72c8a768
Commit
72c8a768
authored
May 22, 2017
by
John Johansen
apparmor: allow profiles to provide info to disconnected paths
Signed-off-by:
John Johansen
<
john.johansen@canonical.com
>
parent
b91deb9d
Changes
6
Showing
6 changed files
with
34 additions
and
17 deletions
+34
-17
security/apparmor/domain.c
security/apparmor/domain.c
+1
-1
security/apparmor/file.c
security/apparmor/file.c
+4
-3
security/apparmor/include/path.h
security/apparmor/include/path.h
+2
-1
security/apparmor/include/policy.h
security/apparmor/include/policy.h
+2
-0
security/apparmor/path.c
security/apparmor/path.c
+22
-12
security/apparmor/policy_unpack.c
security/apparmor/policy_unpack.c
+3
-0
security/apparmor/domain.c
...
@@ -366,7 +366,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
...
@@ -366,7 +366,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
/* buffer freed below, name is pointer into buffer */
/* buffer freed below, name is pointer into buffer */
error
=
aa_path_name
(
&
bprm
->
file
->
f_path
,
profile
->
path_flags
,
&
buffer
,
error
=
aa_path_name
(
&
bprm
->
file
->
f_path
,
profile
->
path_flags
,
&
buffer
,
&
name
,
&
info
);
&
name
,
&
info
,
profile
->
disconnected
);
if
(
error
)
{
if
(
error
)
{
if
(
unconfined
(
profile
)
||
if
(
unconfined
(
profile
)
||
(
profile
->
flags
&
PFLAG_IX_ON_NAME_ERROR
))
(
profile
->
flags
&
PFLAG_IX_ON_NAME_ERROR
))
...
...
security/apparmor/file.c
...
@@ -285,7 +285,8 @@ int aa_path_perm(const char *op, struct aa_profile *profile,
...
@@ -285,7 +285,8 @@ int aa_path_perm(const char *op, struct aa_profile *profile,
int
error
;
int
error
;
flags
|=
profile
->
path_flags
|
(
S_ISDIR
(
cond
->
mode
)
?
PATH_IS_DIR
:
0
);
flags
|=
profile
->
path_flags
|
(
S_ISDIR
(
cond
->
mode
)
?
PATH_IS_DIR
:
0
);
error
=
aa_path_name
(
path
,
flags
,
&
buffer
,
&
name
,
&
info
);
error
=
aa_path_name
(
path
,
flags
,
&
buffer
,
&
name
,
&
info
,
profile
->
disconnected
);
if
(
error
)
{
if
(
error
)
{
if
(
error
==
-
ENOENT
&&
is_deleted
(
path
->
dentry
))
{
if
(
error
==
-
ENOENT
&&
is_deleted
(
path
->
dentry
))
{
/* Access to open files that are deleted are
/* Access to open files that are deleted are
...
@@ -366,13 +367,13 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
...
@@ -366,13 +367,13 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
/* buffer freed below, lname is pointer in buffer */
/* buffer freed below, lname is pointer in buffer */
error
=
aa_path_name
(
&
link
,
profile
->
path_flags
,
&
buffer
,
&
lname
,
error
=
aa_path_name
(
&
link
,
profile
->
path_flags
,
&
buffer
,
&
lname
,
&
info
);
&
info
,
profile
->
disconnected
);
if
(
error
)
if
(
error
)
goto
audit
;
goto
audit
;
/* buffer2 freed below, tname is pointer in buffer2 */
/* buffer2 freed below, tname is pointer in buffer2 */
error
=
aa_path_name
(
&
target
,
profile
->
path_flags
,
&
buffer2
,
&
tname
,
error
=
aa_path_name
(
&
target
,
profile
->
path_flags
,
&
buffer2
,
&
tname
,
&
info
);
&
info
,
profile
->
disconnected
);
if
(
error
)
if
(
error
)
goto
audit
;
goto
audit
;
...
...
security/apparmor/include/path.h
...
@@ -27,7 +27,8 @@ enum path_flags {
...
@@ -27,7 +27,8 @@ enum path_flags {
};
};
int
aa_path_name
(
const
struct
path
*
path
,
int
flags
,
char
**
buffer
,
int
aa_path_name
(
const
struct
path
*
path
,
int
flags
,
char
**
buffer
,
const
char
**
name
,
const
char
**
info
);
const
char
**
name
,
const
char
**
info
,
const
char
*
disconnected
);
#define MAX_PATH_BUFFERS 2
#define MAX_PATH_BUFFERS 2
...
...
security/apparmor/include/policy.h
...
@@ -128,6 +128,7 @@ struct aa_data {
...
@@ -128,6 +128,7 @@ struct aa_data {
* @mode: the enforcement mode of the profile
* @mode: the enforcement mode of the profile
* @flags: flags controlling profile behavior
* @flags: flags controlling profile behavior
* @path_flags: flags controlling path generation behavior
* @path_flags: flags controlling path generation behavior
* @disconnected: what to prepend if attach_disconnected is specified
* @size: the memory consumed by this profiles rules
* @size: the memory consumed by this profiles rules
* @policy: general match rules governing policy
* @policy: general match rules governing policy
* @file: The set of rules governing basic file access and domain transitions
* @file: The set of rules governing basic file access and domain transitions
...
@@ -169,6 +170,7 @@ struct aa_profile {
...
@@ -169,6 +170,7 @@ struct aa_profile {
long
mode
;
long
mode
;
long
flags
;
long
flags
;
u32
path_flags
;
u32
path_flags
;
const
char
*
disconnected
;
int
size
;
int
size
;
struct
aa_policydb
policy
;
struct
aa_policydb
policy
;
...
...
security/apparmor/path.c
...
@@ -50,7 +50,7 @@ static int prepend(char **buffer, int buflen, const char *str, int namelen)
...
@@ -50,7 +50,7 @@ static int prepend(char **buffer, int buflen, const char *str, int namelen)
* namespace root.
* namespace root.
*/
*/
static
int
disconnect
(
const
struct
path
*
path
,
char
*
buf
,
char
**
name
,
static
int
disconnect
(
const
struct
path
*
path
,
char
*
buf
,
char
**
name
,
int
flags
)
int
flags
,
const
char
*
disconnected
)
{
{
int
error
=
0
;
int
error
=
0
;
...
@@ -63,9 +63,14 @@ static int disconnect(const struct path *path, char *buf, char **name,
...
@@ -63,9 +63,14 @@ static int disconnect(const struct path *path, char *buf, char **name,
error
=
-
EACCES
;
error
=
-
EACCES
;
if
(
**
name
==
'/'
)
if
(
**
name
==
'/'
)
*
name
=
*
name
+
1
;
*
name
=
*
name
+
1
;
}
else
if
(
**
name
!=
'/'
)
}
else
{
/* CONNECT_PATH with missing root */
if
(
**
name
!=
'/'
)
error
=
prepend
(
name
,
*
name
-
buf
,
"/"
,
1
);
/* CONNECT_PATH with missing root */
error
=
prepend
(
name
,
*
name
-
buf
,
"/"
,
1
);
if
(
!
error
&&
disconnected
)
error
=
prepend
(
name
,
*
name
-
buf
,
disconnected
,
strlen
(
disconnected
));
}
return
error
;
return
error
;
}
}
...
@@ -77,6 +82,7 @@ static int disconnect(const struct path *path, char *buf, char **name,
...
@@ -77,6 +82,7 @@ static int disconnect(const struct path *path, char *buf, char **name,
* @buflen: length of @buf
* @buflen: length of @buf
* @name: Returns - pointer for start of path name with in @buf (NOT NULL)
* @name: Returns - pointer for start of path name with in @buf (NOT NULL)
* @flags: flags controlling path lookup
* @flags: flags controlling path lookup
* @disconnected: string to prefix to disconnected paths
*
*
* Handle path name lookup.
* Handle path name lookup.
*
*
...
@@ -85,7 +91,7 @@ static int disconnect(const struct path *path, char *buf, char **name,
...
@@ -85,7 +91,7 @@ static int disconnect(const struct path *path, char *buf, char **name,
* to a position in @buf
* to a position in @buf
*/
*/
static
int
d_namespace_path
(
const
struct
path
*
path
,
char
*
buf
,
int
buflen
,
static
int
d_namespace_path
(
const
struct
path
*
path
,
char
*
buf
,
int
buflen
,
char
**
name
,
int
flags
)
char
**
name
,
int
flags
,
const
char
*
disconnected
)
{
{
char
*
res
;
char
*
res
;
int
error
=
0
;
int
error
=
0
;
...
@@ -106,8 +112,8 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen,
...
@@ -106,8 +112,8 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen,
*/
*/
return
prepend
(
name
,
*
name
-
buf
,
"/proc"
,
5
);
return
prepend
(
name
,
*
name
-
buf
,
"/proc"
,
5
);
}
else
}
else
return
disconnect
(
path
,
buf
,
name
,
flags
);
return
disconnect
(
path
,
buf
,
name
,
flags
,
return
0
;
disconnected
)
;
}
}
/* resolve paths relative to chroot?*/
/* resolve paths relative to chroot?*/
...
@@ -153,7 +159,7 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen,
...
@@ -153,7 +159,7 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen,
}
}
if
(
!
connected
)
if
(
!
connected
)
error
=
disconnect
(
path
,
buf
,
name
,
flags
);
error
=
disconnect
(
path
,
buf
,
name
,
flags
,
disconnected
);
out:
out:
return
error
;
return
error
;
...
@@ -170,10 +176,12 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen,
...
@@ -170,10 +176,12 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen,
* Returns: %0 else error on failure
* Returns: %0 else error on failure
*/
*/
static
int
get_name_to_buffer
(
const
struct
path
*
path
,
int
flags
,
char
*
buffer
,
static
int
get_name_to_buffer
(
const
struct
path
*
path
,
int
flags
,
char
*
buffer
,
int
size
,
char
**
name
,
const
char
**
info
)
int
size
,
char
**
name
,
const
char
**
info
,
const
char
*
disconnected
)
{
{
int
adjust
=
(
flags
&
PATH_IS_DIR
)
?
1
:
0
;
int
adjust
=
(
flags
&
PATH_IS_DIR
)
?
1
:
0
;
int
error
=
d_namespace_path
(
path
,
buffer
,
size
-
adjust
,
name
,
flags
);
int
error
=
d_namespace_path
(
path
,
buffer
,
size
-
adjust
,
name
,
flags
,
disconnected
);
if
(
!
error
&&
(
flags
&
PATH_IS_DIR
)
&&
(
*
name
)[
1
]
!=
'\0'
)
if
(
!
error
&&
(
flags
&
PATH_IS_DIR
)
&&
(
*
name
)[
1
]
!=
'\0'
)
/*
/*
...
@@ -203,6 +211,7 @@ static int get_name_to_buffer(const struct path *path, int flags, char *buffer,
...
@@ -203,6 +211,7 @@ static int get_name_to_buffer(const struct path *path, int flags, char *buffer,
* @buffer: buffer that aa_get_name() allocated (NOT NULL)
* @buffer: buffer that aa_get_name() allocated (NOT NULL)
* @name: Returns - the generated path name if !error (NOT NULL)
* @name: Returns - the generated path name if !error (NOT NULL)
* @info: Returns - information on why the path lookup failed (MAYBE NULL)
* @info: Returns - information on why the path lookup failed (MAYBE NULL)
* @disconnected: string to prepend to disconnected paths
*
*
* @name is a pointer to the beginning of the pathname (which usually differs
* @name is a pointer to the beginning of the pathname (which usually differs
* from the beginning of the buffer), or NULL. If there is an error @name
* from the beginning of the buffer), or NULL. If there is an error @name
...
@@ -216,7 +225,7 @@ static int get_name_to_buffer(const struct path *path, int flags, char *buffer,
...
@@ -216,7 +225,7 @@ static int get_name_to_buffer(const struct path *path, int flags, char *buffer,
* Returns: %0 else error code if could retrieve name
* Returns: %0 else error code if could retrieve name
*/
*/
int
aa_path_name
(
const
struct
path
*
path
,
int
flags
,
char
**
buffer
,
int
aa_path_name
(
const
struct
path
*
path
,
int
flags
,
char
**
buffer
,
const
char
**
name
,
const
char
**
info
)
const
char
**
name
,
const
char
**
info
,
const
char
*
disconnected
)
{
{
char
*
buf
,
*
str
=
NULL
;
char
*
buf
,
*
str
=
NULL
;
int
size
=
256
;
int
size
=
256
;
...
@@ -230,7 +239,8 @@ int aa_path_name(const struct path *path, int flags, char **buffer,
...
@@ -230,7 +239,8 @@ int aa_path_name(const struct path *path, int flags, char **buffer,
if
(
!
buf
)
if
(
!
buf
)
return
-
ENOMEM
;
return
-
ENOMEM
;
error
=
get_name_to_buffer
(
path
,
flags
,
buf
,
size
,
&
str
,
info
);
error
=
get_name_to_buffer
(
path
,
flags
,
buf
,
size
,
&
str
,
info
,
disconnected
);
if
(
error
!=
-
ENAMETOOLONG
)
if
(
error
!=
-
ENAMETOOLONG
)
break
;
break
;
...
...
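Review bot: In disconnect(), the new `error = prepend(name, *name - buf, disconnected, strlen(disconnected));` inserts the policy-supplied prefix verbatim in front of the just-rooted path, so the generated name becomes `<disconnected>/<rest>`, and nothing in the hunk checks that the prefix is non-empty, begins with '/' or has no trailing '/'; a prefix like `foo/` would presumably produce a name that is neither absolute nor canonical. If the userspace parser is relied on to enforce that form, the contract belongs on the new kerneldoc line, e.g. `* @disconnected: absolute path prefix (no trailing '/') to prepend to disconnected paths, or NULL`; otherwise the unpack side needs a check. The prefix is only applied in the CONNECT_PATH branch; the -EACCES branch just above it leaves the name unprefixed, which looks intended but could use a one-line comment. disconnect()'s enclosing if/else begins before the hunk.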
security/apparmor/policy_unpack.c
...
@@ -569,6 +569,9 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
...
@@ -569,6 +569,9 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
profile
->
xmatch_len
=
tmp
;
profile
->
xmatch_len
=
tmp
;
}
}
/* disconnected attachment string is optional */
(
void
)
unpack_str
(
e
,
&
profile
->
disconnected
,
"disconnected"
);
/* per profile debug flags (complain, audit) */
/* per profile debug flags (complain, audit) */
if
(
!
unpack_nameX
(
e
,
AA_STRUCT
,
"flags"
))
if
(
!
unpack_nameX
(
e
,
AA_STRUCT
,
"flags"
))
goto
fail
;
goto
fail
;
...
...
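Review bot: The added `(void) unpack_str(e, &profile->disconnected, "disconnected");` stores a pointer that, unlike the strdup-style unpackers used elsewhere in this file, appears to alias the loaded policy data rather than a private copy (unpack_str's body is outside this page — confirm), and disconnect() in path.c later calls strlen() on it; correctness therefore rests on unpack_str rejecting unterminated strings and on that data outliving the profile, and the commit adds no free for the new field, which is consistent with aliasing but is nowhere stated. If that is the case, the comment should say so, e.g. `/* disconnected attachment string is optional; NOT a copy, it points into the policy data and lives as long as it does */`. unpack_profile() starts and ends outside the hunk.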