|
Goldwyn Rodrigues |
e310a9 |
From 9f953bce43a028fa2b60531081f881a1c67197c6 Mon Sep 17 00:00:00 2001
|
|
Goldwyn Rodrigues |
e310a9 |
From: John Johansen <john.johansen@canonical.com>
|
|
Goldwyn Rodrigues |
e310a9 |
Date: Fri, 9 Jun 2017 15:48:20 -0700
|
|
Goldwyn Rodrigues |
e310a9 |
Subject: [PATCH 53/65] apparmor: update aa_audit_file() to use labels
|
|
Goldwyn Rodrigues |
e310a9 |
Git-commit: 98c3d182321d489d8bfaa596127020ec3027edb2
|
|
Goldwyn Rodrigues |
e310a9 |
Patch-mainline: v4.13-rc1
|
|
Goldwyn Rodrigues |
e310a9 |
References: FATE#323500
|
|
Goldwyn Rodrigues |
e310a9 |
|
|
Goldwyn Rodrigues |
e310a9 |
Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
|
|
Goldwyn Rodrigues |
e310a9 |
Signed-off-by: John Johansen <john.johansen@canonical.com>
|
|
Goldwyn Rodrigues |
e310a9 |
---
|
|
Goldwyn Rodrigues |
e310a9 |
security/apparmor/domain.c | 6 ++++--
|
|
Goldwyn Rodrigues |
e310a9 |
security/apparmor/file.c | 18 ++++++++++++------
|
|
Goldwyn Rodrigues |
e310a9 |
security/apparmor/include/file.h | 3 ++-
|
|
Goldwyn Rodrigues |
e310a9 |
3 files changed, 18 insertions(+), 9 deletions(-)
|
|
Goldwyn Rodrigues |
e310a9 |
|
|
Goldwyn Rodrigues |
e310a9 |
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
|
|
Goldwyn Rodrigues |
e310a9 |
index fab8923ae38e..896bca01828e 100644
|
|
Goldwyn Rodrigues |
e310a9 |
--- a/security/apparmor/domain.c
|
|
Goldwyn Rodrigues |
e310a9 |
+++ b/security/apparmor/domain.c
|
|
Goldwyn Rodrigues |
e310a9 |
@@ -518,6 +518,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
|
|
Goldwyn Rodrigues |
e310a9 |
audit:
|
|
Goldwyn Rodrigues |
e310a9 |
error = aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name,
|
|
Goldwyn Rodrigues |
e310a9 |
new_profile ? new_profile->base.hname : NULL,
|
|
Goldwyn Rodrigues |
e310a9 |
+ new_profile ? &new_profile->label : NULL,
|
|
Goldwyn Rodrigues |
e310a9 |
cond.uid, info, error);
|
|
Goldwyn Rodrigues |
e310a9 |
|
|
Goldwyn Rodrigues |
e310a9 |
cleanup:
|
|
Goldwyn Rodrigues |
e310a9 |
@@ -694,7 +695,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
|
|
Goldwyn Rodrigues |
e310a9 |
audit:
|
|
Goldwyn Rodrigues |
e310a9 |
if (!(flags & AA_CHANGE_TEST))
|
|
Goldwyn Rodrigues |
e310a9 |
error = aa_audit_file(profile, &perms, OP_CHANGE_HAT,
|
|
Goldwyn Rodrigues |
e310a9 |
- AA_MAY_CHANGEHAT, NULL, target,
|
|
Goldwyn Rodrigues |
e310a9 |
+ AA_MAY_CHANGEHAT, NULL, target, NULL,
|
|
Goldwyn Rodrigues |
e310a9 |
GLOBAL_ROOT_UID, info, error);
|
|
Goldwyn Rodrigues |
e310a9 |
|
|
Goldwyn Rodrigues |
e310a9 |
out:
|
|
Goldwyn Rodrigues |
e310a9 |
@@ -802,7 +803,8 @@ int aa_change_profile(const char *fqname, int flags)
|
|
Goldwyn Rodrigues |
e310a9 |
audit:
|
|
Goldwyn Rodrigues |
e310a9 |
if (!(flags & AA_CHANGE_TEST))
|
|
Goldwyn Rodrigues |
e310a9 |
error = aa_audit_file(profile, &perms, op, request, NULL,
|
|
Goldwyn Rodrigues |
e310a9 |
- fqname, GLOBAL_ROOT_UID, info, error);
|
|
Goldwyn Rodrigues |
e310a9 |
+ fqname, NULL, GLOBAL_ROOT_UID, info,
|
|
Goldwyn Rodrigues |
e310a9 |
+ error);
|
|
Goldwyn Rodrigues |
e310a9 |
|
|
Goldwyn Rodrigues |
e310a9 |
aa_put_profile(target);
|
|
Goldwyn Rodrigues |
e310a9 |
aa_put_label(label);
|
|
Goldwyn Rodrigues |
e310a9 |
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
|
|
Goldwyn Rodrigues |
e310a9 |
index c13e967137a8..a40bc1e276dc 100644
|
|
Goldwyn Rodrigues |
e310a9 |
--- a/security/apparmor/file.c
|
|
Goldwyn Rodrigues |
e310a9 |
+++ b/security/apparmor/file.c
|
|
Goldwyn Rodrigues |
e310a9 |
@@ -75,7 +75,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
|
|
Goldwyn Rodrigues |
e310a9 |
from_kuid(&init_user_ns, aad(sa)->fs.ouid));
|
|
Goldwyn Rodrigues |
e310a9 |
}
|
|
Goldwyn Rodrigues |
e310a9 |
|
|
Goldwyn Rodrigues |
e310a9 |
- if (aad(sa)->fs.target) {
|
|
Goldwyn Rodrigues |
e310a9 |
+ if (aad(sa)->peer) {
|
|
Goldwyn Rodrigues |
e310a9 |
+ audit_log_format(ab, " target=");
|
|
Goldwyn Rodrigues |
e310a9 |
+ aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
|
|
Goldwyn Rodrigues |
e310a9 |
+ FLAG_VIEW_SUBNS, GFP_ATOMIC);
|
|
Goldwyn Rodrigues |
e310a9 |
+ } else if (aad(sa)->fs.target) {
|
|
Goldwyn Rodrigues |
e310a9 |
audit_log_format(ab, " target=");
|
|
Goldwyn Rodrigues |
e310a9 |
audit_log_untrustedstring(ab, aad(sa)->fs.target);
|
|
Goldwyn Rodrigues |
e310a9 |
}
|
|
Goldwyn Rodrigues |
e310a9 |
@@ -85,11 +89,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
|
|
Goldwyn Rodrigues |
e310a9 |
* aa_audit_file - handle the auditing of file operations
|
|
Goldwyn Rodrigues |
e310a9 |
* @profile: the profile being enforced (NOT NULL)
|
|
Goldwyn Rodrigues |
e310a9 |
* @perms: the permissions computed for the request (NOT NULL)
|
|
Goldwyn Rodrigues |
e310a9 |
- * @gfp: allocation flags
|
|
Goldwyn Rodrigues |
e310a9 |
* @op: operation being mediated
|
|
Goldwyn Rodrigues |
e310a9 |
* @request: permissions requested
|
|
Goldwyn Rodrigues |
e310a9 |
* @name: name of object being mediated (MAYBE NULL)
|
|
Goldwyn Rodrigues |
e310a9 |
* @target: name of target (MAYBE NULL)
|
|
Goldwyn Rodrigues |
e310a9 |
+ * @tlabel: target label (MAY BE NULL)
|
|
Goldwyn Rodrigues |
e310a9 |
* @ouid: object uid
|
|
Goldwyn Rodrigues |
e310a9 |
* @info: extra information message (MAYBE NULL)
|
|
Goldwyn Rodrigues |
e310a9 |
* @error: 0 if operation allowed else failure error code
|
|
Goldwyn Rodrigues |
e310a9 |
@@ -98,7 +102,8 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
|
|
Goldwyn Rodrigues |
e310a9 |
*/
|
|
Goldwyn Rodrigues |
e310a9 |
int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
|
|
Goldwyn Rodrigues |
e310a9 |
const char *op, u32 request, const char *name,
|
|
Goldwyn Rodrigues |
e310a9 |
- const char *target, kuid_t ouid, const char *info, int error)
|
|
Goldwyn Rodrigues |
e310a9 |
+ const char *target, struct aa_label *tlabel,
|
|
Goldwyn Rodrigues |
e310a9 |
+ kuid_t ouid, const char *info, int error)
|
|
Goldwyn Rodrigues |
e310a9 |
{
|
|
Goldwyn Rodrigues |
e310a9 |
int type = AUDIT_APPARMOR_AUTO;
|
|
Goldwyn Rodrigues |
e310a9 |
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_TASK, op);
|
|
Goldwyn Rodrigues |
e310a9 |
@@ -107,6 +112,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
|
|
Goldwyn Rodrigues |
e310a9 |
aad(&sa)->request = request;
|
|
Goldwyn Rodrigues |
e310a9 |
aad(&sa)->name = name;
|
|
Goldwyn Rodrigues |
e310a9 |
aad(&sa)->fs.target = target;
|
|
Goldwyn Rodrigues |
e310a9 |
+ aad(&sa)->peer = tlabel;
|
|
Goldwyn Rodrigues |
e310a9 |
aad(&sa)->fs.ouid = ouid;
|
|
Goldwyn Rodrigues |
e310a9 |
aad(&sa)->info = info;
|
|
Goldwyn Rodrigues |
e310a9 |
aad(&sa)->error = error;
|
|
Goldwyn Rodrigues |
e310a9 |
@@ -139,7 +145,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
|
|
Goldwyn Rodrigues |
e310a9 |
aad(&sa)->request &= ~perms->quiet;
|
|
Goldwyn Rodrigues |
e310a9 |
|
|
Goldwyn Rodrigues |
e310a9 |
if (!aad(&sa)->request)
|
|
Goldwyn Rodrigues |
e310a9 |
- return COMPLAIN_MODE(profile) ? 0 : aad(&sa)->error;
|
|
Goldwyn Rodrigues |
e310a9 |
+ return aad(&sa)->error;
|
|
Goldwyn Rodrigues |
e310a9 |
}
|
|
Goldwyn Rodrigues |
e310a9 |
|
|
Goldwyn Rodrigues |
e310a9 |
aad(&sa)->denied = aad(&sa)->request & ~perms->allow;
|
|
Goldwyn Rodrigues |
e310a9 |
@@ -295,7 +301,7 @@ int aa_path_perm(const char *op, struct aa_profile *profile,
|
|
Goldwyn Rodrigues |
e310a9 |
if (request & ~perms.allow)
|
|
Goldwyn Rodrigues |
e310a9 |
error = -EACCES;
|
|
Goldwyn Rodrigues |
e310a9 |
}
|
|
Goldwyn Rodrigues |
e310a9 |
- error = aa_audit_file(profile, &perms, op, request, name, NULL,
|
|
Goldwyn Rodrigues |
e310a9 |
+ error = aa_audit_file(profile, &perms, op, request, name, NULL, NULL,
|
|
Goldwyn Rodrigues |
e310a9 |
cond->uid, info, error);
|
|
Goldwyn Rodrigues |
e310a9 |
put_buffers(buffer);
|
|
Goldwyn Rodrigues |
e310a9 |
|
|
Goldwyn Rodrigues |
e310a9 |
@@ -425,7 +431,7 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
|
|
Goldwyn Rodrigues |
e310a9 |
|
|
Goldwyn Rodrigues |
e310a9 |
audit:
|
|
Goldwyn Rodrigues |
e310a9 |
error = aa_audit_file(profile, &lperms, OP_LINK, request,
|
|
Goldwyn Rodrigues |
e310a9 |
- lname, tname, cond.uid, info, error);
|
|
Goldwyn Rodrigues |
e310a9 |
+ lname, tname, NULL, cond.uid, info, error);
|
|
Goldwyn Rodrigues |
e310a9 |
put_buffers(buffer, buffer2);
|
|
Goldwyn Rodrigues |
e310a9 |
|
|
Goldwyn Rodrigues |
e310a9 |
return error;
|
|
Goldwyn Rodrigues |
e310a9 |
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
|
|
Goldwyn Rodrigues |
e310a9 |
index 415512771bff..7c6026460272 100644
|
|
Goldwyn Rodrigues |
e310a9 |
--- a/security/apparmor/include/file.h
|
|
Goldwyn Rodrigues |
e310a9 |
+++ b/security/apparmor/include/file.h
|
|
Goldwyn Rodrigues |
e310a9 |
@@ -162,7 +162,8 @@ static inline u16 dfa_map_xindex(u16 mask)
|
|
Goldwyn Rodrigues |
e310a9 |
|
|
Goldwyn Rodrigues |
e310a9 |
int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
|
|
Goldwyn Rodrigues |
e310a9 |
const char *op, u32 request, const char *name,
|
|
Goldwyn Rodrigues |
e310a9 |
- const char *target, kuid_t ouid, const char *info, int error);
|
|
Goldwyn Rodrigues |
e310a9 |
+ const char *target, struct aa_label *tlabel, kuid_t ouid,
|
|
Goldwyn Rodrigues |
e310a9 |
+ const char *info, int error);
|
|
Goldwyn Rodrigues |
e310a9 |
|
|
Goldwyn Rodrigues |
e310a9 |
/**
|
|
Goldwyn Rodrigues |
e310a9 |
* struct aa_file_rules - components used for file rule permissions
|
|
Goldwyn Rodrigues |
e310a9 |
--
|
|
Goldwyn Rodrigues |
e310a9 |
2.12.3
|
|
Goldwyn Rodrigues |
e310a9 |
|