apparmor: prepare to support newer versions of policy

Newer policy encodes more than just version in the version tag, so add masking to make sure the comparison remains correct. Note: this is fully compatible with older policy as it will never set the bits being masked out. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16 00:42:39 -08:00 · 2017-01-16 00:42:39 -08:00 · 474d6b7510
parent 5ebfb12822
commit 474d6b7510
2 changed files with 25 additions and 10 deletions
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@ -799,9 +799,15 @@ static struct aa_fs_entry aa_fs_entry_domain[] = {
 	{ }
 };

+static struct aa_fs_entry aa_fs_entry_versions[] = {
+	AA_FS_FILE_BOOLEAN("v5",	1),
+	{ }
+};
+
 static struct aa_fs_entry aa_fs_entry_policy[] = {
-	AA_FS_FILE_BOOLEAN("set_load",          1),
-	{}
+	AA_FS_DIR("versions",                   aa_fs_entry_versions),
+	AA_FS_FILE_BOOLEAN("set_load",		1),
+	{ }
 };

 static struct aa_fs_entry aa_fs_entry_features[] = {
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@ -29,7 +29,14 @@
 #include "include/policy.h"
 #include "include/policy_unpack.h"

+#define K_ABI_MASK 0x3ff
 #define FORCE_COMPLAIN_FLAG 0x800
+#define VERSION_LT(X, Y) (((X) & K_ABI_MASK) < ((Y) & K_ABI_MASK))
+#define VERSION_GT(X, Y) (((X) & K_ABI_MASK) > ((Y) & K_ABI_MASK))
+
+#define v5	5	/* base version */
+#define v6	6	/* per entry policydb mediation check */
+#define v7	7	/* full network masking */

 /*
 * The AppArmor interface treats data as a type byte followed by the
@ -646,19 +653,21 @@ static int verify_header(struct aa_ext *e, int required, const char **ns)
 	/* get the interface version */
 	if (!unpack_u32(e, &e->version, "version")) {
 		if (required) {
-			audit_iface(NULL, NULL, "invalid profile format", e,
-				    error);
-			return error;
-		}
-
-		/* check that the interface version is currently supported */
-		if (e->version != 5) {
-			audit_iface(NULL, NULL, "unsupported interface version",
+			audit_iface(NULL, NULL, "invalid profile format",
 				    e, error);
 			return error;
 		}
 	}

+	/* Check that the interface version is currently supported.
+	 * if not specified use previous version
+	 * Mask off everything that is not kernel abi version
+	 */
+	if (VERSION_LT(e->version, v5) && VERSION_GT(e->version, v7)) {
+		audit_iface(NULL, NULL, "unsupported interface version",
+			    e, error);
+		return error;
+	}

 	/* read the namespace if present */
 	if (unpack_str(e, &name, "namespace")) {