Commit 12eb87d5 authored by John Johansen's avatar John Johansen

apparmor: update cap audit to check SECURITY_CAP_NOAUDIT

apparmor should be checking the SECURITY_CAP_NOAUDIT constant. Also
in complain mode make it so apparmor can elect to log a message,
informing of the check.
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 31f75bfe
...@@ -15,6 +15,7 @@ ...@@ -15,6 +15,7 @@
#include <linux/capability.h> #include <linux/capability.h>
#include <linux/errno.h> #include <linux/errno.h>
#include <linux/gfp.h> #include <linux/gfp.h>
#include <linux/security.h>
#include "include/apparmor.h" #include "include/apparmor.h"
#include "include/capability.h" #include "include/capability.h"
...@@ -55,6 +56,7 @@ static void audit_cb(struct audit_buffer *ab, void *va) ...@@ -55,6 +56,7 @@ static void audit_cb(struct audit_buffer *ab, void *va)
* audit_caps - audit a capability * audit_caps - audit a capability
* @profile: profile being tested for confinement (NOT NULL) * @profile: profile being tested for confinement (NOT NULL)
* @cap: capability tested * @cap: capability tested
@audit: whether an audit record should be generated
* @error: error code returned by test * @error: error code returned by test
* *
* Do auditing of capability and handle, audit/complain/kill modes switching * Do auditing of capability and handle, audit/complain/kill modes switching
...@@ -62,13 +64,16 @@ static void audit_cb(struct audit_buffer *ab, void *va) ...@@ -62,13 +64,16 @@ static void audit_cb(struct audit_buffer *ab, void *va)
* *
* Returns: 0 or sa->error on success, error code on failure * Returns: 0 or sa->error on success, error code on failure
*/ */
static int audit_caps(struct aa_profile *profile, int cap, int error) static int audit_caps(struct aa_profile *profile, int cap, int audit,
int error)
{ {
struct audit_cache *ent; struct audit_cache *ent;
int type = AUDIT_APPARMOR_AUTO; int type = AUDIT_APPARMOR_AUTO;
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, OP_CAPABLE); DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, OP_CAPABLE);
sa.u.cap = cap; sa.u.cap = cap;
aad(&sa)->error = error; aad(&sa)->error = error;
if (audit == SECURITY_CAP_NOAUDIT)
aad(&sa)->info = "optional: no audit";
if (likely(!error)) { if (likely(!error)) {
/* test if auditing is being forced */ /* test if auditing is being forced */
...@@ -129,11 +134,10 @@ int aa_capable(struct aa_profile *profile, int cap, int audit) ...@@ -129,11 +134,10 @@ int aa_capable(struct aa_profile *profile, int cap, int audit)
{ {
int error = profile_capable(profile, cap); int error = profile_capable(profile, cap);
if (!audit) { if (audit == SECURITY_CAP_NOAUDIT) {
if (COMPLAIN_MODE(profile)) if (!COMPLAIN_MODE(profile))
return complain_error(error);
return error; return error;
} }
return audit_caps(profile, cap, error); return audit_caps(profile, cap, audit, error);
} }
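Review bot: The new kernel-doc line for audit_caps, `@audit: whether an audit record should be generated`, reads as a boolean, but the parameter is only ever compared against SECURITY_CAP_NOAUDIT (in both audit_caps and aa_capable), so I would document the accepted values instead: `@audit: SECURITY_CAP_AUDIT or SECURITY_CAP_NOAUDIT, whether the check must be audited`. In aa_capable the nested test can also be written as one guard, `if (audit == SECURITY_CAP_NOAUDIT && !COMPLAIN_MODE(profile)) return error;`, which makes it visible that audit_caps is reached with SECURITY_CAP_NOAUDIT only in complain mode, i.e. the "optional: no audit" info tag always marks a complain-mode record. That path previously returned complain_error(error) without logging and now returns whatever audit_caps returns; presumably audit_caps maps complain mode to the same value, but its body continues outside the hunk, so a one-line comment on that branch saying the complain-mode result now comes from audit_caps would help the next reader. Since these checks were previously silent in complain mode, it is worth confirming the audit cache lookup in audit_caps (the `ent` it declares) de-duplicates repeated no-audit probes so the new logging cannot flood the audit log.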