Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
98c3d182
Commit
98c3d182
authored
Jun 09, 2017
by
John Johansen
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
apparmor: update aa_audit_file() to use labels
Signed-off-by:
John Johansen
<
john.johansen@canonical.com
>
parent
190a9518
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
18 additions
and
9 deletions
+18
-9
security/apparmor/domain.c
security/apparmor/domain.c
+4
-2
security/apparmor/file.c
security/apparmor/file.c
+12
-6
security/apparmor/include/file.h
security/apparmor/include/file.h
+2
-1
No files found.
security/apparmor/domain.c
View file @
98c3d182
...
@@ -518,6 +518,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
...
@@ -518,6 +518,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
audit:
audit:
error
=
aa_audit_file
(
profile
,
&
perms
,
OP_EXEC
,
MAY_EXEC
,
name
,
error
=
aa_audit_file
(
profile
,
&
perms
,
OP_EXEC
,
MAY_EXEC
,
name
,
new_profile
?
new_profile
->
base
.
hname
:
NULL
,
new_profile
?
new_profile
->
base
.
hname
:
NULL
,
new_profile
?
&
new_profile
->
label
:
NULL
,
cond
.
uid
,
info
,
error
);
cond
.
uid
,
info
,
error
);
cleanup:
cleanup:
...
@@ -694,7 +695,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
...
@@ -694,7 +695,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
audit:
audit:
if
(
!
(
flags
&
AA_CHANGE_TEST
))
if
(
!
(
flags
&
AA_CHANGE_TEST
))
error
=
aa_audit_file
(
profile
,
&
perms
,
OP_CHANGE_HAT
,
error
=
aa_audit_file
(
profile
,
&
perms
,
OP_CHANGE_HAT
,
AA_MAY_CHANGEHAT
,
NULL
,
target
,
AA_MAY_CHANGEHAT
,
NULL
,
target
,
NULL
,
GLOBAL_ROOT_UID
,
info
,
error
);
GLOBAL_ROOT_UID
,
info
,
error
);
out:
out:
...
@@ -802,7 +803,8 @@ int aa_change_profile(const char *fqname, int flags)
...
@@ -802,7 +803,8 @@ int aa_change_profile(const char *fqname, int flags)
audit:
audit:
if
(
!
(
flags
&
AA_CHANGE_TEST
))
if
(
!
(
flags
&
AA_CHANGE_TEST
))
error
=
aa_audit_file
(
profile
,
&
perms
,
op
,
request
,
NULL
,
error
=
aa_audit_file
(
profile
,
&
perms
,
op
,
request
,
NULL
,
fqname
,
GLOBAL_ROOT_UID
,
info
,
error
);
fqname
,
NULL
,
GLOBAL_ROOT_UID
,
info
,
error
);
aa_put_profile
(
target
);
aa_put_profile
(
target
);
aa_put_label
(
label
);
aa_put_label
(
label
);
...
...
security/apparmor/file.c
View file @
98c3d182
...
@@ -75,7 +75,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
...
@@ -75,7 +75,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
from_kuid
(
&
init_user_ns
,
aad
(
sa
)
->
fs
.
ouid
));
from_kuid
(
&
init_user_ns
,
aad
(
sa
)
->
fs
.
ouid
));
}
}
if
(
aad
(
sa
)
->
fs
.
target
)
{
if
(
aad
(
sa
)
->
peer
)
{
audit_log_format
(
ab
,
" target="
);
aa_label_xaudit
(
ab
,
labels_ns
(
aad
(
sa
)
->
label
),
aad
(
sa
)
->
peer
,
FLAG_VIEW_SUBNS
,
GFP_ATOMIC
);
}
else
if
(
aad
(
sa
)
->
fs
.
target
)
{
audit_log_format
(
ab
,
" target="
);
audit_log_format
(
ab
,
" target="
);
audit_log_untrustedstring
(
ab
,
aad
(
sa
)
->
fs
.
target
);
audit_log_untrustedstring
(
ab
,
aad
(
sa
)
->
fs
.
target
);
}
}
...
@@ -85,11 +89,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
...
@@ -85,11 +89,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
* aa_audit_file - handle the auditing of file operations
* aa_audit_file - handle the auditing of file operations
* @profile: the profile being enforced (NOT NULL)
* @profile: the profile being enforced (NOT NULL)
* @perms: the permissions computed for the request (NOT NULL)
* @perms: the permissions computed for the request (NOT NULL)
* @gfp: allocation flags
* @op: operation being mediated
* @op: operation being mediated
* @request: permissions requested
* @request: permissions requested
* @name: name of object being mediated (MAYBE NULL)
* @name: name of object being mediated (MAYBE NULL)
* @target: name of target (MAYBE NULL)
* @target: name of target (MAYBE NULL)
* @tlabel: target label (MAY BE NULL)
* @ouid: object uid
* @ouid: object uid
* @info: extra information message (MAYBE NULL)
* @info: extra information message (MAYBE NULL)
* @error: 0 if operation allowed else failure error code
* @error: 0 if operation allowed else failure error code
...
