apparmor: switch from file_perms to aa_perms
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
parent
aa9aeea8d4
commit
2d679f3cb0
|
|
@ -93,12 +93,12 @@ static int may_change_ptraced_domain(struct aa_profile *to_profile)
|
|||
*
|
||||
* Returns: permission set
|
||||
*/
|
||||
static struct file_perms change_profile_perms(struct aa_profile *profile,
|
||||
struct aa_ns *ns,
|
||||
const char *name, u32 request,
|
||||
unsigned int start)
|
||||
static struct aa_perms change_profile_perms(struct aa_profile *profile,
|
||||
struct aa_ns *ns,
|
||||
const char *name, u32 request,
|
||||
unsigned int start)
|
||||
{
|
||||
struct file_perms perms;
|
||||
struct aa_perms perms;
|
||||
struct path_cond cond = { };
|
||||
unsigned int state;
|
||||
|
||||
|
|
@ -342,7 +342,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
|
|||
struct aa_ns *ns;
|
||||
char *buffer = NULL;
|
||||
unsigned int state;
|
||||
struct file_perms perms = {};
|
||||
struct aa_perms perms = {};
|
||||
struct path_cond cond = {
|
||||
file_inode(bprm->file)->i_uid,
|
||||
file_inode(bprm->file)->i_mode
|
||||
|
|
@ -400,7 +400,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
|
|||
/* find exec permissions for name */
|
||||
state = aa_str_perms(profile->file.dfa, state, name, &cond, &perms);
|
||||
if (ctx->onexec) {
|
||||
struct file_perms cp;
|
||||
struct aa_perms cp;
|
||||
info = "change_profile onexec";
|
||||
new_profile = aa_get_newest_profile(ctx->onexec);
|
||||
if (!(perms.allow & AA_MAY_ONEXEC))
|
||||
|
|
@ -609,7 +609,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
|
|||
struct aa_profile *profile, *previous_profile, *hat = NULL;
|
||||
char *name = NULL;
|
||||
int i;
|
||||
struct file_perms perms = {};
|
||||
struct aa_perms perms = {};
|
||||
const char *target = NULL, *info = NULL;
|
||||
int error = 0;
|
||||
|
||||
|
|
@ -748,7 +748,7 @@ int aa_change_profile(const char *fqname, bool onexec,
|
|||
{
|
||||
const struct cred *cred;
|
||||
struct aa_profile *profile, *target = NULL;
|
||||
struct file_perms perms = {};
|
||||
struct aa_perms perms = {};
|
||||
const char *info = NULL, *op;
|
||||
int error = 0;
|
||||
u32 request;
|
||||
|
|
|
|||
|
|
@ -19,8 +19,6 @@
|
|||
#include "include/path.h"
|
||||
#include "include/policy.h"
|
||||
|
||||
struct file_perms nullperms;
|
||||
|
||||
static u32 map_mask_to_chr_mask(u32 mask)
|
||||
{
|
||||
u32 m = mask & PERMS_CHRS_MASK;
|
||||
|
|
@ -92,7 +90,7 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
|
|||
*
|
||||
* Returns: %0 or error on failure
|
||||
*/
|
||||
int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
|
||||
int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
|
||||
const char *op, u32 request, const char *name,
|
||||
const char *target, kuid_t ouid, const char *info, int error)
|
||||
{
|
||||
|
|
@ -170,7 +168,7 @@ static u32 map_old_perms(u32 old)
|
|||
}
|
||||
|
||||
/**
|
||||
* compute_perms - convert dfa compressed perms to internal perms
|
||||
* aa_compute_fperms - convert dfa compressed perms to internal perms
|
||||
* @dfa: dfa to compute perms for (NOT NULL)
|
||||
* @state: state in dfa
|
||||
* @cond: conditions to consider (NOT NULL)
|
||||
|
|
@ -180,17 +178,21 @@ static u32 map_old_perms(u32 old)
|
|||
*
|
||||
* Returns: computed permission set
|
||||
*/
|
||||
static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
|
||||
struct path_cond *cond)
|
||||
struct aa_perms aa_compute_fperms(struct aa_dfa *dfa, unsigned int state,
|
||||
struct path_cond *cond)
|
||||
{
|
||||
struct file_perms perms;
|
||||
struct aa_perms perms;
|
||||
|
||||
/* FIXME: change over to new dfa format
|
||||
* currently file perms are encoded in the dfa, new format
|
||||
* splits the permissions from the dfa. This mapping can be
|
||||
* done at profile load
|
||||
*/
|
||||
perms.kill = 0;
|
||||
perms.deny = 0;
|
||||
perms.kill = perms.stop = 0;
|
||||
perms.complain = perms.cond = 0;
|
||||
perms.hide = 0;
|
||||
perms.prompt = 0;
|
||||
|
||||
if (uid_eq(current_fsuid(), cond->uid)) {
|
||||
perms.allow = map_old_perms(dfa_user_allow(dfa, state));
|
||||
|
|
@ -226,16 +228,11 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
|
|||
*/
|
||||
unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
|
||||
const char *name, struct path_cond *cond,
|
||||
struct file_perms *perms)
|
||||
struct aa_perms *perms)
|
||||
{
|
||||
unsigned int state;
|
||||
if (!dfa) {
|
||||
*perms = nullperms;
|
||||
return DFA_NOMATCH;
|
||||
}
|
||||
|
||||
state = aa_dfa_match(dfa, start, name);
|
||||
*perms = compute_perms(dfa, state, cond);
|
||||
*perms = aa_compute_fperms(dfa, state, cond);
|
||||
|
||||
return state;
|
||||
}
|
||||
|
|
@ -269,7 +266,7 @@ int aa_path_perm(const char *op, struct aa_profile *profile,
|
|||
struct path_cond *cond)
|
||||
{
|
||||
char *buffer = NULL;
|
||||
struct file_perms perms = {};
|
||||
struct aa_perms perms = {};
|
||||
const char *name, *info = NULL;
|
||||
int error;
|
||||
|
||||
|
|
@ -348,7 +345,7 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
|
|||
};
|
||||
char *buffer = NULL, *buffer2 = NULL;
|
||||
const char *lname, *tname = NULL, *info = NULL;
|
||||
struct file_perms lperms, perms;
|
||||
struct aa_perms lperms, perms;
|
||||
u32 request = AA_MAY_LINK;
|
||||
unsigned int state;
|
||||
int error;
|
||||
|
|
|
|||
|
|
@ -90,25 +90,6 @@ struct path_cond {
|
|||
umode_t mode;
|
||||
};
|
||||
|
||||
/* struct file_perms - file permission
|
||||
* @allow: mask of permissions that are allowed
|
||||
* @audit: mask of permissions to force an audit message for
|
||||
* @quiet: mask of permissions to quiet audit messages for
|
||||
* @kill: mask of permissions that when matched will kill the task
|
||||
* @xindex: exec transition index if @allow contains MAY_EXEC
|
||||
*
|
||||
* The @audit and @queit mask should be mutually exclusive.
|
||||
*/
|
||||
struct file_perms {
|
||||
u32 allow;
|
||||
u32 audit;
|
||||
u32 quiet;
|
||||
u32 kill;
|
||||
u16 xindex;
|
||||
};
|
||||
|
||||
extern struct file_perms nullperms;
|
||||
|
||||
#define COMBINED_PERM_MASK(X) ((X).allow | (X).audit | (X).quiet | (X).kill)
|
||||
|
||||
/* FIXME: split perms from dfa and match this to description
|
||||
|
|
@ -159,7 +140,7 @@ static inline u16 dfa_map_xindex(u16 mask)
|
|||
#define dfa_other_xindex(dfa, state) \
|
||||
dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
|
||||
|
||||
int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
|
||||
int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
|
||||
const char *op, u32 request, const char *name,
|
||||
const char *target, kuid_t ouid, const char *info, int error);
|
||||
|
||||
|
|
@ -182,9 +163,11 @@ struct aa_file_rules {
|
|||
/* TODO: add delegate table */
|
||||
};
|
||||
|
||||
struct aa_perms aa_compute_fperms(struct aa_dfa *dfa, unsigned int state,
|
||||
struct path_cond *cond);
|
||||
unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
|
||||
const char *name, struct path_cond *cond,
|
||||
struct file_perms *perms);
|
||||
struct aa_perms *perms);
|
||||
|
||||
int aa_path_perm(const char *op, struct aa_profile *profile,
|
||||
const struct path *path, int flags, u32 request,
|
||||
|
|
|
|||
|
|
@ -88,7 +88,7 @@ struct aa_perms {
|
|||
};
|
||||
|
||||
#define ALL_PERMS_MASK 0xffffffff
|
||||
|
||||
extern struct aa_perms nullperms;
|
||||
extern struct aa_perms allperms;
|
||||
|
||||
struct aa_profile;
|
||||
|
|
|
|||
|
|
@ -24,6 +24,7 @@
|
|||
#include "include/perms.h"
|
||||
#include "include/policy.h"
|
||||
|
||||
struct aa_perms nullperms;
|
||||
struct aa_perms allperms = { .allow = ALL_PERMS_MASK,
|
||||
.quiet = ALL_PERMS_MASK,
|
||||
.hide = ALL_PERMS_MASK };
|
||||
|
|
|
|||
Loading…
Reference in New Issue