Commit f567e7fa authored by John Johansen's avatar John Johansen

apparmor: extend policydb permission set by making use of the xbits

The policydb permission set has left the xbits unused. Make them available
for mediation.
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent c1ed5da1
...@@ -2334,6 +2334,7 @@ static struct aa_sfs_entry aa_sfs_entry_versions[] = { ...@@ -2334,6 +2334,7 @@ static struct aa_sfs_entry aa_sfs_entry_versions[] = {
AA_SFS_FILE_BOOLEAN("v6", 1), AA_SFS_FILE_BOOLEAN("v6", 1),
AA_SFS_FILE_BOOLEAN("v7", 1), AA_SFS_FILE_BOOLEAN("v7", 1),
AA_SFS_FILE_BOOLEAN("v8", 1), AA_SFS_FILE_BOOLEAN("v8", 1),
AA_SFS_FILE_BOOLEAN("v9", 1),
{ } { }
}; };
......
...@@ -142,6 +142,7 @@ static inline u16 dfa_map_xindex(u16 mask) ...@@ -142,6 +142,7 @@ static inline u16 dfa_map_xindex(u16 mask)
*/ */
#define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \ #define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \
((ACCEPT_TABLE(dfa)[state]) & 0x80000000)) ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
#define dfa_user_xbits(dfa, state) (((ACCEPT_TABLE(dfa)[state]) >> 7) & 0x7f)
#define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f) #define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f)
#define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f) #define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f)
#define dfa_user_xindex(dfa, state) \ #define dfa_user_xindex(dfa, state) \
...@@ -150,6 +151,8 @@ static inline u16 dfa_map_xindex(u16 mask) ...@@ -150,6 +151,8 @@ static inline u16 dfa_map_xindex(u16 mask)
#define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \ #define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \
0x7f) | \ 0x7f) | \
((ACCEPT_TABLE(dfa)[state]) & 0x80000000)) ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
#define dfa_other_xbits(dfa, state) \
((((ACCEPT_TABLE(dfa)[state]) >> 7) >> 14) & 0x7f)
#define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f) #define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f)
#define dfa_other_quiet(dfa, state) \ #define dfa_other_quiet(dfa, state) \
((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f) ((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f)
......
...@@ -322,22 +322,39 @@ static u32 map_other(u32 x) ...@@ -322,22 +322,39 @@ static u32 map_other(u32 x)
((x & 0x60) << 19); /* SETOPT/GETOPT */ ((x & 0x60) << 19); /* SETOPT/GETOPT */
} }
static u32 map_xbits(u32 x)
{
return ((x & 0x1) << 7) |
((x & 0x7e) << 9);
}
void aa_compute_perms(struct aa_dfa *dfa, unsigned int state, void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
struct aa_perms *perms) struct aa_perms *perms)
{ {
/* This mapping is convulated due to history.
* v1-v4: only file perms
* v5: added policydb which dropped in perm user conditional to
* gain new perm bits, but had to map around the xbits because
* the userspace compiler was still munging them.
* v9: adds using the xbits in policydb because the compiler now
* supports treating policydb permission bits different.
* Unfortunately there is not way to force auditing on the
* perms represented by the xbits
*/
*perms = (struct aa_perms) { *perms = (struct aa_perms) {
.allow = dfa_user_allow(dfa, state), .allow = dfa_user_allow(dfa, state) |
map_xbits(dfa_user_xbits(dfa, state)),
.audit = dfa_user_audit(dfa, state), .audit = dfa_user_audit(dfa, state),
.quiet = dfa_user_quiet(dfa, state), .quiet = dfa_user_quiet(dfa, state) |
map_xbits(dfa_other_xbits(dfa, state)),
}; };
/* for v5 perm mapping in the policydb, the other set is used /* for v5-v9 perm mapping in the policydb, the other set is used
* to extend the general perm set * to extend the general perm set
*/ */
perms->allow |= map_other(dfa_other_allow(dfa, state)); perms->allow |= map_other(dfa_other_allow(dfa, state));
perms->audit |= map_other(dfa_other_audit(dfa, state)); perms->audit |= map_other(dfa_other_audit(dfa, state));
perms->quiet |= map_other(dfa_other_quiet(dfa, state)); perms->quiet |= map_other(dfa_other_quiet(dfa, state));
// perms->xindex = dfa_user_xindex(dfa, state);
} }
/** /**
......
...@@ -217,7 +217,6 @@ static struct aa_perms compute_mnt_perms(struct aa_dfa *dfa, ...@@ -217,7 +217,6 @@ static struct aa_perms compute_mnt_perms(struct aa_dfa *dfa,
.allow = dfa_user_allow(dfa, state), .allow = dfa_user_allow(dfa, state),
.audit = dfa_user_audit(dfa, state), .audit = dfa_user_audit(dfa, state),
.quiet = dfa_user_quiet(dfa, state), .quiet = dfa_user_quiet(dfa, state),
.xindex = dfa_user_xindex(dfa, state),
}; };
return perms; return perms;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment