From: Jeff Mahoney <jeffm@suse.com>
Subject: apparmor: update apparmor-basic-networking-rules for 4.11-rc1
Patch-mainline: depends on apparmor-basic-networking-rules.patch
References: FATE#300516
4.11-rc1 changed op from an index into an array of strings to the strings
themselves.
It also renamed: OP_SOCK_SHUTDOWN to OP_SHUTDOWN and
common_audit_data.aad to common_audit_data.apparmor_audit_data and removed
the gfp_t parameter from aa_audit.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
security/apparmor/include/net.h | 4 ++--
security/apparmor/lsm.c | 2 +-
security/apparmor/net.c | 40 +++++++++++++++++++++-------------------
3 files changed, 24 insertions(+), 22 deletions(-)
--- a/security/apparmor/include/net.h
+++ b/security/apparmor/include/net.h
@@ -32,9 +32,9 @@ struct aa_net {
extern struct aa_fs_entry aa_fs_entry_network[];
-extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
+extern int aa_net_perm(const char *op, struct aa_profile *profile, u16 family,
int type, int protocol, struct sock *sk);
-extern int aa_revalidate_sk(int op, struct sock *sk);
+extern int aa_revalidate_sk(const char *op, struct sock *sk);
static inline void aa_free_net_rules(struct aa_net *new)
{
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -683,7 +683,7 @@ static int apparmor_socket_shutdown(stru
{
struct sock *sk = sock->sk;
- return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
+ return aa_revalidate_sk(OP_SHUTDOWN, sk);
}
static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
--- a/security/apparmor/net.c
+++ b/security/apparmor/net.c
@@ -37,12 +37,12 @@ static void audit_cb(struct audit_buffer
audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
}
audit_log_format(ab, " sock_type=");
- if (sock_type_names[sa->aad->net.type]) {
- audit_log_string(ab, sock_type_names[sa->aad->net.type]);
+ if (sock_type_names[aad(sa)->net.type]) {
+ audit_log_string(ab, sock_type_names[aad(sa)->net.type]);
} else {
- audit_log_format(ab, "\"unknown(%d)\"", sa->aad->net.type);
+ audit_log_format(ab, "\"unknown(%d)\"", aad(sa)->net.type);
}
- audit_log_format(ab, " protocol=%d", sa->aad->net.protocol);
+ audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);
}
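Review bot: `sock_type_names[aad(sa)->net.type]` is indexed with no range check before the lookup, both in the `if` and in the `audit_log_string` call; the value presumably comes from the socket hooks and is validated by the socket core before the LSM hook runs, but nothing in this function enforces that, and an out-of-range type would read past the table rather than hit the `"unknown(%d)"` fallback. If the table is sized to SOCK_MAX, a guard such as `if (aad(sa)->net.type < ARRAY_SIZE(sock_type_names) && sock_type_names[aad(sa)->net.type])` makes the fallback branch actually reachable for bad values at no cost. audit_cb begins above this hunk, so the family lookup at its top may have the same shape.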
/**
@@ -57,8 +57,9 @@ static void audit_cb(struct audit_buffer
*
* Returns: %0 or sa->error else other errorcode on failure
*/
-static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
- int protocol, struct sock *sk, int error)
+static int audit_net(struct aa_profile *profile, const char *op,
+ u16 family, int type, int protocol,
+ struct sock *sk, int error)
{
int audit_type = AUDIT_APPARMOR_AUTO;
struct common_audit_data sa;
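Review bot: The kernel-doc block for audit_net sits above this hunk and its `@op:` line is not visible here; since `op` is now a `const char *` rather than an index, that line should be checked and, if it still describes an index, changed to something like `@op: operation name string being audited`. The rest of audit_net continues in the following hunks.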
@@ -70,25 +71,26 @@ static int audit_net(struct aa_profile *
sa.type = LSM_AUDIT_DATA_NONE;
}
/* todo fill in socket addr info */
- sa.aad = &aad;
+
+ aad(&sa) = &aad;
sa.u.net = &net;
- sa.aad->op = op,
+ aad(&sa)->op = op,
sa.u.net->family = family;
sa.u.net->sk = sk;
- sa.aad->net.type = type;
- sa.aad->net.protocol = protocol;
- sa.aad->error = error;
+ aad(&sa)->net.type = type;
+ aad(&sa)->net.protocol = protocol;
+ aad(&sa)->error = error;
- if (likely(!sa.aad->error)) {
+ if (likely(!aad(&sa)->error)) {
u16 audit_mask = profile->net.audit[sa.u.net->family];
if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
- !(1 << sa.aad->net.type & audit_mask)))
+ !(1 << aad(&sa)->net.type & audit_mask)))
return 0;
audit_type = AUDIT_APPARMOR_AUDIT;
} else {
u16 quiet_mask = profile->net.quiet[sa.u.net->family];
u16 kill_mask = 0;
- u16 denied = (1 << sa.aad->net.type);
+ u16 denied = (1 << aad(&sa)->net.type) & ~quiet_mask;
if (denied & kill_mask)
audit_type = AUDIT_APPARMOR_KILL;
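Review bot: The new line `u16 denied = (1 << aad(&sa)->net.type) & ~quiet_mask;` strips the quiet bits out of `denied`, so the `(denied & quiet_mask)` test that follows in the next hunk can never be true and the quiet-mask early return becomes dead code: every denied socket operation covered by the profile's quiet mask will now be audited. That is a behaviour change the commit message does not mention (it describes only the op-type and API renames), so unless it is intentional the line should stay as the old side had it, `u16 denied = (1 << aad(&sa)->net.type);`, and if masking was the goal the quiet check below must be reworked in the same patch rather than left testing bits that were just cleared. Separately, `aad(&sa)->op = op,` ends in a comma rather than a semicolon; it compiles as a comma expression with the following assignment but reads as a typo and should be `aad(&sa)->op = op;`. Note also that `kill_mask` is a constant 0 on the context line above, so the KILL branch is unreachable — pre-existing, but worth a comment if it is a placeholder.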
@@ -96,10 +98,10 @@ static int audit_net(struct aa_profile *
if ((denied & quiet_mask) &&
AUDIT_MODE(profile) != AUDIT_NOQUIET &&
AUDIT_MODE(profile) != AUDIT_ALL)
- return COMPLAIN_MODE(profile) ? 0 : sa.aad->error;
+ return COMPLAIN_MODE(profile) ? 0 : aad(&sa)->error;
}
- return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
+ return aa_audit(audit_type, profile, &sa, audit_cb);
}
/**
@@ -112,8 +114,8 @@ static int audit_net(struct aa_profile *
*
* Returns: %0 else error if permission denied
*/
-int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
- int protocol, struct sock *sk)
+int aa_net_perm(const char *op, struct aa_profile *profile, u16 family,
+ int type, int protocol, struct sock *sk)
{
u16 family_mask;
int error;
@@ -142,7 +144,7 @@ int aa_net_perm(int op, struct aa_profil
*
* Returns: %0 else error if permission denied
*/
-int aa_revalidate_sk(int op, struct sock *sk)
+int aa_revalidate_sk(const char *op, struct sock *sk)
{
struct aa_profile *profile;
int error = 0;