kernel / kernel-source

Clone
Source Code
GIT

Files

  1.   07d5db05cd6058a13afaa801d110a4206abdd0a5
  2.   patches.apparmor
  3.   apparmor-basic-networking-rules-4.11-rc1.patch
Blob Blame History Raw 
From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: update apparmor-basic-networking-rules for 4.11-rc1
Patch-mainline: depends on apparmor-basic-networking-rules.patch
References: FATE#300516

4.11-rc1 changed op from a index into an array of strings to the strings
themselves.

It also renamed: OP_SOCK_SHUTDOWN to OP_SHUTDOWN and
common_audit_data.aad to common_audit_data.apparmor_audit_data and removed
the gfp_t parameter from aa_audit.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
 security/apparmor/include/net.h |    4 ++--
 security/apparmor/lsm.c         |    2 +-
 security/apparmor/net.c         |   40 +++++++++++++++++++++-------------------
 3 files changed, 24 insertions(+), 22 deletions(-)

--- a/security/apparmor/include/net.h
+++ b/security/apparmor/include/net.h
@@ -32,9 +32,9 @@ struct aa_net {
 
 extern struct aa_fs_entry aa_fs_entry_network[];
 
-extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
+extern int aa_net_perm(const char *op, struct aa_profile *profile, u16 family,
 		       int type, int protocol, struct sock *sk);
-extern int aa_revalidate_sk(int op, struct sock *sk);
+extern int aa_revalidate_sk(const char *op, struct sock *sk);
 
 static inline void aa_free_net_rules(struct aa_net *new)
 {
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -683,7 +683,7 @@ static int apparmor_socket_shutdown(stru
 {
 	struct sock *sk = sock->sk;
 
-	return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
+	return aa_revalidate_sk(OP_SHUTDOWN, sk);
 }
 
 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
--- a/security/apparmor/net.c
+++ b/security/apparmor/net.c
@@ -37,12 +37,12 @@ static void audit_cb(struct audit_buffer
 		audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
 	}
 	audit_log_format(ab, " sock_type=");
-	if (sock_type_names[sa->aad->net.type]) {
-		audit_log_string(ab, sock_type_names[sa->aad->net.type]);
+	if (sock_type_names[aad(sa)->net.type]) {
+		audit_log_string(ab, sock_type_names[aad(sa)->net.type]);
 	} else {
-		audit_log_format(ab, "\"unknown(%d)\"", sa->aad->net.type);
+		audit_log_format(ab, "\"unknown(%d)\"", aad(sa)->net.type);
 	}
-	audit_log_format(ab, " protocol=%d", sa->aad->net.protocol);
+	audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);
 }
 
 /**
@@ -57,8 +57,9 @@ static void audit_cb(struct audit_buffer
  *
  * Returns: %0 or sa->error else other errorcode on failure
  */
-static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
-		     int protocol, struct sock *sk, int error)
+static int audit_net(struct aa_profile *profile, const char *op,
+		     u16 family, int type, int protocol,
+		     struct sock *sk, int error)
 {
 	int audit_type = AUDIT_APPARMOR_AUTO;
 	struct common_audit_data sa;
@@ -70,25 +71,26 @@ static int audit_net(struct aa_profile *
 		sa.type = LSM_AUDIT_DATA_NONE;
 	}
 	/* todo fill in socket addr info */
-	sa.aad = &aad;
+
+	aad(&sa) = &aad;
 	sa.u.net = &net;
-	sa.aad->op = op,
+	aad(&sa)->op = op,
 	sa.u.net->family = family;
 	sa.u.net->sk = sk;
-	sa.aad->net.type = type;
-	sa.aad->net.protocol = protocol;
-	sa.aad->error = error;
+	aad(&sa)->net.type = type;
+	aad(&sa)->net.protocol = protocol;
+	aad(&sa)->error = error;
 
-	if (likely(!sa.aad->error)) {
+	if (likely(!aad(&sa)->error)) {
 		u16 audit_mask = profile->net.audit[sa.u.net->family];
 		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
-			   !(1 << sa.aad->net.type & audit_mask)))
+			   !(1 << aad(&sa)->net.type & audit_mask)))
 			return 0;
 		audit_type = AUDIT_APPARMOR_AUDIT;
 	} else {
 		u16 quiet_mask = profile->net.quiet[sa.u.net->family];
 		u16 kill_mask = 0;
-		u16 denied = (1 << sa.aad->net.type);
+		u16 denied = (1 << aad(&sa)->net.type) & ~quiet_mask;
 
 		if (denied & kill_mask)
 			audit_type = AUDIT_APPARMOR_KILL;
@@ -96,10 +98,10 @@ static int audit_net(struct aa_profile *
 		if ((denied & quiet_mask) &&
 		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
 		    AUDIT_MODE(profile) != AUDIT_ALL)
-			return COMPLAIN_MODE(profile) ? 0 : sa.aad->error;
+			return COMPLAIN_MODE(profile) ? 0 : aad(&sa)->error;
 	}
 
-	return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
+	return aa_audit(audit_type, profile, &sa, audit_cb);
 }
 
 /**
@@ -112,8 +114,8 @@ static int audit_net(struct aa_profile *
  *
  * Returns: %0 else error if permission denied
  */
-int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
-		int protocol, struct sock *sk)
+int aa_net_perm(const char *op, struct aa_profile *profile, u16 family,
+		int type, int protocol, struct sock *sk)
 {
 	u16 family_mask;
 	int error;
@@ -142,7 +144,7 @@ int aa_net_perm(int op, struct aa_profil
  *
  * Returns: %0 else error if permission denied
  */
-int aa_revalidate_sk(int op, struct sock *sk)
+int aa_revalidate_sk(const char *op, struct sock *sk)
 {
 	struct aa_profile *profile;
 	int error = 0;
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.