Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
linux
Commits
e53cfe6c
Commit
e53cfe6c
authored
May 26, 2017
by
John Johansen
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
apparmor: rework perm mapping to a slightly broader set
Signed-off-by:
John Johansen
<
john.johansen@canonical.com
>
parent
fc7e0b26
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
133 additions
and
53 deletions
+133
-53
security/apparmor/file.c
security/apparmor/file.c
+16
-27
security/apparmor/include/file.h
security/apparmor/include/file.h
+3
-2
security/apparmor/include/perms.h
security/apparmor/include/perms.h
+50
-19
security/apparmor/lib.c
security/apparmor/lib.c
+59
-0
security/apparmor/lsm.c
security/apparmor/lsm.c
+5
-5
No files found.
security/apparmor/file.c
View file @
e53cfe6c
...
@@ -21,6 +21,17 @@
...
@@ -21,6 +21,17 @@
struct
file_perms
nullperms
;
struct
file_perms
nullperms
;
static
u32
map_mask_to_chr_mask
(
u32
mask
)
{
u32
m
=
mask
&
PERMS_CHRS_MASK
;
if
(
mask
&
AA_MAY_GETATTR
)
m
|=
MAY_READ
;
if
(
mask
&
(
AA_MAY_SETATTR
|
AA_MAY_CHMOD
|
AA_MAY_CHOWN
))
m
|=
MAY_WRITE
;
return
m
;
}
/**
/**
* audit_file_mask - convert mask to permission string
* audit_file_mask - convert mask to permission string
...
@@ -31,29 +42,7 @@ static void audit_file_mask(struct audit_buffer *ab, u32 mask)
...
@@ -31,29 +42,7 @@ static void audit_file_mask(struct audit_buffer *ab, u32 mask)
{
{
char
str
[
10
];
char
str
[
10
];
char
*
m
=
str
;
aa_perm_mask_to_str
(
str
,
aa_file_perm_chrs
,
map_mask_to_chr_mask
(
mask
));
if
(
mask
&
AA_EXEC_MMAP
)
*
m
++
=
'm'
;
if
(
mask
&
(
MAY_READ
|
AA_MAY_META_READ
))
*
m
++
=
'r'
;
if
(
mask
&
(
MAY_WRITE
|
AA_MAY_META_WRITE
|
AA_MAY_CHMOD
|
AA_MAY_CHOWN
))
*
m
++
=
'w'
;
else
if
(
mask
&
MAY_APPEND
)
*
m
++
=
'a'
;
if
(
mask
&
AA_MAY_CREATE
)
*
m
++
=
'c'
;
if
(
mask
&
AA_MAY_DELETE
)
*
m
++
=
'd'
;
if
(
mask
&
AA_MAY_LINK
)
*
m
++
=
'l'
;
if
(
mask
&
AA_MAY_LOCK
)
*
m
++
=
'k'
;
if
(
mask
&
MAY_EXEC
)
*
m
++
=
'x'
;
*
m
=
'\0'
;
audit_log_string
(
ab
,
str
);
audit_log_string
(
ab
,
str
);
}
}
...
@@ -163,10 +152,10 @@ static u32 map_old_perms(u32 old)
...
@@ -163,10 +152,10 @@ static u32 map_old_perms(u32 old)
{
{
u32
new
=
old
&
0xf
;
u32
new
=
old
&
0xf
;
if
(
old
&
MAY_READ
)
if
(
old
&
MAY_READ
)
new
|=
AA_MAY_
META_READ
;
new
|=
AA_MAY_
GETATTR
|
AA_MAY_OPEN
;
if
(
old
&
MAY_WRITE
)
if
(
old
&
MAY_WRITE
)
new
|=
AA_MAY_
META_WRITE
|
AA_MAY_CREATE
|
AA_MAY_DELETE
|
new
|=
AA_MAY_
SETATTR
|
AA_MAY_CREATE
|
AA_MAY_DELETE
|
AA_MAY_CHMOD
|
AA_MAY_CHOW
N
;
AA_MAY_CHMOD
|
AA_MAY_CHOWN
|
AA_MAY_OPE
N
;
if
(
old
&
0x10
)
if
(
old
&
0x10
)
new
|=
AA_MAY_LINK
;
new
|=
AA_MAY_LINK
;
/* the old mapping lock and link_subset flags where overlaid
/* the old mapping lock and link_subset flags where overlaid
...
@@ -214,7 +203,7 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
...
@@ -214,7 +203,7 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
perms
.
quiet
=
map_old_perms
(
dfa_other_quiet
(
dfa
,
state
));
perms
.
quiet
=
map_old_perms
(
dfa_other_quiet
(
dfa
,
state
));
perms
.
xindex
=
dfa_other_xindex
(
dfa
,
state
);
perms
.
xindex
=
dfa_other_xindex
(
dfa
,
state
);
}
}
perms
.
allow
|=
AA_MAY_
META_READ
;
perms
.
allow
|=
AA_MAY_
GETATTR
;
/* change_profile wasn't determined by ownership in old mapping */
/* change_profile wasn't determined by ownership in old mapping */
if
(
ACCEPT_TABLE
(
dfa
)[
state
]
&
0x80000000
)
if
(
ACCEPT_TABLE
(
dfa
)[
state
]
&
0x80000000
)
...
...
security/apparmor/include/file.h
View file @
e53cfe6c
...
@@ -22,10 +22,11 @@
...
@@ -22,10 +22,11 @@
struct
aa_profile
;
struct
aa_profile
;
struct
path
;
struct
path
;
#define mask_mode_t(X) (X & (MAY_EXEC | MAY_WRITE | MAY_READ | MAY_APPEND))
#define AA_AUDIT_FILE_MASK (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND |\
#define AA_AUDIT_FILE_MASK (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND |\
AA_MAY_CREATE | AA_MAY_DELETE | \
AA_MAY_CREATE | AA_MAY_DELETE | \
AA_MAY_
META_READ | AA_MAY_META_WRITE
| \
AA_MAY_
GETATTR | AA_MAY_SETATTR
| \
AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_LOCK | \
AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_LOCK | \
AA_EXEC_MMAP | AA_MAY_LINK)
AA_EXEC_MMAP | AA_MAY_LINK)
...
@@ -37,7 +38,7 @@ struct path;
...
@@ -37,7 +38,7 @@ struct path;
* ctx struct will expand in the future so we keep the struct.
* ctx struct will expand in the future so we keep the struct.
*/
*/
struct
aa_file_ctx
{
struct
aa_file_ctx
{
u
16
allow
;
u
32
allow
;
};
};
/**
/**
...
...
security/apparmor/include/perms.h
View file @
e53cfe6c
...
@@ -16,25 +16,56 @@
...
@@ -16,25 +16,56 @@
#include <linux/fs.h>
#include <linux/fs.h>
/*
#define AA_MAY_EXEC MAY_EXEC
* We use MAY_EXEC, MAY_WRITE, MAY_READ, MAY_APPEND and the following flags
#define AA_MAY_WRITE MAY_WRITE
* for profile permissions
#define AA_MAY_READ MAY_READ
*/
#define AA_MAY_APPEND MAY_APPEND
#define AA_MAY_CREATE 0x0010
#define AA_MAY_DELETE 0x0020
#define AA_MAY_CREATE 0x0010
#define AA_MAY_META_WRITE 0x0040
#define AA_MAY_DELETE 0x0020
#define AA_MAY_META_READ 0x0080
#define AA_MAY_OPEN 0x0040
#define AA_MAY_RENAME 0x0080
/* pair */
#define AA_MAY_CHMOD 0x0100
#define AA_MAY_CHOWN 0x0200
#define AA_MAY_SETATTR 0x0100
/* meta write */
#define AA_MAY_LOCK 0x0400
#define AA_MAY_GETATTR 0x0200
/* meta read */
#define AA_EXEC_MMAP 0x0800
#define AA_MAY_SETCRED 0x0400
/* security cred/attr */
#define AA_MAY_GETCRED 0x0800
#define AA_MAY_LINK 0x1000
#define AA_LINK_SUBSET AA_MAY_LOCK
/* overlaid */
#define AA_MAY_CHMOD 0x1000
/* pair */
#define AA_MAY_ONEXEC 0x40000000
/* exec allows onexec */
#define AA_MAY_CHOWN 0x2000
/* pair */
#define AA_MAY_CHANGE_PROFILE 0x80000000
#define AA_MAY_CHGRP 0x4000
/* pair */
#define AA_MAY_CHANGEHAT 0x80000000
/* ctrl auditing only */
#define AA_MAY_LOCK 0x8000
/* LINK_SUBSET overlaid */
#define AA_EXEC_MMAP 0x00010000
#define AA_MAY_MPROT 0x00020000
/* extend conditions */
#define AA_MAY_LINK 0x00040000
/* pair */
#define AA_MAY_SNAPSHOT 0x00080000
/* pair */
#define AA_MAY_DELEGATE
#define AA_CONT_MATCH 0x08000000
#define AA_MAY_STACK 0x10000000
#define AA_MAY_ONEXEC 0x20000000
/* either stack or change_profile */
#define AA_MAY_CHANGE_PROFILE 0x40000000
#define AA_MAY_CHANGEHAT 0x80000000
#define AA_LINK_SUBSET AA_MAY_LOCK
/* overlaid */
#define PERMS_CHRS_MASK (MAY_READ | MAY_WRITE | AA_MAY_CREATE | \
AA_MAY_DELETE | AA_MAY_LINK | AA_MAY_LOCK | \
AA_MAY_EXEC | AA_EXEC_MMAP | AA_MAY_APPEND)
#define PERMS_NAMES_MASK (PERMS_CHRS_MASK | AA_MAY_OPEN | AA_MAY_RENAME | \
AA_MAY_SETATTR | AA_MAY_GETATTR | AA_MAY_SETCRED | \
AA_MAY_GETCRED | AA_MAY_CHMOD | AA_MAY_CHOWN | \
AA_MAY_CHGRP | AA_MAY_MPROT | AA_MAY_SNAPSHOT | \
AA_MAY_STACK | AA_MAY_ONEXEC | \
AA_MAY_CHANGE_PROFILE | AA_MAY_CHANGEHAT)
extern
const
char
aa_file_perm_chrs
[];
extern
const
char
*
aa_file_perm_names
[];
void
aa_perm_mask_to_str
(
char
*
str
,
const
char
*
chrs
,
u32
mask
);
#endif
/* __AA_PERM_H */
#endif
/* __AA_PERM_H */
security/apparmor/lib.c
View file @
e53cfe6c
...
@@ -129,6 +129,65 @@ void aa_info_message(const char *str)
...
@@ -129,6 +129,65 @@ void aa_info_message(const char *str)
printk
(
KERN_INFO
"AppArmor: %s
\n
"
,
str
);
printk
(
KERN_INFO
"AppArmor: %s
\n
"
,
str
);
}
}
const
char
aa_file_perm_chrs
[]
=
"xwracd km l "
;
const
char
*
aa_file_perm_names
[]
=
{
"exec"
,
"write"
,
"read"
,
"append"
,
"create"
,
"delete"
,
"open"
,
"rename"
,
"setattr"
,
"getattr"
,
"setcred"
,
"getcred"
,
"chmod"
,
"chown"
,
"chgrp"
,
"lock"
,
"mmap"
,
"mprot"
,
"link"
,
"snapshot"
,
"unknown"
,
"unknown"
,
"unknown"
,
"unknown"
,
"unknown"
,
"unknown"
,
"unknown"
,
"unknown"
,
"stack"
,
"change_onexec"
,
"change_profile"
,
"change_hat"
,
};
/**
* aa_perm_mask_to_str - convert a perm mask to its short string
* @str: character buffer to store string in (at least 10 characters)
* @mask: permission mask to convert
*/
void
aa_perm_mask_to_str
(
char
*
str
,
const
char
*
chrs
,
u32
mask
)
{
unsigned
int
i
,
perm
=
1
;
for
(
i
=
0
;
i
<
32
;
perm
<<=
1
,
i
++
)
{
if
(
mask
&
perm
)
*
str
++
=
chrs
[
i
];
}
*
str
=
'\0'
;
}
/**
/**
* aa_policy_init - initialize a policy structure
* aa_policy_init - initialize a policy structure
* @policy: policy to initialize (NOT NULL)
* @policy: policy to initialize (NOT NULL)
...
...
security/apparmor/lsm.c
View file @
e53cfe6c
...
@@ -278,7 +278,7 @@ static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
...
@@ -278,7 +278,7 @@ static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
static
int
apparmor_path_truncate
(
const
struct
path
*
path
)
static
int
apparmor_path_truncate
(
const
struct
path
*
path
)
{
{
return
common_perm_cond
(
OP_TRUNC
,
path
,
MAY_WRITE
|
AA_MAY_
META_WRITE
);
return
common_perm_cond
(
OP_TRUNC
,
path
,
MAY_WRITE
|
AA_MAY_
SETATTR
);
}
}
static
int
apparmor_path_symlink
(
const
struct
path
*
dir
,
struct
dentry
*
dentry
,
static
int
apparmor_path_symlink
(
const
struct
path
*
dir
,
struct
dentry
*
dentry
,
...
@@ -323,12 +323,12 @@ static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_d
...
@@ -323,12 +323,12 @@ static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_d
};
};
error
=
aa_path_perm
(
OP_RENAME_SRC
,
profile
,
&
old_path
,
0
,
error
=
aa_path_perm
(
OP_RENAME_SRC
,
profile
,
&
old_path
,
0
,
MAY_READ
|
AA_MAY_
META_READ
|
MAY_WRITE
|
MAY_READ
|
AA_MAY_
GETATTR
|
MAY_WRITE
|
AA_MAY_
META_WRITE
|
AA_MAY_DELETE
,
AA_MAY_
SETATTR
|
AA_MAY_DELETE
,
&
cond
);
&
cond
);
if
(
!
error
)
if
(
!
error
)
error
=
aa_path_perm
(
OP_RENAME_DEST
,
profile
,
&
new_path
,
error
=
aa_path_perm
(
OP_RENAME_DEST
,
profile
,
&
new_path
,
0
,
MAY_WRITE
|
AA_MAY_
META_WRITE
|
0
,
MAY_WRITE
|
AA_MAY_
SETATTR
|
AA_MAY_CREATE
,
&
cond
);
AA_MAY_CREATE
,
&
cond
);
}
}
...
@@ -347,7 +347,7 @@ static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
...
@@ -347,7 +347,7 @@ static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
static
int
apparmor_inode_getattr
(
const
struct
path
*
path
)
static
int
apparmor_inode_getattr
(
const
struct
path
*
path
)
{
{
return
common_perm_cond
(
OP_GETATTR
,
path
,
AA_MAY_
META_READ
);
return
common_perm_cond
(
OP_GETATTR
,
path
,
AA_MAY_
GETATTR
);
}
}
static
int
apparmor_file_open
(
struct
file
*
file
,
const
struct
cred
*
cred
)
static
int
apparmor_file_open
(
struct
file
*
file
,
const
struct
cred
*
cred
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment