Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
linux
Commits
fc1c9fd1
Commit
fc1c9fd1
authored
Jan 16, 2017
by
John Johansen
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
apparmor: add ns name to the audit data for policy loads
Signed-off-by:
John Johansen
<
john.johansen@canonical.com
>
parent
078c73c6
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
25 additions
and
10 deletions
+25
-10
security/apparmor/include/audit.h
security/apparmor/include/audit.h
+1
-0
security/apparmor/policy.c
security/apparmor/policy.c
+24
-10
No files found.
security/apparmor/include/audit.h
View file @
fc1c9fd1
...
@@ -113,6 +113,7 @@ struct apparmor_audit_data {
...
@@ -113,6 +113,7 @@ struct apparmor_audit_data {
void
*
target
;
void
*
target
;
struct
{
struct
{
long
pos
;
long
pos
;
const
char
*
ns
;
void
*
target
;
void
*
target
;
}
iface
;
}
iface
;
struct
{
struct
{
...
...
security/apparmor/policy.c
View file @
fc1c9fd1
...
@@ -582,11 +582,23 @@ static int replacement_allowed(struct aa_profile *profile, int noreplace,
...
@@ -582,11 +582,23 @@ static int replacement_allowed(struct aa_profile *profile, int noreplace,
return
0
;
return
0
;
}
}
/* audit callback for net specific fields */
static
void
audit_cb
(
struct
audit_buffer
*
ab
,
void
*
va
)
{
struct
common_audit_data
*
sa
=
va
;
if
(
sa
->
aad
->
iface
.
ns
)
{
audit_log_format
(
ab
,
" ns="
);
audit_log_untrustedstring
(
ab
,
sa
->
aad
->
iface
.
ns
);
}
}
/**
/**
* aa_audit_policy - Do auditing of policy changes
* aa_audit_policy - Do auditing of policy changes
* @profile: profile to check if it can manage policy
* @profile: profile to check if it can manage policy
* @op: policy operation being performed
* @op: policy operation being performed
* @gfp: memory allocation flags
* @gfp: memory allocation flags
* @nsname: name of the ns being manipulated (MAY BE NULL)
* @name: name of profile being manipulated (NOT NULL)
* @name: name of profile being manipulated (NOT NULL)
* @info: any extra information to be audited (MAYBE NULL)
* @info: any extra information to be audited (MAYBE NULL)
* @error: error code
* @error: error code
...
@@ -594,19 +606,21 @@ static int replacement_allowed(struct aa_profile *profile, int noreplace,
...
@@ -594,19 +606,21 @@ static int replacement_allowed(struct aa_profile *profile, int noreplace,
* Returns: the error to be returned after audit is done
* Returns: the error to be returned after audit is done
*/
*/
static
int
audit_policy
(
struct
aa_profile
*
profile
,
int
op
,
gfp_t
gfp
,
static
int
audit_policy
(
struct
aa_profile
*
profile
,
int
op
,
gfp_t
gfp
,
const
char
*
name
,
const
char
*
info
,
int
error
)
const
char
*
nsname
,
const
char
*
name
,
const
char
*
info
,
int
error
)
{
{
struct
common_audit_data
sa
;
struct
common_audit_data
sa
;
struct
apparmor_audit_data
aad
=
{
0
,};
struct
apparmor_audit_data
aad
=
{
0
,};
sa
.
type
=
LSM_AUDIT_DATA_NONE
;
sa
.
type
=
LSM_AUDIT_DATA_NONE
;
sa
.
aad
=
&
aad
;
sa
.
aad
=
&
aad
;
aad
.
op
=
op
;
aad
.
op
=
op
;
aad
.
iface
.
ns
=
nsname
;
aad
.
name
=
name
;
aad
.
name
=
name
;
aad
.
info
=
info
;
aad
.
info
=
info
;
aad
.
error
=
error
;
aad
.
error
=
error
;
return
aa_audit
(
AUDIT_APPARMOR_STATUS
,
profile
,
gfp
,
return
aa_audit
(
AUDIT_APPARMOR_STATUS
,
profile
,
gfp
,
&
sa
,
NULL
);
&
sa
,
audit_cb
);
}
}
/**
/**
...
@@ -659,11 +673,11 @@ int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op)
...
@@ -659,11 +673,11 @@ int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op)
{
{
/* check if loading policy is locked out */
/* check if loading policy is locked out */
if
(
aa_g_lock_policy
)
if
(
aa_g_lock_policy
)
return
audit_policy
(
profile
,
op
,
GFP_KERNEL
,
NULL
,
return
audit_policy
(
profile
,
op
,
GFP_KERNEL
,
NULL
,
NULL
,
"policy_locked"
,
-
EACCES
);
"policy_locked"
,
-
EACCES
);
if
(
!
policy_admin_capable
(
ns
))
if
(
!
policy_admin_capable
(
ns
))
return
audit_policy
(
profile
,
op
,
GFP_KERNEL
,
NULL
,
return
audit_policy
(
profile
,
op
,
GFP_KERNEL
,
NULL
,
NULL
,
"not policy admin"
,
-
EACCES
);
"not policy admin"
,
-
EACCES
);
/* TODO: add fine grained mediation of policy loads */
/* TODO: add fine grained mediation of policy loads */
...
@@ -818,7 +832,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
...
@@ -818,7 +832,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
ns
=
aa_prepare_ns
(
view
,
ns_name
);
ns
=
aa_prepare_ns
(
view
,
ns_name
);
if
(
!
ns
)
{
if
(
!
ns
)
{
error
=
audit_policy
(
__aa_current_profile
(),
op
,
GFP_KERNEL
,
error
=
audit_policy
(
__aa_current_profile
(),
op
,
GFP_KERNEL
,
ns_name
,
NULL
,
ns_name
,
"failed to prepare namespace"
,
-
ENOMEM
);
"failed to prepare namespace"
,
-
ENOMEM
);
goto
free
;
goto
free
;
}
}
...
@@ -895,7 +909,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
...
@@ -895,7 +909,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
list_del_init
(
&
ent
->
list
);
list_del_init
(
&
ent
->
list
);
op
=
(
!
ent
->
old
&&
!
ent
->
rename
)
?
OP_PROF_LOAD
:
OP_PROF_REPL
;
op
=
(
!
ent
->
old
&&
!
ent
->
rename
)
?
OP_PROF_LOAD
:
OP_PROF_REPL
;
audit_policy
(
__aa_current_profile
(),
op
,
GFP_ATOMIC
,
audit_policy
(
__aa_current_profile
(),
op
,
GFP_ATOMIC
,
NULL
,
ent
->
new
->
base
.
hname
,
NULL
,
error
);
ent
->
new
->
base
.
hname
,
NULL
,
error
);
if
(
ent
->
old
)
{
if
(
ent
->
old
)
{
...
@@ -950,7 +964,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
...
@@ -950,7 +964,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
/* audit cause of failure */
/* audit cause of failure */
op
=
(
!
ent
->
old
)
?
OP_PROF_LOAD
:
OP_PROF_REPL
;
op
=
(
!
ent
->
old
)
?
OP_PROF_LOAD
:
OP_PROF_REPL
;
audit_policy
(
__aa_current_profile
(),
op
,
GFP_KERNEL
,
audit_policy
(
__aa_current_profile
(),
op
,
GFP_KERNEL
,
NULL
,
ent
->
new
->
base
.
hname
,
info
,
error
);
ent
->
new
->
base
.
hname
,
info
,
error
);
/* audit status that rest of profiles in the atomic set failed too */
/* audit status that rest of profiles in the atomic set failed too */
info
=
"valid profile in failed atomic policy load"
;
info
=
"valid profile in failed atomic policy load"
;
...
@@ -961,7 +975,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
...
@@ -961,7 +975,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
continue
;
continue
;
}
}
op
=
(
!
ent
->
old
)
?
OP_PROF_LOAD
:
OP_PROF_REPL
;
op
=
(
!
ent
->
old
)
?
OP_PROF_LOAD
:
OP_PROF_REPL
;
audit_policy
(
__aa_current_profile
(),
op
,
GFP_KERNEL
,
audit_policy
(
__aa_current_profile
(),
op
,
GFP_KERNEL
,
NULL
,
tmp
->
new
->
base
.
hname
,
info
,
error
);
tmp
->
new
->
base
.
hname
,
info
,
error
);
}
}
free:
free:
...
@@ -1036,7 +1050,7 @@ ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size)
...
@@ -1036,7 +1050,7 @@ ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size)
/* don't fail removal if audit fails */
/* don't fail removal if audit fails */
(
void
)
audit_policy
(
__aa_current_profile
(),
OP_PROF_RM
,
GFP_KERNEL
,
(
void
)
audit_policy
(
__aa_current_profile
(),
OP_PROF_RM
,
GFP_KERNEL
,
name
,
info
,
error
);
NULL
,
name
,
info
,
error
);
aa_put_ns
(
ns
);
aa_put_ns
(
ns
);
aa_put_profile
(
profile
);
aa_put_profile
(
profile
);
return
size
;
return
size
;
...
@@ -1047,6 +1061,6 @@ ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size)
...
@@ -1047,6 +1061,6 @@ ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size)
fail:
fail:
(
void
)
audit_policy
(
__aa_current_profile
(),
OP_PROF_RM
,
GFP_KERNEL
,
(
void
)
audit_policy
(
__aa_current_profile
(),
OP_PROF_RM
,
GFP_KERNEL
,
name
,
info
,
error
);
NULL
,
name
,
info
,
error
);
return
error
;
return
error
;
}
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment