From 9f953bce43a028fa2b60531081f881a1c67197c6 Mon Sep 17 00:00:00 2001

From: John Johansen <john.johansen@canonical.com>

Date: Fri, 9 Jun 2017 15:48:20 -0700

Subject: [PATCH 53/65] apparmor: update aa_audit_file() to use labels

Git-commit: 98c3d182321d489d8bfaa596127020ec3027edb2

Patch-mainline: v4.13-rc1

References: FATE#323500

Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>

Signed-off-by: John Johansen <john.johansen@canonical.com>

---

 security/apparmor/domain.c       |  6 ++++--

 security/apparmor/file.c         | 18 ++++++++++++------

 security/apparmor/include/file.h |  3 ++-

 3 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c

index fab8923ae38e..896bca01828e 100644

--- a/security/apparmor/domain.c

+++ b/security/apparmor/domain.c

@@ -518,6 +518,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)

 audit:

 	error = aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name,

 			      new_profile ? new_profile->base.hname : NULL,

+			      new_profile ? &new_profile->label : NULL,

 			      cond.uid, info, error);

 cleanup:

@@ -694,7 +695,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)

 audit:

 	if (!(flags & AA_CHANGE_TEST))

 		error = aa_audit_file(profile, &perms, OP_CHANGE_HAT,

-				      AA_MAY_CHANGEHAT, NULL, target,

+				      AA_MAY_CHANGEHAT, NULL, target, NULL,

 				      GLOBAL_ROOT_UID, info, error);

 out:

@@ -802,7 +803,8 @@ int aa_change_profile(const char *fqname, int flags)

 audit:

 	if (!(flags & AA_CHANGE_TEST))

 		error = aa_audit_file(profile, &perms, op, request, NULL,

-				      fqname, GLOBAL_ROOT_UID, info, error);

+				      fqname, NULL, GLOBAL_ROOT_UID, info,

+				      error);

 	aa_put_profile(target);

 	aa_put_label(label);

diff --git a/security/apparmor/file.c b/security/apparmor/file.c

index c13e967137a8..a40bc1e276dc 100644

--- a/security/apparmor/file.c

+++ b/security/apparmor/file.c

@@ -75,7 +75,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)

 				 from_kuid(&init_user_ns, aad(sa)->fs.ouid));

 	}

-	if (aad(sa)->fs.target) {

+	if (aad(sa)->peer) {

+		audit_log_format(ab, " target=");

+		aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,

+				FLAG_VIEW_SUBNS, GFP_ATOMIC);

+	} else if (aad(sa)->fs.target) {

 		audit_log_format(ab, " target=");

 		audit_log_untrustedstring(ab, aad(sa)->fs.target);

 	}

@@ -85,11 +89,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)

  * aa_audit_file - handle the auditing of file operations

  * @profile: the profile being enforced  (NOT NULL)

  * @perms: the permissions computed for the request (NOT NULL)

- * @gfp: allocation flags

  * @op: operation being mediated

  * @request: permissions requested

  * @name: name of object being mediated (MAYBE NULL)

  * @target: name of target (MAYBE NULL)

+ * @tlabel: target label (MAY BE NULL)

  * @ouid: object uid

  * @info: extra information message (MAYBE NULL)

  * @error: 0 if operation allowed else failure error code

@@ -98,7 +102,8 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)

  */

 int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,

 		  const char *op, u32 request, const char *name,

-		  const char *target, kuid_t ouid, const char *info, int error)

+		  const char *target, struct aa_label *tlabel,

+		  kuid_t ouid, const char *info, int error)

 {

 	int type = AUDIT_APPARMOR_AUTO;

 	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_TASK, op);

@@ -107,6 +112,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,

 	aad(&sa)->request = request;

 	aad(&sa)->name = name;

 	aad(&sa)->fs.target = target;

+	aad(&sa)->peer = tlabel;

 	aad(&sa)->fs.ouid = ouid;

 	aad(&sa)->info = info;

 	aad(&sa)->error = error;

@@ -139,7 +145,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,

 			aad(&sa)->request &= ~perms->quiet;

 		if (!aad(&sa)->request)

-			return COMPLAIN_MODE(profile) ? 0 : aad(&sa)->error;

+			return aad(&sa)->error;

 	}

 	aad(&sa)->denied = aad(&sa)->request & ~perms->allow;

@@ -295,7 +301,7 @@ int aa_path_perm(const char *op, struct aa_profile *profile,

 		if (request & ~perms.allow)

 			error = -EACCES;

 	}

-	error = aa_audit_file(profile, &perms, op, request, name, NULL,

+	error = aa_audit_file(profile, &perms, op, request, name, NULL, NULL,

 			      cond->uid, info, error);

 	put_buffers(buffer);

@@ -425,7 +431,7 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,

 audit:

 	error = aa_audit_file(profile, &lperms, OP_LINK, request,

-			      lname, tname, cond.uid, info, error);

+			      lname, tname, NULL, cond.uid, info, error);

 	put_buffers(buffer, buffer2);

 	return error;

diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h

index 415512771bff..7c6026460272 100644

--- a/security/apparmor/include/file.h

+++ b/security/apparmor/include/file.h

@@ -162,7 +162,8 @@ static inline u16 dfa_map_xindex(u16 mask)

 int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,

 		  const char *op, u32 request, const char *name,

-		  const char *target, kuid_t ouid, const char *info, int error);

+		  const char *target, struct aa_label *tlabel, kuid_t ouid,

+		  const char *info, int error);

 /**

  * struct aa_file_rules - components used for file rule permissions

-- 

2.12.3