@@ -98,7 +102,8 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
...
@@ -98,7 +102,8 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
*/
*/
int
aa_audit_file
(
struct
aa_profile
*
profile
,
struct
aa_perms
*
perms
,
int
aa_audit_file
(
struct
aa_profile
*
profile
,
struct
aa_perms
*
perms
,
const
char
*
op
,
u32
request
,
const
char
*
name
,
const
char
*
op
,
u32
request
,
const
char
*
name
,
const
char
*
target
,
kuid_t
ouid
,
const
char
*
info
,
int
error
)
const
char
*
target
,
struct
aa_label
*
tlabel
,
kuid_t
ouid
,
const
char
*
info
,
int
error
)
{
{
int
type
=
AUDIT_APPARMOR_AUTO
;
int
type
=
AUDIT_APPARMOR_AUTO
;
DEFINE_AUDIT_DATA
(
sa
,
LSM_AUDIT_DATA_TASK
,
op
);
DEFINE_AUDIT_DATA
(
sa
,
LSM_AUDIT_DATA_TASK
,
op
);
...
@@ -107,6 +112,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
...
@@ -107,6 +112,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
aad
(
&
sa
)
->
request
=
request
;
aad
(
&
sa
)
->
request
=
request
;
aad
(
&
sa
)
->
name
=
name
;
aad
(
&
sa
)
->
name
=
name
;
aad
(
&
sa
)
->
fs
.
target
=
target
;
aad
(
&
sa
)
->
fs
.
target
=
target
;
aad
(
&
sa
)
->
peer
=
tlabel
;
aad
(
&
sa
)
->
fs
.
ouid
=
ouid
;
aad
(
&
sa
)
->
fs
.
ouid
=
ouid
;
aad
(
&
sa
)
->
info
=
info
;
aad
(
&
sa
)
->
info
=
info
;
aad
(
&
sa
)
->
error
=
error
;
aad
(
&
sa
)
->
error
=
error
;
...
@@ -139,7 +145,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
...
@@ -139,7 +145,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
aad
(
&
sa
)
->
request
&=
~
perms
->
quiet
;
aad
(
&
sa
)
->
request
&=
~
perms
->
quiet
;
if
(
!
aad
(
&
sa
)
->
request
)
if
(
!
aad
(
&
sa
)
->
request
)
return
COMPLAIN_MODE
(
profile
)
?
0
:
aad
(
&
sa
)
->
error
;
return
aad
(
&
sa
)
->
error
;
}
}
aad
(
&
sa
)
->
denied
=
aad
(
&
sa
)
->
request
&
~
perms
->
allow
;
aad
(
&
sa
)
->
denied
=
aad
(
&
sa
)
->
request
&
~
perms
->
allow
;
...
@@ -295,7 +301,7 @@ int aa_path_perm(const char *op, struct aa_profile *profile,
...
@@ -295,7 +301,7 @@ int aa_path_perm(const char *op, struct aa_profile *profile,
if
(
request
&
~
perms
.
allow
)
if
(
request
&
~
perms
.
allow
)
error
=
-
EACCES
;
error
=
-
EACCES
;
}
}
error
=
aa_audit_file
(
profile
,
&
perms
,
op
,
request
,
name
,
NULL
,
error
=
aa_audit_file
(
profile
,
&
perms
,
op
,
request
,
name
,
NULL
,
NULL
,
cond
->
uid
,
info
,
error
);
cond
->
uid
,
info
,
error
);
put_buffers
(
buffer
);
put_buffers
(
buffer
);
...
@@ -425,7 +431,7 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
...
@@ -425,7 +431,7 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
audit:
audit:
error
=
aa_audit_file
(
profile
,
&
lperms
,
OP_LINK
,
request
,
error
=
aa_audit_file
(
profile
,
&
lperms
,
OP_LINK
,
request
,
lname
,
tname
,
cond
.
uid
,
info
,
error
);
lname
,
tname
,
NULL
,
cond
.
uid
,
info
,
error
);
put_buffers
(
buffer
,
buffer2
);
put_buffers
(
buffer
,
buffer2
);
return
error
;
return
error
;
...
...
security/apparmor/include/file.h
View file @
98c3d182
...
@@ -162,7 +162,8 @@ static inline u16 dfa_map_xindex(u16 mask)
...
@@ -162,7 +162,8 @@ static inline u16 dfa_map_xindex(u16 mask)
int
aa_audit_file
(
struct
aa_profile
*
profile
,
struct
aa_perms
*
perms
,
int
aa_audit_file
(
struct
aa_profile
*
profile
,
struct
aa_perms
*
perms
,
const
char
*
op
,
u32
request
,
const
char
*
name
,
const
char
*
op
,
u32
request
,
const
char
*
name
,
const
char
*
target
,
kuid_t
ouid
,
const
char
*
info
,
int
error
);
const
char
*
target
,
struct
aa_label
*
tlabel
,
kuid_t
ouid
,
const
char
*
info
,
int
error
);
/**
/**
* struct aa_file_rules - components used for file rule permissions
* struct aa_file_rules - components used for file rule permissions
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment