Commit dd0c6e86 authored by John Johansen's avatar John Johansen

apparmor: fix capability to not use the current task, during reporting

Mediation is based off of the cred but auditing includes the current
task which may not be related to the actual request.
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 50b719f8
...@@ -53,8 +53,7 @@ static void audit_cb(struct audit_buffer *ab, void *va) ...@@ -53,8 +53,7 @@ static void audit_cb(struct audit_buffer *ab, void *va)
/** /**
* audit_caps - audit a capability * audit_caps - audit a capability
* @profile: profile confining task (NOT NULL) * @profile: profile being tested for confinement (NOT NULL)
* @task: task capability test was performed against (NOT NULL)
* @cap: capability tested * @cap: capability tested
* @error: error code returned by test * @error: error code returned by test
* *
...@@ -63,8 +62,7 @@ static void audit_cb(struct audit_buffer *ab, void *va) ...@@ -63,8 +62,7 @@ static void audit_cb(struct audit_buffer *ab, void *va)
* *
* Returns: 0 or sa->error on success, error code on failure * Returns: 0 or sa->error on success, error code on failure
*/ */
static int audit_caps(struct aa_profile *profile, struct task_struct *task, static int audit_caps(struct aa_profile *profile, int cap, int error)
int cap, int error)
{ {
struct audit_cache *ent; struct audit_cache *ent;
int type = AUDIT_APPARMOR_AUTO; int type = AUDIT_APPARMOR_AUTO;
...@@ -73,7 +71,6 @@ static int audit_caps(struct aa_profile *profile, struct task_struct *task, ...@@ -73,7 +71,6 @@ static int audit_caps(struct aa_profile *profile, struct task_struct *task,
sa.type = LSM_AUDIT_DATA_CAP; sa.type = LSM_AUDIT_DATA_CAP;
sa.aad = &aad; sa.aad = &aad;
sa.u.cap = cap; sa.u.cap = cap;
sa.aad->tsk = task;
sa.aad->op = OP_CAPABLE; sa.aad->op = OP_CAPABLE;
sa.aad->error = error; sa.aad->error = error;
...@@ -124,8 +121,7 @@ static int profile_capable(struct aa_profile *profile, int cap) ...@@ -124,8 +121,7 @@ static int profile_capable(struct aa_profile *profile, int cap)
/** /**
* aa_capable - test permission to use capability * aa_capable - test permission to use capability
* @task: task doing capability test against (NOT NULL) * @profile: profile being tested against (NOT NULL)
* @profile: profile confining @task (NOT NULL)
* @cap: capability to be tested * @cap: capability to be tested
* @audit: whether an audit record should be generated * @audit: whether an audit record should be generated
* *
...@@ -133,8 +129,7 @@ static int profile_capable(struct aa_profile *profile, int cap) ...@@ -133,8 +129,7 @@ static int profile_capable(struct aa_profile *profile, int cap)
* *
* Returns: 0 on success, or else an error code. * Returns: 0 on success, or else an error code.
*/ */
int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap, int aa_capable(struct aa_profile *profile, int cap, int audit)
int audit)
{ {
int error = profile_capable(profile, cap); int error = profile_capable(profile, cap);
...@@ -144,5 +139,5 @@ int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap, ...@@ -144,5 +139,5 @@ int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap,
return error; return error;
} }
return audit_caps(profile, task, cap, error); return audit_caps(profile, cap, error);
} }
...@@ -75,7 +75,7 @@ static int may_change_ptraced_domain(struct task_struct *task, ...@@ -75,7 +75,7 @@ static int may_change_ptraced_domain(struct task_struct *task,
if (!tracer || unconfined(tracerp)) if (!tracer || unconfined(tracerp))
goto out; goto out;
error = aa_may_ptrace(tracer, tracerp, to_profile, PTRACE_MODE_ATTACH); error = aa_may_ptrace(tracerp, to_profile, PTRACE_MODE_ATTACH);
out: out:
rcu_read_unlock(); rcu_read_unlock();
......
...@@ -4,7 +4,7 @@ ...@@ -4,7 +4,7 @@
* This file contains AppArmor capability mediation definitions. * This file contains AppArmor capability mediation definitions.
* *
* Copyright (C) 1998-2008 Novell/SUSE * Copyright (C) 1998-2008 Novell/SUSE
* Copyright 2009-2010 Canonical Ltd. * Copyright 2009-2013 Canonical Ltd.
* *
* This program is free software; you can redistribute it and/or * This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as * modify it under the terms of the GNU General Public License as
...@@ -38,8 +38,7 @@ struct aa_caps { ...@@ -38,8 +38,7 @@ struct aa_caps {
extern struct aa_fs_entry aa_fs_entry_caps[]; extern struct aa_fs_entry aa_fs_entry_caps[];
int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap, int aa_capable(struct aa_profile *profile, int cap, int audit);
int audit);
static inline void aa_free_cap_rules(struct aa_caps *caps) static inline void aa_free_cap_rules(struct aa_caps *caps)
{ {
......
...@@ -19,8 +19,8 @@ ...@@ -19,8 +19,8 @@
struct aa_profile; struct aa_profile;
int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer, int aa_may_ptrace(struct aa_profile *tracer, struct aa_profile *tracee,
struct aa_profile *tracee, unsigned int mode); unsigned int mode);
int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee, int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee,
unsigned int mode); unsigned int mode);
......
...@@ -54,15 +54,14 @@ static int aa_audit_ptrace(struct aa_profile *profile, ...@@ -54,15 +54,14 @@ static int aa_audit_ptrace(struct aa_profile *profile,
/** /**
* aa_may_ptrace - test if tracer task can trace the tracee * aa_may_ptrace - test if tracer task can trace the tracee
* @tracer_task: task who will do the tracing (NOT NULL)
* @tracer: profile of the task doing the tracing (NOT NULL) * @tracer: profile of the task doing the tracing (NOT NULL)
* @tracee: task to be traced * @tracee: task to be traced
* @mode: whether PTRACE_MODE_READ || PTRACE_MODE_ATTACH * @mode: whether PTRACE_MODE_READ || PTRACE_MODE_ATTACH
* *
* Returns: %0 else error code if permission denied or error * Returns: %0 else error code if permission denied or error
*/ */
int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer, int aa_may_ptrace(struct aa_profile *tracer, struct aa_profile *tracee,
struct aa_profile *tracee, unsigned int mode) unsigned int mode)
{ {
/* TODO: currently only based on capability, not extended ptrace /* TODO: currently only based on capability, not extended ptrace
* rules, * rules,
...@@ -72,7 +71,7 @@ int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer, ...@@ -72,7 +71,7 @@ int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer,
if (unconfined(tracer) || tracer == tracee) if (unconfined(tracer) || tracer == tracee)
return 0; return 0;
/* log this capability request */ /* log this capability request */
return aa_capable(tracer_task, tracer, CAP_SYS_PTRACE, 1); return aa_capable(tracer, CAP_SYS_PTRACE, 1);
} }
/** /**
...@@ -101,7 +100,7 @@ int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee, ...@@ -101,7 +100,7 @@ int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee,
if (!unconfined(tracer_p)) { if (!unconfined(tracer_p)) {
struct aa_profile *tracee_p = aa_get_task_profile(tracee); struct aa_profile *tracee_p = aa_get_task_profile(tracee);
error = aa_may_ptrace(tracer, tracer_p, tracee_p, mode); error = aa_may_ptrace(tracer_p, tracee_p, mode);
error = aa_audit_ptrace(tracer_p, tracee_p, error); error = aa_audit_ptrace(tracer_p, tracee_p, error);
aa_put_profile(tracee_p); aa_put_profile(tracee_p);
......
...@@ -145,7 +145,7 @@ static int apparmor_capable(const struct cred *cred, struct user_namespace *ns, ...@@ -145,7 +145,7 @@ static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
if (!error) { if (!error) {
profile = aa_cred_profile(cred); profile = aa_cred_profile(cred);
if (!unconfined(profile)) if (!unconfined(profile))
error = aa_capable(current, profile, cap, audit); error = aa_capable(profile, cap, audit);
} }
return error; return error;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment