Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
linux
Commits
2d679f3c
Commit
2d679f3c
authored
May 29, 2017
by
John Johansen
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
apparmor: switch from file_perms to aa_perms
Signed-off-by:
John Johansen
<
john.johansen@canonical.com
>
parent
aa9aeea8
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
29 additions
and
48 deletions
+29
-48
security/apparmor/domain.c
security/apparmor/domain.c
+9
-9
security/apparmor/file.c
security/apparmor/file.c
+14
-17
security/apparmor/include/file.h
security/apparmor/include/file.h
+4
-21
security/apparmor/include/perms.h
security/apparmor/include/perms.h
+1
-1
security/apparmor/lib.c
security/apparmor/lib.c
+1
-0
No files found.
security/apparmor/domain.c
View file @
2d679f3c
...
@@ -93,12 +93,12 @@ static int may_change_ptraced_domain(struct aa_profile *to_profile)
...
@@ -93,12 +93,12 @@ static int may_change_ptraced_domain(struct aa_profile *to_profile)
*
*
* Returns: permission set
* Returns: permission set
*/
*/
static
struct
file
_perms
change_profile_perms
(
struct
aa_profile
*
profile
,
static
struct
aa
_perms
change_profile_perms
(
struct
aa_profile
*
profile
,
struct
aa_ns
*
ns
,
struct
aa_ns
*
ns
,
const
char
*
name
,
u32
request
,
const
char
*
name
,
u32
request
,
unsigned
int
start
)
unsigned
int
start
)
{
{
struct
file
_perms
perms
;
struct
aa
_perms
perms
;
struct
path_cond
cond
=
{
};
struct
path_cond
cond
=
{
};
unsigned
int
state
;
unsigned
int
state
;
...
@@ -342,7 +342,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
...
@@ -342,7 +342,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
struct
aa_ns
*
ns
;
struct
aa_ns
*
ns
;
char
*
buffer
=
NULL
;
char
*
buffer
=
NULL
;
unsigned
int
state
;
unsigned
int
state
;
struct
file
_perms
perms
=
{};
struct
aa
_perms
perms
=
{};
struct
path_cond
cond
=
{
struct
path_cond
cond
=
{
file_inode
(
bprm
->
file
)
->
i_uid
,
file_inode
(
bprm
->
file
)
->
i_uid
,
file_inode
(
bprm
->
file
)
->
i_mode
file_inode
(
bprm
->
file
)
->
i_mode
...
@@ -400,7 +400,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
...
@@ -400,7 +400,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
/* find exec permissions for name */
/* find exec permissions for name */
state
=
aa_str_perms
(
profile
->
file
.
dfa
,
state
,
name
,
&
cond
,
&
perms
);
state
=
aa_str_perms
(
profile
->
file
.
dfa
,
state
,
name
,
&
cond
,
&
perms
);
if
(
ctx
->
onexec
)
{
if
(
ctx
->
onexec
)
{
struct
file
_perms
cp
;
struct
aa
_perms
cp
;
info
=
"change_profile onexec"
;
info
=
"change_profile onexec"
;
new_profile
=
aa_get_newest_profile
(
ctx
->
onexec
);
new_profile
=
aa_get_newest_profile
(
ctx
->
onexec
);
if
(
!
(
perms
.
allow
&
AA_MAY_ONEXEC
))
if
(
!
(
perms
.
allow
&
AA_MAY_ONEXEC
))
...
@@ -609,7 +609,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
...
@@ -609,7 +609,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
struct
aa_profile
*
profile
,
*
previous_profile
,
*
hat
=
NULL
;
struct
aa_profile
*
profile
,
*
previous_profile
,
*
hat
=
NULL
;
char
*
name
=
NULL
;
char
*
name
=
NULL
;
int
i
;
int
i
;
struct
file
_perms
perms
=
{};
struct
aa
_perms
perms
=
{};
const
char
*
target
=
NULL
,
*
info
=
NULL
;
const
char
*
target
=
NULL
,
*
info
=
NULL
;
int
error
=
0
;
int
error
=
0
;
...
@@ -748,7 +748,7 @@ int aa_change_profile(const char *fqname, bool onexec,
...
@@ -748,7 +748,7 @@ int aa_change_profile(const char *fqname, bool onexec,
{
{
const
struct
cred
*
cred
;
const
struct
cred
*
cred
;
struct
aa_profile
*
profile
,
*
target
=
NULL
;
struct
aa_profile
*
profile
,
*
target
=
NULL
;
struct
file
_perms
perms
=
{};
struct
aa
_perms
perms
=
{};
const
char
*
info
=
NULL
,
*
op
;
const
char
*
info
=
NULL
,
*
op
;
int
error
=
0
;
int
error
=
0
;
u32
request
;
u32
request
;
...
...
security/apparmor/file.c
View file @
2d679f3c
...
@@ -19,8 +19,6 @@
...
@@ -19,8 +19,6 @@
#include "include/path.h"
#include "include/path.h"
#include "include/policy.h"
#include "include/policy.h"
struct
file_perms
nullperms
;
static
u32
map_mask_to_chr_mask
(
u32
mask
)
static
u32
map_mask_to_chr_mask
(
u32
mask
)
{
{
u32
m
=
mask
&
PERMS_CHRS_MASK
;
u32
m
=
mask
&
PERMS_CHRS_MASK
;
...
@@ -92,7 +90,7 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
...
@@ -92,7 +90,7 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
*
*
* Returns: %0 or error on failure
* Returns: %0 or error on failure
*/
*/
int
aa_audit_file
(
struct
aa_profile
*
profile
,
struct
file
_perms
*
perms
,
int
aa_audit_file
(
struct
aa_profile
*
profile
,
struct
aa
_perms
*
perms
,
const
char
*
op
,
u32
request
,
const
char
*
name
,
const
char
*
op
,
u32
request
,
const
char
*
name
,
const
char
*
target
,
kuid_t
ouid
,
const
char
*
info
,
int
error
)
const
char
*
target
,
kuid_t
ouid
,
const
char
*
info
,
int
error
)
{
{
...
@@ -170,7 +168,7 @@ static u32 map_old_perms(u32 old)
...
@@ -170,7 +168,7 @@ static u32 map_old_perms(u32 old)
}
}
/**
/**
*
compute_
perms - convert dfa compressed perms to internal perms
*
aa_compute_f
perms - convert dfa compressed perms to internal perms
* @dfa: dfa to compute perms for (NOT NULL)
* @dfa: dfa to compute perms for (NOT NULL)
* @state: state in dfa
* @state: state in dfa
* @cond: conditions to consider (NOT NULL)
* @cond: conditions to consider (NOT NULL)
...
@@ -180,17 +178,21 @@ static u32 map_old_perms(u32 old)
...
@@ -180,17 +178,21 @@ static u32 map_old_perms(u32 old)
*
*
* Returns: computed permission set
* Returns: computed permission set
*/
*/
st
atic
struct
file_perms
compute_
perms
(
struct
aa_dfa
*
dfa
,
unsigned
int
state
,
st
ruct
aa_perms
aa_compute_f
perms
(
struct
aa_dfa
*
dfa
,
unsigned
int
state
,
struct
path_cond
*
cond
)
struct
path_cond
*
cond
)
{
{
struct
file
_perms
perms
;
struct
aa
_perms
perms
;
/* FIXME: change over to new dfa format
/* FIXME: change over to new dfa format
* currently file perms are encoded in the dfa, new format
* currently file perms are encoded in the dfa, new format
* splits the permissions from the dfa. This mapping can be
* splits the permissions from the dfa. This mapping can be
* done at profile load
* done at profile load
*/
*/
perms
.
kill
=
0
;
perms
.
deny
=
0
;
perms
.
kill
=
perms
.
stop
=
0
;
perms
.
complain
=
perms
.
cond
=
0
;
perms
.
hide
=
0
;
perms
.
prompt
=
0
;
if
(
uid_eq
(
current_fsuid
(),
cond
->
uid
))
{
if
(
uid_eq
(
current_fsuid
(),
cond
->
uid
))
{
perms
.
allow
=
map_old_perms
(
dfa_user_allow
(
dfa
,
state
));
perms
.
allow
=
map_old_perms
(
dfa_user_allow
(
dfa
,
state
));
...
@@ -226,16 +228,11 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
...
@@ -226,16 +228,11 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
*/
*/
unsigned
int
aa_str_perms
(
struct
aa_dfa
*
dfa
,
unsigned
int
start
,
unsigned
int
aa_str_perms
(
struct
aa_dfa
*
dfa
,
unsigned
int
start
,
const
char
*
name
,
struct
path_cond
*
cond
,
const
char
*
name
,
struct
path_cond
*
cond
,
struct
file
_perms
*
perms
)
struct
aa
_perms
*
perms
)
{
{
unsigned
int
state
;
unsigned
int
state
;
if
(
!
dfa
)
{
*
perms
=
nullperms
;
return
DFA_NOMATCH
;
}
state
=
aa_dfa_match
(
dfa
,
start
,
name
);
state
=
aa_dfa_match
(
dfa
,
start
,
name
);
*
perms
=
compute_
perms
(
dfa
,
state
,
cond
);
*
perms
=
aa_compute_f
perms
(
dfa
,
state
,
cond
);
return
state
;
return
state
;
}
}
...
@@ -269,7 +266,7 @@ int aa_path_perm(const char *op, struct aa_profile *profile,
...
@@ -269,7 +266,7 @@ int aa_path_perm(const char *op, struct aa_profile *profile,
struct
path_cond
*
cond
)
struct
path_cond
*
cond
)
{
{
char
*
buffer
=
NULL
;
char
*
buffer
=
NULL
;
struct
file
_perms
perms
=
{};
struct
aa
_perms
perms
=
{};
const
char
*
name
,
*
info
=
NULL
;
const
char
*
name
,
*
info
=
NULL
;
int
error
;
int
error
;
...
@@ -348,7 +345,7 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
...
@@ -348,7 +345,7 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
};
};
char
*
buffer
=
NULL
,
*
buffer2
=
NULL
;
char
*
buffer
=
NULL
,
*
buffer2
=
NULL
;
const
char
*
lname
,
*
tname
=
NULL
,
*
info
=
NULL
;
const
char
*
lname
,
*
tname
=
NULL
,
*
info
=
NULL
;
struct
file
_perms
lperms
,
perms
;
struct
aa
_perms
lperms
,
perms
;
u32
request
=
AA_MAY_LINK
;
u32
request
=
AA_MAY_LINK
;
unsigned
int
state
;
unsigned
int
state
;
int
error
;
int
error
;
...
...
security/apparmor/include/file.h
View file @
2d679f3c
...
@@ -90,25 +90,6 @@ struct path_cond {
...
@@ -90,25 +90,6 @@ struct path_cond {
umode_t
mode
;
umode_t
mode
;
};
};
/* struct file_perms - file permission
* @allow: mask of permissions that are allowed
* @audit: mask of permissions to force an audit message for
* @quiet: mask of permissions to quiet audit messages for
* @kill: mask of permissions that when matched will kill the task
* @xindex: exec transition index if @allow contains MAY_EXEC
*
* The @audit and @queit mask should be mutually exclusive.
*/
struct
file_perms
{
u32
allow
;
u32
audit
;
u32
quiet
;
u32
kill
;
u16
xindex
;
};
extern
struct
file_perms
nullperms
;
#define COMBINED_PERM_MASK(X) ((X).allow | (X).audit | (X).quiet | (X).kill)
#define COMBINED_PERM_MASK(X) ((X).allow | (X).audit | (X).quiet | (X).kill)
/* FIXME: split perms from dfa and match this to description
/* FIXME: split perms from dfa and match this to description
...
@@ -159,7 +140,7 @@ static inline u16 dfa_map_xindex(u16 mask)
...
@@ -159,7 +140,7 @@ static inline u16 dfa_map_xindex(u16 mask)
#define dfa_other_xindex(dfa, state) \
#define dfa_other_xindex(dfa, state) \
dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
int
aa_audit_file
(
struct
aa_profile
*
profile
,
struct
file
_perms
*
perms
,
int
aa_audit_file
(
struct
aa_profile
*
profile
,
struct
aa
_perms
*
perms
,
const
char
*
op
,
u32
request
,
const
char
*
name
,
const
char
*
op
,
u32
request
,
const
char
*
name
,
const
char
*
target
,
kuid_t
ouid
,
const
char
*
info
,
int
error
);
const
char
*
target
,
kuid_t
ouid
,
const
char
*
info
,
int
error
);
...
@@ -182,9 +163,11 @@ struct aa_file_rules {
...
@@ -182,9 +163,11 @@ struct aa_file_rules {
/* TODO: add delegate table */
/* TODO: add delegate table */
};
};
struct
aa_perms
aa_compute_fperms
(
struct
aa_dfa
*
dfa
,
unsigned
int
state
,
struct
path_cond
*
cond
);
unsigned
int
aa_str_perms
(
struct
aa_dfa
*
dfa
,
unsigned
int
start
,
unsigned
int
aa_str_perms
(
struct
aa_dfa
*
dfa
,
unsigned
int
start
,
const
char
*
name
,
struct
path_cond
*
cond
,
const
char
*
name
,
struct
path_cond
*
cond
,
struct
file
_perms
*
perms
);
struct
aa
_perms
*
perms
);
int
aa_path_perm
(
const
char
*
op
,
struct
aa_profile
*
profile
,
int
aa_path_perm
(
const
char
*
op
,
struct
aa_profile
*
profile
,
const
struct
path
*
path
,
int
flags
,
u32
request
,
const
struct
path
*
path
,
int
flags
,
u32
request
,
...
...
security/apparmor/include/perms.h
View file @
2d679f3c
...
@@ -88,7 +88,7 @@ struct aa_perms {
...
@@ -88,7 +88,7 @@ struct aa_perms {
};
};
#define ALL_PERMS_MASK 0xffffffff
#define ALL_PERMS_MASK 0xffffffff
extern
struct
aa_perms
nullperms
;
extern
struct
aa_perms
allperms
;
extern
struct
aa_perms
allperms
;
struct
aa_profile
;
struct
aa_profile
;
...
...
security/apparmor/lib.c
View file @
2d679f3c
...
@@ -24,6 +24,7 @@
...
@@ -24,6 +24,7 @@
#include "include/perms.h"
#include "include/perms.h"
#include "include/policy.h"
#include "include/policy.h"
struct
aa_perms
nullperms
;
struct
aa_perms
allperms
=
{
.
allow
=
ALL_PERMS_MASK
,
struct
aa_perms
allperms
=
{
.
allow
=
ALL_PERMS_MASK
,
.
quiet
=
ALL_PERMS_MASK
,
.
quiet
=
ALL_PERMS_MASK
,
.
hide
=
ALL_PERMS_MASK
};
.
hide
=
ALL_PERMS_MASK
};
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment