Commit 524d8e14 authored by John Johansen's avatar John Johansen

apparmor: disable showing the mode as part of a secid to secctx

Displaying the mode as part of the secctx takes up unnecessary memory,
makes it so we can't use a refcounted secctx (so we need to alloc/free on
every conversion from secid to secctx) and introduces a space that
could potentially be mishandled by tooling.

Eg. In an audit record we get

  subj_type=firefix (enforce)

Having the mode reported is not necessary, and might even be confusing
eg. when writing an audit rule to match the above record field you
would use

  -F subj_type=firefox

ie. the mode is not included. AppArmor provides ways to find the mode
without reporting as part of the secctx. So disable this by default
before its use is wide spread and we can't. For now we add a sysctl
to control the behavior as we can't guarantee no one is using this.
Acked-by: default avatarAndrea Righi <andrea.righi@canonical.com>
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent df439093
...@@ -21,6 +21,9 @@ struct aa_label; ...@@ -21,6 +21,9 @@ struct aa_label;
/* secid value that matches any other secid */ /* secid value that matches any other secid */
#define AA_SECID_WILDCARD 1 #define AA_SECID_WILDCARD 1
/* sysctl to enable displaying mode when converting secid to secctx */
extern int apparmor_display_secid_mode;
struct aa_label *aa_secid_to_label(u32 secid); struct aa_label *aa_secid_to_label(u32 secid);
int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
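Review bot: The comment on the new `extern int apparmor_display_secid_mode;` says what the knob enables but not its default or what values count as "on", and a reader of this header cannot see either: the definition and the sysctl entry live in other files of this commit. The only consumer tests it with `if (apparmor_display_secid_mode)`, so any non-zero value enables the mode and the zero-initialised definition makes it off by default. Suggest `/* sysctl: non-zero includes the profile mode in the secctx built from a secid; 0 (default) omits it */`.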
...@@ -1764,6 +1764,14 @@ static struct ctl_table apparmor_sysctl_table[] = { ...@@ -1764,6 +1764,14 @@ static struct ctl_table apparmor_sysctl_table[] = {
.mode = 0600, .mode = 0600,
.proc_handler = apparmor_dointvec, .proc_handler = apparmor_dointvec,
}, },
{
.procname = "apparmor_display_secid_mode",
.data = &apparmor_display_secid_mode,
.maxlen = sizeof(int),
.mode = 0600,
.proc_handler = apparmor_dointvec,
},
{ } { }
}; };
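Review bot: The new ctl_table entry accepts any int, while its only consumer (`if (apparmor_display_secid_mode)` in secid.c) treats it as a boolean, so writing 5 and writing 1 behave the same and a later read reports the raw value rather than 0/1. If a strict 0/1 knob is intended, bound it with `.extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE` and a min/max handler; `apparmor_dointvec` is defined outside the hunk, so whether it honours those bounds needs checking before relying on them. Otherwise a short comment on the entry stating that any non-zero value enables mode display would remove the ambiguity. The enclosing `apparmor_sysctl_table` begins before the hunk.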
...@@ -31,6 +31,8 @@ ...@@ -31,6 +31,8 @@
static DEFINE_XARRAY_FLAGS(aa_secids, XA_FLAGS_LOCK_IRQ | XA_FLAGS_TRACK_FREE); static DEFINE_XARRAY_FLAGS(aa_secids, XA_FLAGS_LOCK_IRQ | XA_FLAGS_TRACK_FREE);
int apparmor_display_secid_mode;
/* /*
* TODO: allow policy to reserve a secid range? * TODO: allow policy to reserve a secid range?
* TODO: add secid pinning * TODO: add secid pinning
...@@ -64,6 +66,7 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) ...@@ -64,6 +66,7 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{ {
/* TODO: cache secctx and ref count so we don't have to recreate */ /* TODO: cache secctx and ref count so we don't have to recreate */
struct aa_label *label = aa_secid_to_label(secid); struct aa_label *label = aa_secid_to_label(secid);
int flags = FLAG_VIEW_SUBNS | FLAG_HIDDEN_UNCONFINED | FLAG_ABS_ROOT;
int len; int len;
AA_BUG(!seclen); AA_BUG(!seclen);
...@@ -71,15 +74,15 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) ...@@ -71,15 +74,15 @@ int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
if (!label) if (!label)
return -EINVAL; return -EINVAL;
if (apparmor_display_secid_mode)
flags |= FLAG_SHOW_MODE;
if (secdata) if (secdata)
len = aa_label_asxprint(secdata, root_ns, label, len = aa_label_asxprint(secdata, root_ns, label,
FLAG_SHOW_MODE | FLAG_VIEW_SUBNS | flags, GFP_ATOMIC);
FLAG_HIDDEN_UNCONFINED | FLAG_ABS_ROOT,
GFP_ATOMIC);
else else
len = aa_label_snxprint(NULL, 0, root_ns, label, len = aa_label_snxprint(NULL, 0, root_ns, label, flags);
FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
FLAG_HIDDEN_UNCONFINED | FLAG_ABS_ROOT);
if (len < 0) if (len < 0)
return -ENOMEM; return -ENOMEM;