Commit 31f75bfe authored by John Johansen's avatar John Johansen

apparmor: make computing policy hashes conditional on kernel parameter

Allow turning off the computation of the policy hashes via the
apparmor.hash_policy kernel parameter.
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent aa9a39ad
...@@ -166,42 +166,42 @@ static int common_perm(const char *op, const struct path *path, u32 mask, ...@@ -166,42 +166,42 @@ static int common_perm(const char *op, const struct path *path, u32 mask,
} }
/** /**
* common_perm_dir_dentry - common permission wrapper when path is dir, dentry * common_perm_cond - common permission wrapper around inode cond
* @op: operation being checked * @op: operation being checked
* @dir: directory of the dentry (NOT NULL) * @path: location to check (NOT NULL)
* @dentry: dentry to check (NOT NULL)
* @mask: requested permissions mask * @mask: requested permissions mask
* @cond: conditional info for the permission request (NOT NULL)
* *
* Returns: %0 else error code if error or permission denied * Returns: %0 else error code if error or permission denied
*/ */
static int common_perm_dir_dentry(const char *op, const struct path *dir, static int common_perm_cond(const char *op, const struct path *path, u32 mask)
struct dentry *dentry, u32 mask,
struct path_cond *cond)
{ {
struct path path = { .mnt = dir->mnt, .dentry = dentry }; struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
d_backing_inode(path->dentry)->i_mode
};
return common_perm(op, &path, mask, cond); if (!path_mediated_fs(path->dentry))
return 0;
return common_perm(op, path, mask, &cond);
} }
/** /**
* common_perm_path - common permission wrapper when mnt, dentry * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
* @op: operation being checked * @op: operation being checked
* @path: location to check (NOT NULL) * @dir: directory of the dentry (NOT NULL)
* @dentry: dentry to check (NOT NULL)
* @mask: requested permissions mask * @mask: requested permissions mask
* @cond: conditional info for the permission request (NOT NULL)
* *
* Returns: %0 else error code if error or permission denied * Returns: %0 else error code if error or permission denied
*/ */
static inline int common_perm_path(const char *op, const struct path *path, static int common_perm_dir_dentry(const char *op, const struct path *dir,
u32 mask) struct dentry *dentry, u32 mask,
struct path_cond *cond)
{ {
struct path_cond cond = { d_backing_inode(path->dentry)->i_uid, struct path path = { .mnt = dir->mnt, .dentry = dentry };
d_backing_inode(path->dentry)->i_mode
};
if (!path_mediated_fs(path->dentry))
return 0;
return common_perm(op, path, mask, &cond); return common_perm(op, &path, mask, cond);
} }
/** /**
...@@ -274,7 +274,7 @@ static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, ...@@ -274,7 +274,7 @@ static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
static int apparmor_path_truncate(const struct path *path) static int apparmor_path_truncate(const struct path *path)
{ {
return common_perm_path(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE); return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE);
} }
static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
...@@ -333,17 +333,17 @@ static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_d ...@@ -333,17 +333,17 @@ static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_d
static int apparmor_path_chmod(const struct path *path, umode_t mode) static int apparmor_path_chmod(const struct path *path, umode_t mode)
{ {
return common_perm_path(OP_CHMOD, path, AA_MAY_CHMOD); return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD);
} }
static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid) static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
{ {
return common_perm_path(OP_CHOWN, path, AA_MAY_CHOWN); return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN);
} }
static int apparmor_inode_getattr(const struct path *path) static int apparmor_inode_getattr(const struct path *path)
{ {
return common_perm_path(OP_GETATTR, path, AA_MAY_META_READ); return common_perm_cond(OP_GETATTR, path, AA_MAY_META_READ);
} }
static int apparmor_file_open(struct file *file, const struct cred *cred) static int apparmor_file_open(struct file *file, const struct cred *cred)
......
...@@ -825,6 +825,7 @@ int aa_unpack(struct aa_loaddata *udata, struct list_head *lh, ...@@ -825,6 +825,7 @@ int aa_unpack(struct aa_loaddata *udata, struct list_head *lh,
if (error) if (error)
goto fail_profile; goto fail_profile;
if (aa_g_hash_policy)
error = aa_calc_profile_hash(profile, e.version, start, error = aa_calc_profile_hash(profile, e.version, start,
e.pos - start); e.pos - start);
if (error) if (error)
...@@ -841,12 +842,14 @@ int aa_unpack(struct aa_loaddata *udata, struct list_head *lh, ...@@ -841,12 +842,14 @@ int aa_unpack(struct aa_loaddata *udata, struct list_head *lh,
list_add_tail(&ent->list, lh); list_add_tail(&ent->list, lh);
} }
udata->abi = e.version & K_ABI_MASK; udata->abi = e.version & K_ABI_MASK;
if (aa_g_hash_policy) {
udata->hash = aa_calc_hash(udata->data, udata->size); udata->hash = aa_calc_hash(udata->data, udata->size);
if (IS_ERR(udata->hash)) { if (IS_ERR(udata->hash)) {
error = PTR_ERR(udata->hash); error = PTR_ERR(udata->hash);
udata->hash = NULL; udata->hash = NULL;
goto fail; goto fail;
} }
}
return 0; return 0;
fail_profile: fail_profile:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment