Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
317d9a05
Commit
317d9a05
authored
Jun 09, 2017
by
John Johansen
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
apparmor: update query interface to support label queries
Signed-off-by:
John Johansen
<
john.johansen@canonical.com
>
parent
76a1d263
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
39 additions
and
7 deletions
+39
-7
security/apparmor/apparmorfs.c
security/apparmor/apparmorfs.c
+39
-7
No files found.
security/apparmor/apparmorfs.c
View file @
317d9a05
...
@@ -33,6 +33,7 @@
...
@@ -33,6 +33,7 @@
#include "include/context.h"
#include "include/context.h"
#include "include/crypto.h"
#include "include/crypto.h"
#include "include/policy_ns.h"
#include "include/policy_ns.h"
#include "include/label.h"
#include "include/policy.h"
#include "include/policy.h"
#include "include/policy_ns.h"
#include "include/policy_ns.h"
#include "include/resource.h"
#include "include/resource.h"
...
@@ -629,6 +630,7 @@ static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
...
@@ -629,6 +630,7 @@ static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
tmp
=
nullperms
;
tmp
=
nullperms
;
}
}
aa_apply_modes_to_perms
(
profile
,
&
tmp
);
aa_apply_modes_to_perms
(
profile
,
&
tmp
);
aa_perms_accum_raw
(
perms
,
&
tmp
);
}
}
...
@@ -655,7 +657,9 @@ static ssize_t query_data(char *buf, size_t buf_len,
...
@@ -655,7 +657,9 @@ static ssize_t query_data(char *buf, size_t buf_len,
{
{
char
*
out
;
char
*
out
;
const
char
*
key
;
const
char
*
key
;
struct
label_it
i
;
struct
aa_label
*
label
,
*
curr
;
struct
aa_label
*
label
,
*
curr
;
struct
aa_profile
*
profile
;
struct
aa_data
*
data
;
struct
aa_data
*
data
;
u32
bytes
,
blocks
;
u32
bytes
,
blocks
;
__le32
outle32
;
__le32
outle32
;
...
@@ -690,13 +694,16 @@ static ssize_t query_data(char *buf, size_t buf_len,
...
@@ -690,13 +694,16 @@ static ssize_t query_data(char *buf, size_t buf_len,
out
=
buf
+
sizeof
(
bytes
)
+
sizeof
(
blocks
);
out
=
buf
+
sizeof
(
bytes
)
+
sizeof
(
blocks
);
blocks
=
0
;
blocks
=
0
;
if
(
labels_profile
(
label
)
->
data
)
{
label_for_each_confined
(
i
,
label
,
profile
)
{
data
=
rhashtable_lookup_fast
(
labels_profile
(
label
)
->
data
,
&
key
,
if
(
!
profile
->
data
)
labels_profile
(
label
)
->
data
->
p
);
continue
;
data
=
rhashtable_lookup_fast
(
profile
->
data
,
&
key
,
profile
->
data
->
p
);
if
(
data
)
{
if
(
data
)
{
if
(
out
+
sizeof
(
outle32
)
+
data
->
size
>
if
(
out
+
sizeof
(
outle32
)
+
data
->
size
>
buf
+
buf
+
buf
_len
)
{
buf_len
)
{
aa_put_label
(
label
);
aa_put_label
(
label
);
return
-
EINVAL
;
/* not enough space */
return
-
EINVAL
;
/* not enough space */
}
}
...
@@ -741,10 +748,12 @@ static ssize_t query_data(char *buf, size_t buf_len,
...
@@ -741,10 +748,12 @@ static ssize_t query_data(char *buf, size_t buf_len,
static
ssize_t
query_label
(
char
*
buf
,
size_t
buf_len
,
static
ssize_t
query_label
(
char
*
buf
,
size_t
buf_len
,
char
*
query
,
size_t
query_len
,
bool
view_only
)
char
*
query
,
size_t
query_len
,
bool
view_only
)
{
{
struct
aa_profile
*
profile
;
struct
aa_label
*
label
,
*
curr
;
struct
aa_label
*
label
,
*
curr
;
char
*
label_name
,
*
match_str
;
char
*
label_name
,
*
match_str
;
size_t
label_name_len
,
match_len
;
size_t
label_name_len
,
match_len
;
struct
aa_perms
perms
;
struct
aa_perms
perms
;
struct
label_it
i
;
if
(
!
query_len
)
if
(
!
query_len
)
return
-
EINVAL
;
return
-
EINVAL
;
...
@@ -770,7 +779,16 @@ static ssize_t query_label(char *buf, size_t buf_len,
...
@@ -770,7 +779,16 @@ static ssize_t query_label(char *buf, size_t buf_len,
return
PTR_ERR
(
label
);
return
PTR_ERR
(
label
);
perms
=
allperms
;
perms
=
allperms
;
profile_query_cb
(
labels_profile
(
label
),
&
perms
,
match_str
,
match_len
);
if
(
view_only
)
{
label_for_each_in_ns
(
i
,
labels_ns
(
label
),
label
,
profile
)
{
profile_query_cb
(
profile
,
&
perms
,
match_str
,
match_len
);
}
}
else
{
label_for_each
(
i
,
label
,
profile
)
{
profile_query_cb
(
profile
,
&
perms
,
match_str
,
match_len
);
}
}
aa_put_label
(
label
);
return
scnprintf
(
buf
,
buf_len
,
return
scnprintf
(
buf
,
buf_len
,
"allow 0x%08x
\n
deny 0x%08x
\n
audit 0x%08x
\n
quiet 0x%08x
\n
"
,
"allow 0x%08x
\n
deny 0x%08x
\n
audit 0x%08x
\n
quiet 0x%08x
\n
"
,
...
@@ -877,9 +895,12 @@ static int multi_transaction_release(struct inode *inode, struct file *file)
...
@@ -877,9 +895,12 @@ static int multi_transaction_release(struct inode *inode, struct file *file)
return
0
;
return
0
;
}
}
#define QUERY_CMD_LABEL "label\0"
#define QUERY_CMD_LABEL_LEN 6
#define QUERY_CMD_PROFILE "profile\0"
#define QUERY_CMD_PROFILE "profile\0"
#define QUERY_CMD_PROFILE_LEN 8
#define QUERY_CMD_PROFILE_LEN 8
#define QUERY_CMD_LABELALL "labelall\0"
#define QUERY_CMD_LABELALL_LEN 9
#define QUERY_CMD_DATA "data\0"
#define QUERY_CMD_DATA "data\0"
#define QUERY_CMD_DATA_LEN 5
#define QUERY_CMD_DATA_LEN 5
...
@@ -922,6 +943,17 @@ static ssize_t aa_write_access(struct file *file, const char __user *ubuf,
...
@@ -922,6 +943,17 @@ static ssize_t aa_write_access(struct file *file, const char __user *ubuf,
len
=
query_label
(
t
->
data
,
MULTI_TRANSACTION_LIMIT
,
len
=
query_label
(
t
->
data
,
MULTI_TRANSACTION_LIMIT
,
t
->
data
+
QUERY_CMD_PROFILE_LEN
,
t
->
data
+
QUERY_CMD_PROFILE_LEN
,
count
-
QUERY_CMD_PROFILE_LEN
,
true
);
count
-
QUERY_CMD_PROFILE_LEN
,
true
);
}
else
if
(
count
>
QUERY_CMD_LABEL_LEN
&&
!
memcmp
(
t
->
data
,
QUERY_CMD_LABEL
,
QUERY_CMD_LABEL_LEN
))
{
len
=
query_label
(
t
->
data
,
MULTI_TRANSACTION_LIMIT
,
t
->
data
+
QUERY_CMD_LABEL_LEN
,
count
-
QUERY_CMD_LABEL_LEN
,
true
);
}
else
if
(
count
>
QUERY_CMD_LABELALL_LEN
&&
!
memcmp
(
t
->
data
,
QUERY_CMD_LABELALL
,
QUERY_CMD_LABELALL_LEN
))
{
len
=
query_label
(
t
->
data
,
MULTI_TRANSACTION_LIMIT
,
t
->
data
+
QUERY_CMD_LABELALL_LEN
,
count
-
QUERY_CMD_LABELALL_LEN
,
false
);
}
else
if
(
count
>
QUERY_CMD_DATA_LEN
&&
}
else
if
(
count
>
QUERY_CMD_DATA_LEN
&&
!
memcmp
(
t
->
data
,
QUERY_CMD_DATA
,
QUERY_CMD_DATA_LEN
))
{
!
memcmp
(
t
->
data
,
QUERY_CMD_DATA
,
QUERY_CMD_DATA_LEN
))
{
len
=
query_data
(
t
->
data
,
MULTI_TRANSACTION_LIMIT
,
len
=
query_data
(
t
->
data
,
MULTI_TRANSACTION_LIMIT
,
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment