Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
linux
Commits
c70c86c4
Commit
c70c86c4
authored
Jun 09, 2017
by
John Johansen
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
apparmor: move capability checks to using labels
Signed-off-by:
John Johansen
<
john.johansen@canonical.com
>
parent
317d9a05
Changes
5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
58 additions
and
29 deletions
+58
-29
security/apparmor/capability.c
security/apparmor/capability.c
+38
-19
security/apparmor/include/capability.h
security/apparmor/include/capability.h
+4
-2
security/apparmor/ipc.c
security/apparmor/ipc.c
+1
-1
security/apparmor/lsm.c
security/apparmor/lsm.c
+14
-6
security/apparmor/resource.c
security/apparmor/resource.c
+1
-1
No files found.
security/apparmor/capability.c
View file @
c70c86c4
...
@@ -48,15 +48,16 @@ static DEFINE_PER_CPU(struct audit_cache, audit_cache);
...
@@ -48,15 +48,16 @@ static DEFINE_PER_CPU(struct audit_cache, audit_cache);
static
void
audit_cb
(
struct
audit_buffer
*
ab
,
void
*
va
)
static
void
audit_cb
(
struct
audit_buffer
*
ab
,
void
*
va
)
{
{
struct
common_audit_data
*
sa
=
va
;
struct
common_audit_data
*
sa
=
va
;
audit_log_format
(
ab
,
" capname="
);
audit_log_format
(
ab
,
" capname="
);
audit_log_untrustedstring
(
ab
,
capability_names
[
sa
->
u
.
cap
]);
audit_log_untrustedstring
(
ab
,
capability_names
[
sa
->
u
.
cap
]);
}
}
/**
/**
* audit_caps - audit a capability
* audit_caps - audit a capability
* @sa: audit data
* @profile: profile being tested for confinement (NOT NULL)
* @profile: profile being tested for confinement (NOT NULL)
* @cap: capability tested
* @cap: capability tested
@audit: whether an audit record should be generated
* @error: error code returned by test
* @error: error code returned by test
*
*
* Do auditing of capability and handle, audit/complain/kill modes switching
* Do auditing of capability and handle, audit/complain/kill modes switching
...
@@ -64,16 +65,13 @@ static void audit_cb(struct audit_buffer *ab, void *va)
...
@@ -64,16 +65,13 @@ static void audit_cb(struct audit_buffer *ab, void *va)
*
*
* Returns: 0 or sa->error on success, error code on failure
* Returns: 0 or sa->error on success, error code on failure
*/
*/
static
int
audit_caps
(
struct
aa_profile
*
profile
,
int
cap
,
int
audit
,
static
int
audit_caps
(
struct
common_audit_data
*
sa
,
struct
aa_profile
*
profile
,
int
error
)
int
cap
,
int
error
)
{
{
struct
audit_cache
*
ent
;
struct
audit_cache
*
ent
;
int
type
=
AUDIT_APPARMOR_AUTO
;
int
type
=
AUDIT_APPARMOR_AUTO
;
DEFINE_AUDIT_DATA
(
sa
,
LSM_AUDIT_DATA_CAP
,
OP_CAPABLE
);
sa
.
u
.
cap
=
cap
;
aad
(
sa
)
->
error
=
error
;
aad
(
&
sa
)
->
error
=
error
;
if
(
audit
==
SECURITY_CAP_NOAUDIT
)
aad
(
&
sa
)
->
info
=
"optional: no audit"
;
if
(
likely
(
!
error
))
{
if
(
likely
(
!
error
))
{
/* test if auditing is being forced */
/* test if auditing is being forced */
...
@@ -105,24 +103,44 @@ static int audit_caps(struct aa_profile *profile, int cap, int audit,
...
@@ -105,24 +103,44 @@ static int audit_caps(struct aa_profile *profile, int cap, int audit,
}
}
put_cpu_var
(
audit_cache
);
put_cpu_var
(
audit_cache
);
return
aa_audit
(
type
,
profile
,
&
sa
,
audit_cb
);
return
aa_audit
(
type
,
profile
,
sa
,
audit_cb
);
}
}
/**
/**
* profile_capable - test if profile allows use of capability @cap
* profile_capable - test if profile allows use of capability @cap
* @profile: profile being enforced (NOT NULL, NOT unconfined)
* @profile: profile being enforced (NOT NULL, NOT unconfined)
* @cap: capability to test if allowed
* @cap: capability to test if allowed
* @audit: whether an audit record should be generated
* @sa: audit data (MAY BE NULL indicating no auditing)
*
*
* Returns: 0 if allowed else -EPERM
* Returns: 0 if allowed else -EPERM
*/
*/
static
int
profile_capable
(
struct
aa_profile
*
profile
,
int
cap
)
static
int
profile_capable
(
struct
aa_profile
*
profile
,
int
cap
,
int
audit
,
struct
common_audit_data
*
sa
)
{
{
return
cap_raised
(
profile
->
caps
.
allow
,
cap
)
?
0
:
-
EPERM
;
int
error
;
if
(
cap_raised
(
profile
->
caps
.
allow
,
cap
)
&&
!
cap_raised
(
profile
->
caps
.
denied
,
cap
))
error
=
0
;
else
error
=
-
EPERM
;
if
(
audit
==
SECURITY_CAP_NOAUDIT
)
{
if
(
!
COMPLAIN_MODE
(
profile
))
return
error
;
/* audit the cap request in complain mode but note that it
* should be optional.
*/
aad
(
sa
)
->
info
=
"optional: no audit"
;
}
return
audit_caps
(
sa
,
profile
,
cap
,
error
);
}
}
/**
/**
* aa_capable - test permission to use capability
* aa_capable - test permission to use capability
* @
profile: profile being tested against
(NOT NULL)
* @
label: label being tested for capability
(NOT NULL)
* @cap: capability to be tested
* @cap: capability to be tested
* @audit: whether an audit record should be generated
* @audit: whether an audit record should be generated
*
*
...
@@ -130,14 +148,15 @@ static int profile_capable(struct aa_profile *profile, int cap)
...
@@ -130,14 +148,15 @@ static int profile_capable(struct aa_profile *profile, int cap)
*
*
* Returns: 0 on success, or else an error code.
* Returns: 0 on success, or else an error code.
*/
*/
int
aa_capable
(
struct
aa_
profile
*
profile
,
int
cap
,
int
audit
)
int
aa_capable
(
struct
aa_
label
*
label
,
int
cap
,
int
audit
)
{
{
int
error
=
profile_capable
(
profile
,
cap
);
struct
aa_profile
*
profile
;
int
error
=
0
;
DEFINE_AUDIT_DATA
(
sa
,
LSM_AUDIT_DATA_CAP
,
OP_CAPABLE
);
if
(
audit
==
SECURITY_CAP_NOAUDIT
)
{
sa
.
u
.
cap
=
cap
;
if
(
!
COMPLAIN_MODE
(
profile
))
error
=
fn_for_each_confined
(
label
,
profile
,
return
error
;
profile_capable
(
profile
,
cap
,
audit
,
&
sa
));
}
return
audit_caps
(
profile
,
cap
,
audit
,
error
)
;
return
error
;
}
}
security/apparmor/include/capability.h
View file @
c70c86c4
...
@@ -19,11 +19,12 @@
...
@@ -19,11 +19,12 @@
#include "apparmorfs.h"
#include "apparmorfs.h"
struct
aa_
profile
;
struct
aa_
label
;
/* aa_caps - confinement data for capabilities
/* aa_caps - confinement data for capabilities
* @allowed: capabilities mask
* @allowed: capabilities mask
* @audit: caps that are to be audited
* @audit: caps that are to be audited
* @denied: caps that are explicitly denied
* @quiet: caps that should not be audited
* @quiet: caps that should not be audited
* @kill: caps that when requested will result in the task being killed
* @kill: caps that when requested will result in the task being killed
* @extended: caps that are subject finer grained mediation
* @extended: caps that are subject finer grained mediation
...
@@ -31,6 +32,7 @@ struct aa_profile;
...
@@ -31,6 +32,7 @@ struct aa_profile;
struct
aa_caps
{
struct
aa_caps
{
kernel_cap_t
allow
;
kernel_cap_t
allow
;
kernel_cap_t
audit
;
kernel_cap_t
audit
;
kernel_cap_t
denied
;
kernel_cap_t
quiet
;
kernel_cap_t
quiet
;
kernel_cap_t
kill
;
kernel_cap_t
kill
;
kernel_cap_t
extended
;
kernel_cap_t
extended
;
...
@@ -38,7 +40,7 @@ struct aa_caps {
...
@@ -38,7 +40,7 @@ struct aa_caps {
extern
struct
aa_sfs_entry
aa_sfs_entry_caps
[];
extern
struct
aa_sfs_entry
aa_sfs_entry_caps
[];
int
aa_capable
(
struct
aa_
profile
*
profile
,
int
cap
,
int
audit
);
int
aa_capable
(
struct
aa_
label
*
label
,
int
cap
,
int
audit
);
static
inline
void
aa_free_cap_rules
(
struct
aa_caps
*
caps
)
static
inline
void
aa_free_cap_rules
(
struct
aa_caps
*
caps
)
{
{
...
...
security/apparmor/ipc.c
View file @
c70c86c4
...
@@ -68,7 +68,7 @@ int aa_may_ptrace(struct aa_profile *tracer, struct aa_profile *tracee,
...
@@ -68,7 +68,7 @@ int aa_may_ptrace(struct aa_profile *tracer, struct aa_profile *tracee,
if
(
profile_unconfined
(
tracer
)
||
tracer
==
tracee
)
if
(
profile_unconfined
(
tracer
)
||
tracer
==
tracee
)
return
0
;
return
0
;
/* log this capability request */
/* log this capability request */
return
aa_capable
(
tracer
,
CAP_SYS_PTRACE
,
1
);
return
aa_capable
(
&
tracer
->
label
,
CAP_SYS_PTRACE
,
1
);
}
}
/**
/**
...
...
security/apparmor/lsm.c
View file @
c70c86c4
...
@@ -117,20 +117,28 @@ static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
...
@@ -117,20 +117,28 @@ static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
kernel_cap_t
*
inheritable
,
kernel_cap_t
*
permitted
)
kernel_cap_t
*
inheritable
,
kernel_cap_t
*
permitted
)
{
{
struct
aa_label
*
label
;
struct
aa_label
*
label
;
struct
aa_profile
*
profile
;
const
struct
cred
*
cred
;
const
struct
cred
*
cred
;
rcu_read_lock
();
rcu_read_lock
();
cred
=
__task_cred
(
target
);
cred
=
__task_cred
(
target
);
label
=
aa_get_newest_cred_label
(
cred
);
label
=
aa_get_newest_cred_label
(
cred
);
profile
=
labels_profile
(
label
);
/*
/*
* cap_capget is stacked ahead of this and will
* cap_capget is stacked ahead of this and will
* initialize effective and permitted.
* initialize effective and permitted.
*/
*/
if
(
!
profile_unconfined
(
profile
)
&&
!
COMPLAIN_MODE
(
profile
))
{
if
(
!
unconfined
(
label
))
{
*
effective
=
cap_intersect
(
*
effective
,
profile
->
caps
.
allow
);
struct
aa_profile
*
profile
;
*
permitted
=
cap_intersect
(
*
permitted
,
profile
->
caps
.
allow
);
struct
label_it
i
;
label_for_each_confined
(
i
,
label
,
profile
)
{
if
(
COMPLAIN_MODE
(
profile
))
continue
;
*
effective
=
cap_intersect
(
*
effective
,
profile
->
caps
.
allow
);
*
permitted
=
cap_intersect
(
*
permitted
,
profile
->
caps
.
allow
);
}
}
}
rcu_read_unlock
();
rcu_read_unlock
();
aa_put_label
(
label
);
aa_put_label
(
label
);
...
@@ -146,7 +154,7 @@ static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
...
@@ -146,7 +154,7 @@ static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
label
=
aa_get_newest_cred_label
(
cred
);
label
=
aa_get_newest_cred_label
(
cred
);
if
(
!
unconfined
(
label
))
if
(
!
unconfined
(
label
))
error
=
aa_capable
(
label
s_profile
(
label
)
,
cap
,
audit
);
error
=
aa_capable
(
label
,
cap
,
audit
);
aa_put_label
(
label
);
aa_put_label
(
label
);
return
error
;
return
error
;
...
...
security/apparmor/resource.c
View file @
c70c86c4
...
@@ -100,7 +100,7 @@ int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
...
@@ -100,7 +100,7 @@ int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
* task has CAP_SYS_RESOURCE.
* task has CAP_SYS_RESOURCE.
*/
*/
if
((
profile
!=
labels_profile
(
task_label
)
&&
if
((
profile
!=
labels_profile
(
task_label
)
&&
aa_capable
(
profile
,
CAP_SYS_RESOURCE
,
1
))
||
aa_capable
(
&
profile
->
label
,
CAP_SYS_RESOURCE
,
1
))
||
(
profile
->
rlimits
.
mask
&
(
1
<<
resource
)
&&
(
profile
->
rlimits
.
mask
&
(
1
<<
resource
)
&&
new_rlim
->
rlim_max
>
profile
->
rlimits
.
limits
[
resource
].
rlim_max
))
new_rlim
->
rlim_max
>
profile
->
rlimits
.
limits
[
resource
].
rlim_max
))
error
=
-
EACCES
;
error
=
-
EACCES
;
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment