de62de59
Commit
de62de59
authored
Oct 08, 2017
by
John Johansen
apparmor: move task related defines and fns to task.X files
Signed-off-by:
John Johansen
<
john.johansen@canonical.com
>
parent
d065f2f5
Changes
6
Showing
6 changed files
with
105 additions
and
98 deletions
+105
-98
security/apparmor/Makefile
security/apparmor/Makefile
+1
-1
security/apparmor/domain.c
security/apparmor/domain.c
+2
-2
security/apparmor/include/context.h
security/apparmor/include/context.h
+1
-39
security/apparmor/include/task.h
security/apparmor/include/task.h
+90
-0
security/apparmor/lsm.c
security/apparmor/lsm.c
+3
-3
security/apparmor/task.c
security/apparmor/task.c
+8
-53
security/apparmor/Makefile
...
@@ -3,7 +3,7 @@
...
@@ -3,7 +3,7 @@
#
#
obj-$(CONFIG_SECURITY_APPARMOR)
+=
apparmor.o
obj-$(CONFIG_SECURITY_APPARMOR)
+=
apparmor.o
apparmor-y
:=
apparmorfs.o audit.o capability.o
context
.o ipc.o lib.o match.o
\
apparmor-y
:=
apparmorfs.o audit.o capability.o
task
.o ipc.o lib.o match.o
\
path.o domain.o policy.o policy_unpack.o procattr.o lsm.o
\
path.o domain.o policy.o policy_unpack.o procattr.o lsm.o
\
resource.o secid.o file.o policy_ns.o label.o mount.o
resource.o secid.o file.o policy_ns.o label.o mount.o
apparmor-$(CONFIG_SECURITY_APPARMOR_HASH)
+=
crypto.o
apparmor-$(CONFIG_SECURITY_APPARMOR_HASH)
+=
crypto.o
...
...
security/apparmor/domain.c
...
@@ -794,7 +794,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
...
@@ -794,7 +794,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
if
(
bprm
->
called_set_creds
)
if
(
bprm
->
called_set_creds
)
return
0
;
return
0
;
ctx
=
current_task_ctx
(
);
ctx
=
task_ctx
(
current
);
AA_BUG
(
!
cred_label
(
bprm
->
cred
));
AA_BUG
(
!
cred_label
(
bprm
->
cred
));
AA_BUG
(
!
ctx
);
AA_BUG
(
!
ctx
);
...
@@ -1067,7 +1067,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
...
@@ -1067,7 +1067,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
/* released below */
/* released below */
cred
=
get_current_cred
();
cred
=
get_current_cred
();
ctx
=
current_task_ctx
(
);
ctx
=
task_ctx
(
current
);
label
=
aa_get_newest_cred_label
(
cred
);
label
=
aa_get_newest_cred_label
(
cred
);
previous
=
aa_get_newest_label
(
ctx
->
previous
);
previous
=
aa_get_newest_label
(
ctx
->
previous
);
...
...
security/apparmor/include/context.h
...
@@ -21,33 +21,10 @@
...
@@ -21,33 +21,10 @@
#include "label.h"
#include "label.h"
#include "policy_ns.h"
#include "policy_ns.h"
#include "task.h"
#define task_ctx(X) ((X)->security)
#define current_task_ctx() (task_ctx(current))
#define cred_label(X) ((X)->security)
#define cred_label(X) ((X)->security)
/*
* struct aa_task_ctx - information for current task label change
* @onexec: profile to transition to on next exec (MAY BE NULL)
* @previous: profile the task may return to (MAY BE NULL)
* @token: magic value the task must know for returning to @previous_profile
*/
struct
aa_task_ctx
{
struct
aa_label
*
onexec
;
struct
aa_label
*
previous
;
u64
token
;
};
struct
aa_task_ctx
*
aa_alloc_task_ctx
(
gfp_t
flags
);
void
aa_free_task_ctx
(
struct
aa_task_ctx
*
ctx
);
void
aa_dup_task_ctx
(
struct
aa_task_ctx
*
new
,
const
struct
aa_task_ctx
*
old
);
int
aa_replace_current_label
(
struct
aa_label
*
label
);
int
aa_set_current_onexec
(
struct
aa_label
*
label
,
bool
stack
);
int
aa_set_current_hat
(
struct
aa_label
*
label
,
u64
token
);
int
aa_restore_previous_label
(
u64
cookie
);
struct
aa_label
*
aa_get_task_label
(
struct
task_struct
*
task
);
/**
/**
* aa_cred_raw_label - obtain cred's label
* aa_cred_raw_label - obtain cred's label
...
@@ -196,19 +173,4 @@ static inline struct aa_ns *aa_get_current_ns(void)
...
@@ -196,19 +173,4 @@ static inline struct aa_ns *aa_get_current_ns(void)
return
ns
;
return
ns
;
}
}
/**
* aa_clear_task_ctx_trans - clear transition tracking info from the ctx
* @ctx: task context to clear (NOT NULL)
*/
static
inline
void
aa_clear_task_ctx_trans
(
struct
aa_task_ctx
*
ctx
)
{
AA_BUG
(
!
ctx
);
aa_put_label
(
ctx
->
previous
);
aa_put_label
(
ctx
->
onexec
);
ctx
->
previous
=
NULL
;
ctx
->
onexec
=
NULL
;
ctx
->
token
=
0
;
}
#endif
/* __AA_CONTEXT_H */
#endif
/* __AA_CONTEXT_H */
security/apparmor/include/task.h
0 → 100644
/*
* AppArmor security module
*
* This file contains AppArmor task related definitions and mediation
*
* Copyright 2017 Canonical Ltd.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
* License.
*/
#ifndef __AA_TASK_H
#define __AA_TASK_H
#define task_ctx(X) ((X)->security)
/*
* struct aa_task_ctx - information for current task label change
* @onexec: profile to transition to on next exec (MAY BE NULL)
* @previous: profile the task may return to (MAY BE NULL)
* @token: magic value the task must know for returning to @previous_profile
*/
struct
aa_task_ctx
{
struct
aa_label
*
onexec
;
struct
aa_label
*
previous
;
u64
token
;
};
int
aa_replace_current_label
(
struct
aa_label
*
label
);
int
aa_set_current_onexec
(
struct
aa_label
*
label
,
bool
stack
);
int
aa_set_current_hat
(
struct
aa_label
*
label
,
u64
token
);
int
aa_restore_previous_label
(
u64
cookie
);
struct
aa_label
*
aa_get_task_label
(
struct
task_struct
*
task
);
/**
* aa_alloc_task_ctx - allocate a new task_ctx
* @flags: gfp flags for allocation
*
* Returns: allocated buffer or NULL on failure
*/
static
inline
struct
aa_task_ctx
*
aa_alloc_task_ctx
(
gfp_t
flags
)
{
return
kzalloc
(
sizeof
(
struct
aa_task_ctx
),
flags
);
}
/**
* aa_free_task_ctx - free a task_ctx
* @ctx: task_ctx to free (MAYBE NULL)
*/
static
inline
void
aa_free_task_ctx
(
struct
aa_task_ctx
*
ctx
)
{
if
(
ctx
)
{
aa_put_label
(
ctx
->
previous
);
aa_put_label
(
ctx
->
onexec
);
kzfree
(
ctx
);
}
}
/**
* aa_dup_task_ctx - duplicate a task context, incrementing reference counts
* @new: a blank task context (NOT NULL)
* @old: the task context to copy (NOT NULL)
*/
static
inline
void
aa_dup_task_ctx
(
struct
aa_task_ctx
*
new
,
const
struct
aa_task_ctx
*
old
)
{
*
new
=
*
old
;
aa_get_label
(
new
->
previous
);
aa_get_label
(
new
->
onexec
);
}
/**
* aa_clear_task_ctx_trans - clear transition tracking info from the ctx
* @ctx: task context to clear (NOT NULL)
*/
static
inline
void
aa_clear_task_ctx_trans
(
struct
aa_task_ctx
*
ctx
)
{
AA_BUG
(
!
ctx
);
aa_put_label
(
ctx
->
previous
);
aa_put_label
(
ctx
->
onexec
);
ctx
->
previous
=
NULL
;
ctx
->
onexec
=
NULL
;
ctx
->
token
=
0
;
}
#endif
/* __AA_TASK_H */
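Review bot: The new task.h is not self-contained: its static inline helpers call `kzalloc`, `kzfree`, `aa_get_label`, `aa_put_label` and `AA_BUG`, and its declarations use `gfp_t`, `u64`, `bool`, `struct aa_label` and `struct task_struct`, yet the header includes nothing, so it only compiles because context.h includes label.h and policy_ns.h before `#include "task.h"` and task.c includes context.h ahead of its own task.h include. I'd add `#include <linux/slab.h>` and `#include "label.h"` under the guard, plus a forward `struct task_struct;` for the `aa_get_task_label` prototype if label.h does not already pull it in transitively, so a future direct include of task.h does not break. Separately, the `struct aa_task_ctx` comment refers to `@previous_profile`, a field that does not exist (it is `previous`), and calls `@onexec`/`@previous` "profile" although both are `struct aa_label *`; `@previous: label the task may return to (MAY BE NULL)` and `@token: magic value the task must know for returning to @previous` would match the fields as declared.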
security/apparmor/lsm.c
...
@@ -101,7 +101,7 @@ static int apparmor_task_alloc(struct task_struct *task,
...
@@ -101,7 +101,7 @@ static int apparmor_task_alloc(struct task_struct *task,
if
(
!
new
)
if
(
!
new
)
return
-
ENOMEM
;
return
-
ENOMEM
;
aa_dup_task_ctx
(
new
,
current_task_ctx
(
));
aa_dup_task_ctx
(
new
,
task_ctx
(
current
));
task_ctx
(
task
)
=
new
;
task_ctx
(
task
)
=
new
;
return
0
;
return
0
;
...
@@ -582,7 +582,7 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
...
@@ -582,7 +582,7 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
int
error
=
-
ENOENT
;
int
error
=
-
ENOENT
;
/* released below */
/* released below */
const
struct
cred
*
cred
=
get_task_cred
(
task
);
const
struct
cred
*
cred
=
get_task_cred
(
task
);
struct
aa_task_ctx
*
ctx
=
current_task_ctx
(
);
struct
aa_task_ctx
*
ctx
=
task_ctx
(
current
);
struct
aa_label
*
label
=
NULL
;
struct
aa_label
*
label
=
NULL
;
if
(
strcmp
(
name
,
"current"
)
==
0
)
if
(
strcmp
(
name
,
"current"
)
==
0
)
...
@@ -705,7 +705,7 @@ static void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
...
@@ -705,7 +705,7 @@ static void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
static
void
apparmor_bprm_committed_creds
(
struct
linux_binprm
*
bprm
)
static
void
apparmor_bprm_committed_creds
(
struct
linux_binprm
*
bprm
)
{
{
/* clear out temporary/transitional state from the context */
/* clear out temporary/transitional state from the context */
aa_clear_task_ctx_trans
(
current_task_ctx
(
));
aa_clear_task_ctx_trans
(
task_ctx
(
current
));
return
;
return
;
}
}
...
...
security/apparmor/
context
.c
→
security/apparmor/
task
.c
/*
/*
* AppArmor security module
* AppArmor security module
*
*
* This file contains AppArmor functions used to manipulate object security
* This file contains AppArmor task related definitions and mediation
* contexts.
*
*
* Copyright (C) 1998-2008 Novell/SUSE
* Copyright 2017 Canonical Ltd.
* Copyright 2009-2010 Canonical Ltd.
*
*
* This program is free software; you can redistribute it and/or
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
* published by the Free Software Foundation, version 2 of the
* License.
* License.
*
*
*
* AppArmor sets confinement on every task, via the cred_label() which
* is required and are not allowed to be NULL. The cred_label is
* reference counted.
*
* TODO
* TODO
* If a task uses change_hat it currently does not return to the old
* If a task uses change_hat it currently does not return to the old
* cred or task context but instead creates a new one. Ideally the task
* cred or task context but instead creates a new one. Ideally the task
* should return to the previous cred if it has not been modified.
* should return to the previous cred if it has not been modified.
*
*/
*/
#include "include/context.h"
#include "include/context.h"
#include "include/policy.h"
#include "include/task.h"
/**
/**
* aa_get_task_label - Get another task's label
* aa_get_task_label - Get another task's label
...
@@ -45,43 +36,6 @@ struct aa_label *aa_get_task_label(struct task_struct *task)
...
@@ -45,43 +36,6 @@ struct aa_label *aa_get_task_label(struct task_struct *task)
return
p
;
return
p
;
}
}
/**
* aa_alloc_task_ctx - allocate a new task_ctx
* @flags: gfp flags for allocation
*
* Returns: allocated buffer or NULL on failure
*/
struct
aa_task_ctx
*
aa_alloc_task_ctx
(
gfp_t
flags
)
{
return
kzalloc
(
sizeof
(
struct
aa_task_ctx
),
flags
);
}
/**
* aa_free_task_ctx - free a task_ctx
* @ctx: task_ctx to free (MAYBE NULL)
*/
void
aa_free_task_ctx
(
struct
aa_task_ctx
*
ctx
)
{
if
(
ctx
)
{
aa_put_label
(
ctx
->
previous
);
aa_put_label
(
ctx
->
onexec
);
kzfree
(
ctx
);
}
}
/**
* aa_dup_task_ctx - duplicate a task context, incrementing reference counts
* @new: a blank task context (NOT NULL)
* @old: the task context to copy (NOT NULL)
*/
void
aa_dup_task_ctx
(
struct
aa_task_ctx
*
new
,
const
struct
aa_task_ctx
*
old
)
{
*
new
=
*
old
;
aa_get_label
(
new
->
previous
);
aa_get_label
(
new
->
onexec
);
}
/**
/**
* aa_replace_current_label - replace the current tasks label
* aa_replace_current_label - replace the current tasks label
* @label: new label (NOT NULL)
* @label: new label (NOT NULL)
...
@@ -110,7 +64,7 @@ int aa_replace_current_label(struct aa_label *label)
...
@@ -110,7 +64,7 @@ int aa_replace_current_label(struct aa_label *label)
* if switching to unconfined or a different label namespace
* if switching to unconfined or a different label namespace
* clear out context state
* clear out context state
*/
*/
aa_clear_task_ctx_trans
(
current_task_ctx
(
));
aa_clear_task_ctx_trans
(
task_ctx
(
current
));
/*
/*
* be careful switching cred label, when racing replacement it
* be careful switching cred label, when racing replacement it
...
@@ -126,6 +80,7 @@ int aa_replace_current_label(struct aa_label *label)
...
@@ -126,6 +80,7 @@ int aa_replace_current_label(struct aa_label *label)
return
0
;
return
0
;
}
}
/**
/**
* aa_set_current_onexec - set the tasks change_profile to happen onexec
* aa_set_current_onexec - set the tasks change_profile to happen onexec
* @label: system label to set at exec (MAYBE NULL to clear value)
* @label: system label to set at exec (MAYBE NULL to clear value)
...
@@ -134,7 +89,7 @@ int aa_replace_current_label(struct aa_label *label)
...
@@ -134,7 +89,7 @@ int aa_replace_current_label(struct aa_label *label)
*/
*/
int
aa_set_current_onexec
(
struct
aa_label
*
label
,
bool
stack
)
int
aa_set_current_onexec
(
struct
aa_label
*
label
,
bool
stack
)
{
{
struct
aa_task_ctx
*
ctx
=
current_task_ctx
(
);
struct
aa_task_ctx
*
ctx
=
task_ctx
(
current
);
aa_get_label
(
label
);
aa_get_label
(
label
);
aa_put_label
(
ctx
->
onexec
);
aa_put_label
(
ctx
->
onexec
);
...
@@ -156,7 +111,7 @@ int aa_set_current_onexec(struct aa_label *label, bool stack)
...
@@ -156,7 +111,7 @@ int aa_set_current_onexec(struct aa_label *label, bool stack)
*/
*/
int
aa_set_current_hat
(
struct
aa_label
*
label
,
u64
token
)
int
aa_set_current_hat
(
struct
aa_label
*
label
,
u64
token
)
{
{
struct
aa_task_ctx
*
ctx
=
current_task_ctx
(
);
struct
aa_task_ctx
*
ctx
=
task_ctx
(
current
);
struct
cred
*
new
;
struct
cred
*
new
;
new
=
prepare_creds
();
new
=
prepare_creds
();
...
@@ -196,7 +151,7 @@ int aa_set_current_hat(struct aa_label *label, u64 token)
...
@@ -196,7 +151,7 @@ int aa_set_current_hat(struct aa_label *label, u64 token)
*/
*/
int
aa_restore_previous_label
(
u64
token
)
int
aa_restore_previous_label
(
u64
token
)
{
{
struct
aa_task_ctx
*
ctx
=
current_task_ctx
(
);
struct
aa_task_ctx
*
ctx
=
task_ctx
(
current
);
struct
cred
*
new
;
struct
cred
*
new
;
if
(
ctx
->
token
!=
token
)
if
(
ctx
->
token
!=
token
)
...
...
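Review bot: The rewritten file header drops the paragraph stating that every task carries a `cred_label()` which is required, not allowed to be NULL and reference counted; that invariant still holds and is what the callers in the later hunks (the `AA_BUG(!cred_label(bprm->cred))` style checks) rely on, so it should be kept rather than deleted, most naturally next to the `cred_label()` definition in context.h now that the cred side stays there. The new one-line description also duplicates task.h's wording ("task related definitions and mediation") and no longer says what distinguishes task.c from the header, e.g. `This file contains AppArmor functions used to manipulate task contexts and cred labels`. The remaining hunks in this file are the `current_task_ctx()` to `task_ctx(current)` rename and the removal of the helpers now inlined in task.h, which need no further change.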