Commit
92b6d8ef
authored
Jan 16, 2017
by
John Johansen
apparmor: allow ns visibility question to consider subnses
Signed-off-by:
John Johansen
<
john.johansen@canonical.com
>
parent
31617ddf
Showing
4 changed files
with
14 additions
and
8 deletions
+14
-8
security/apparmor/apparmorfs.c
security/apparmor/apparmorfs.c
+1
-1
security/apparmor/include/policy_ns.h
security/apparmor/include/policy_ns.h
+2
-2
security/apparmor/policy_ns.c
security/apparmor/policy_ns.c
+9
-3
security/apparmor/procattr.c
security/apparmor/procattr.c
+2
-2
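--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -750,7 +750,7 @@ static int seq_show_profile(struct seq_file *f, void *p)
 	struct aa_ns *root = f->private;
 	if (profile->ns != root)
-		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
+		seq_printf(f, ":%s://", aa_ns_name(root, profile->ns, true));
 	seq_printf(f, "%s (%s)\n", profile->base.hname,
 		   aa_profile_mode_names[profile->mode]);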
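Review bot: The bare `true` in the new `aa_ns_name(root, profile->ns, true)` call gives a reader no hint what question it answers, and the same applies to the two updated call sites in procattr.c (`aa_ns_visible(current_ns, ns, true)` and `aa_ns_name(current_ns, ns, true)`). A short comment at the call keeps the meaning local, e.g. `/* subns = true: child namespaces are allowed to be displayed */`, or a named constant in policy_ns.h would let the call sites read without consulting the definition. As far as this commit shows, every caller passes `true`, so the output of seq_show_profile and aa_getprocattr should be unchanged by the commit. seq_show_profile begins before the hunk and its remaining lines are outside it.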
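--- a/security/apparmor/include/policy_ns.h
+++ b/security/apparmor/include/policy_ns.h
@@ -74,8 +74,8 @@ extern struct aa_ns *root_ns;
 extern const char *aa_hidden_ns_name;
-bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view);
-const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child);
+bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns);
+const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child, bool subns);
 void aa_free_ns(struct aa_ns *ns);
 int aa_alloc_root_ns(void);
 void aa_free_root_ns(void);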
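--- a/security/apparmor/policy_ns.c
+++ b/security/apparmor/policy_ns.c
@@ -33,18 +33,23 @@ const char *aa_hidden_ns_name = "---";
  * aa_ns_visible - test if @view is visible from @curr
  * @curr: namespace to treat as the parent (NOT NULL)
  * @view: namespace to test if visible from @curr (NOT NULL)
+ * @subns: whether view of a subns is allowed
  *
  * Returns: true if @view is visible from @curr else false
  */
-bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view)
+bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns)
 {
 	if (curr == view)
 		return true;
+	if (!subns)
+		return false;
 	for ( ; view; view = view->parent) {
 		if (view->parent == curr)
 			return true;
 	}
 	return false;
 }
@@ -52,16 +57,17 @@ bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view)
  * aa_na_name - Find the ns name to display for @view from @curr
  * @curr - current namespace (NOT NULL)
  * @view - namespace attempting to view (NOT NULL)
+ * @subns - are subns visible
  *
  * Returns: name of @view visible from @curr
  */
-const char *aa_ns_name(struct aa_ns *curr, struct aa_ns *view)
+const char *aa_ns_name(struct aa_ns *curr, struct aa_ns *view, bool subns)
 {
 	/* if view == curr then the namespace name isn't displayed */
 	if (curr == view)
 		return "";
-	if (aa_ns_visible(curr, view)) {
+	if (aa_ns_visible(curr, view, subns)) {
 		/* at this point if a ns is visible it is in a view ns
 		 * thus the curr ns.hname is a prefix of its name.
 		 * Only output the virtualized portion of the name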
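Review bot: The new doc line `* @subns - are subns visible` in the aa_ns_name header uses the dash form and a different wording from the line added a few lines earlier for aa_ns_visible, `* @subns: whether view of a subns is allowed`; kernel-doc expects the colon form, so using that second wording in both places would render and read consistently. While touching that header, its title line `aa_na_name` is a typo for `aa_ns_name`. The added `if (!subns) return false;` in aa_ns_visible correctly restricts the answer to an exact namespace match, but no call site updated in this commit passes `false`, so that branch is unexercised until a caller is added; a sentence in the aa_ns_visible doc saying that `subns = false` means only `@curr` itself is visible would make the contract explicit. The body of aa_ns_name continues past the end of the second hunk.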
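--- a/security/apparmor/procattr.c
+++ b/security/apparmor/procattr.c
@@ -44,10 +44,10 @@ int aa_getprocattr(struct aa_profile *profile, char **string)
 	struct aa_ns *current_ns = __aa_current_profile()->ns;
 	char *s;
-	if (!aa_ns_visible(current_ns, ns))
+	if (!aa_ns_visible(current_ns, ns, true))
 		return -EACCES;
-	ns_name = aa_ns_name(current_ns, ns);
+	ns_name = aa_ns_name(current_ns, ns, true);
 	ns_len = strlen(ns_name);
 	/* if the visible ns_name is > 0 increase size for : :// seperator */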