Commit c70c86c4 authored by John Johansen's avatar John Johansen

apparmor: move capability checks to using labels

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 317d9a05
...@@ -48,15 +48,16 @@ static DEFINE_PER_CPU(struct audit_cache, audit_cache); ...@@ -48,15 +48,16 @@ static DEFINE_PER_CPU(struct audit_cache, audit_cache);
static void audit_cb(struct audit_buffer *ab, void *va) static void audit_cb(struct audit_buffer *ab, void *va)
{ {
struct common_audit_data *sa = va; struct common_audit_data *sa = va;
audit_log_format(ab, " capname="); audit_log_format(ab, " capname=");
audit_log_untrustedstring(ab, capability_names[sa->u.cap]); audit_log_untrustedstring(ab, capability_names[sa->u.cap]);
} }
/** /**
* audit_caps - audit a capability * audit_caps - audit a capability
* @sa: audit data
* @profile: profile being tested for confinement (NOT NULL) * @profile: profile being tested for confinement (NOT NULL)
* @cap: capability tested * @cap: capability tested
@audit: whether an audit record should be generated
* @error: error code returned by test * @error: error code returned by test
* *
* Do auditing of capability and handle, audit/complain/kill modes switching * Do auditing of capability and handle, audit/complain/kill modes switching
...@@ -64,16 +65,13 @@ static void audit_cb(struct audit_buffer *ab, void *va) ...@@ -64,16 +65,13 @@ static void audit_cb(struct audit_buffer *ab, void *va)
* *
* Returns: 0 or sa->error on success, error code on failure * Returns: 0 or sa->error on success, error code on failure
*/ */
static int audit_caps(struct aa_profile *profile, int cap, int audit, static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile,
int error) int cap, int error)
{ {
struct audit_cache *ent; struct audit_cache *ent;
int type = AUDIT_APPARMOR_AUTO; int type = AUDIT_APPARMOR_AUTO;
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, OP_CAPABLE);
sa.u.cap = cap; aad(sa)->error = error;
aad(&sa)->error = error;
if (audit == SECURITY_CAP_NOAUDIT)
aad(&sa)->info = "optional: no audit";
if (likely(!error)) { if (likely(!error)) {
/* test if auditing is being forced */ /* test if auditing is being forced */
...@@ -105,24 +103,44 @@ static int audit_caps(struct aa_profile *profile, int cap, int audit, ...@@ -105,24 +103,44 @@ static int audit_caps(struct aa_profile *profile, int cap, int audit,
} }
put_cpu_var(audit_cache); put_cpu_var(audit_cache);
return aa_audit(type, profile, &sa, audit_cb); return aa_audit(type, profile, sa, audit_cb);
} }
/** /**
* profile_capable - test if profile allows use of capability @cap * profile_capable - test if profile allows use of capability @cap
* @profile: profile being enforced (NOT NULL, NOT unconfined) * @profile: profile being enforced (NOT NULL, NOT unconfined)
* @cap: capability to test if allowed * @cap: capability to test if allowed
* @audit: whether an audit record should be generated
* @sa: audit data (MAY BE NULL indicating no auditing)
* *
* Returns: 0 if allowed else -EPERM * Returns: 0 if allowed else -EPERM
*/ */
static int profile_capable(struct aa_profile *profile, int cap) static int profile_capable(struct aa_profile *profile, int cap, int audit,
struct common_audit_data *sa)
{ {
return cap_raised(profile->caps.allow, cap) ? 0 : -EPERM; int error;
if (cap_raised(profile->caps.allow, cap) &&
!cap_raised(profile->caps.denied, cap))
error = 0;
else
error = -EPERM;
if (audit == SECURITY_CAP_NOAUDIT) {
if (!COMPLAIN_MODE(profile))
return error;
/* audit the cap request in complain mode but note that it
* should be optional.
*/
aad(sa)->info = "optional: no audit";
}
return audit_caps(sa, profile, cap, error);
} }
/** /**
* aa_capable - test permission to use capability * aa_capable - test permission to use capability
* @profile: profile being tested against (NOT NULL) * @label: label being tested for capability (NOT NULL)
* @cap: capability to be tested * @cap: capability to be tested
* @audit: whether an audit record should be generated * @audit: whether an audit record should be generated
* *
...@@ -130,14 +148,15 @@ static int profile_capable(struct aa_profile *profile, int cap) ...@@ -130,14 +148,15 @@ static int profile_capable(struct aa_profile *profile, int cap)
* *
* Returns: 0 on success, or else an error code. * Returns: 0 on success, or else an error code.
*/ */
int aa_capable(struct aa_profile *profile, int cap, int audit) int aa_capable(struct aa_label *label, int cap, int audit)
{ {
int error = profile_capable(profile, cap); struct aa_profile *profile;
int error = 0;
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, OP_CAPABLE);
if (audit == SECURITY_CAP_NOAUDIT) { sa.u.cap = cap;
if (!COMPLAIN_MODE(profile)) error = fn_for_each_confined(label, profile,
return error; profile_capable(profile, cap, audit, &sa));
}
return audit_caps(profile, cap, audit, error); return error;
} }
...@@ -19,11 +19,12 @@ ...@@ -19,11 +19,12 @@
#include "apparmorfs.h" #include "apparmorfs.h"
struct aa_profile; struct aa_label;
/* aa_caps - confinement data for capabilities /* aa_caps - confinement data for capabilities
* @allowed: capabilities mask * @allowed: capabilities mask
* @audit: caps that are to be audited * @audit: caps that are to be audited
* @denied: caps that are explicitly denied
* @quiet: caps that should not be audited * @quiet: caps that should not be audited
* @kill: caps that when requested will result in the task being killed * @kill: caps that when requested will result in the task being killed
* @extended: caps that are subject finer grained mediation * @extended: caps that are subject finer grained mediation
...@@ -31,6 +32,7 @@ struct aa_profile; ...@@ -31,6 +32,7 @@ struct aa_profile;
struct aa_caps { struct aa_caps {
kernel_cap_t allow; kernel_cap_t allow;
kernel_cap_t audit; kernel_cap_t audit;
kernel_cap_t denied;
kernel_cap_t quiet; kernel_cap_t quiet;
kernel_cap_t kill; kernel_cap_t kill;
kernel_cap_t extended; kernel_cap_t extended;
...@@ -38,7 +40,7 @@ struct aa_caps { ...@@ -38,7 +40,7 @@ struct aa_caps {
extern struct aa_sfs_entry aa_sfs_entry_caps[]; extern struct aa_sfs_entry aa_sfs_entry_caps[];
int aa_capable(struct aa_profile *profile, int cap, int audit); int aa_capable(struct aa_label *label, int cap, int audit);
static inline void aa_free_cap_rules(struct aa_caps *caps) static inline void aa_free_cap_rules(struct aa_caps *caps)
{ {
......
...@@ -68,7 +68,7 @@ int aa_may_ptrace(struct aa_profile *tracer, struct aa_profile *tracee, ...@@ -68,7 +68,7 @@ int aa_may_ptrace(struct aa_profile *tracer, struct aa_profile *tracee,
if (profile_unconfined(tracer) || tracer == tracee) if (profile_unconfined(tracer) || tracer == tracee)
return 0; return 0;
/* log this capability request */ /* log this capability request */
return aa_capable(tracer, CAP_SYS_PTRACE, 1); return aa_capable(&tracer->label, CAP_SYS_PTRACE, 1);
} }
/** /**
......
...@@ -117,20 +117,28 @@ static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, ...@@ -117,20 +117,28 @@ static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
kernel_cap_t *inheritable, kernel_cap_t *permitted) kernel_cap_t *inheritable, kernel_cap_t *permitted)
{ {
struct aa_label *label; struct aa_label *label;
struct aa_profile *profile;
const struct cred *cred; const struct cred *cred;
rcu_read_lock(); rcu_read_lock();
cred = __task_cred(target); cred = __task_cred(target);
label = aa_get_newest_cred_label(cred); label = aa_get_newest_cred_label(cred);
profile = labels_profile(label);
/* /*
* cap_capget is stacked ahead of this and will * cap_capget is stacked ahead of this and will
* initialize effective and permitted. * initialize effective and permitted.
*/ */
if (!profile_unconfined(profile) && !COMPLAIN_MODE(profile)) { if (!unconfined(label)) {
*effective = cap_intersect(*effective, profile->caps.allow); struct aa_profile *profile;
*permitted = cap_intersect(*permitted, profile->caps.allow); struct label_it i;
label_for_each_confined(i, label, profile) {
if (COMPLAIN_MODE(profile))
continue;
*effective = cap_intersect(*effective,
profile->caps.allow);
*permitted = cap_intersect(*permitted,
profile->caps.allow);
}
} }
rcu_read_unlock(); rcu_read_unlock();
aa_put_label(label); aa_put_label(label);
...@@ -146,7 +154,7 @@ static int apparmor_capable(const struct cred *cred, struct user_namespace *ns, ...@@ -146,7 +154,7 @@ static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
label = aa_get_newest_cred_label(cred); label = aa_get_newest_cred_label(cred);
if (!unconfined(label)) if (!unconfined(label))
error = aa_capable(labels_profile(label), cap, audit); error = aa_capable(label, cap, audit);
aa_put_label(label); aa_put_label(label);
return error; return error;
......
...@@ -100,7 +100,7 @@ int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task, ...@@ -100,7 +100,7 @@ int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
* task has CAP_SYS_RESOURCE. * task has CAP_SYS_RESOURCE.
*/ */
if ((profile != labels_profile(task_label) && if ((profile != labels_profile(task_label) &&
aa_capable(profile, CAP_SYS_RESOURCE, 1)) || aa_capable(&profile->label, CAP_SYS_RESOURCE, 1)) ||
(profile->rlimits.mask & (1 << resource) && (profile->rlimits.mask & (1 << resource) &&
new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max)) new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max))
error = -EACCES; error = -EACCES;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment