提交
2d679f3c
编写于
5月 29, 2017
作者:
John Johansen
apparmor: switch from file_perms to aa_perms
Signed-off-by:
John Johansen
<
john.johansen@canonical.com
>
上级
aa9aeea8
变更
5
Showing
5 changed file
with
29 addition
and
48 deletion
+29
-48
security/apparmor/domain.c
security/apparmor/domain.c
+9
-9
security/apparmor/file.c
security/apparmor/file.c
+14
-17
security/apparmor/include/file.h
security/apparmor/include/file.h
+4
-21
security/apparmor/include/perms.h
security/apparmor/include/perms.h
+1
-1
security/apparmor/lib.c
security/apparmor/lib.c
+1
-0
security/apparmor/domain.c
...
@@ -93,12 +93,12 @@ static int may_change_ptraced_domain(struct aa_profile *to_profile)
...
@@ -93,12 +93,12 @@ static int may_change_ptraced_domain(struct aa_profile *to_profile)
*
*
* Returns: permission set
* Returns: permission set
*/
*/
static
struct
file
_perms
change_profile_perms
(
struct
aa_profile
*
profile
,
static
struct
aa
_perms
change_profile_perms
(
struct
aa_profile
*
profile
,
struct
aa_ns
*
ns
,
struct
aa_ns
*
ns
,
const
char
*
name
,
u32
request
,
const
char
*
name
,
u32
request
,
unsigned
int
start
)
unsigned
int
start
)
{
{
struct
file
_perms
perms
;
struct
aa
_perms
perms
;
struct
path_cond
cond
=
{
};
struct
path_cond
cond
=
{
};
unsigned
int
state
;
unsigned
int
state
;
...
@@ -342,7 +342,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
...
@@ -342,7 +342,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
struct
aa_ns
*
ns
;
struct
aa_ns
*
ns
;
char
*
buffer
=
NULL
;
char
*
buffer
=
NULL
;
unsigned
int
state
;
unsigned
int
state
;
struct
file
_perms
perms
=
{};
struct
aa
_perms
perms
=
{};
struct
path_cond
cond
=
{
struct
path_cond
cond
=
{
file_inode
(
bprm
->
file
)
->
i_uid
,
file_inode
(
bprm
->
file
)
->
i_uid
,
file_inode
(
bprm
->
file
)
->
i_mode
file_inode
(
bprm
->
file
)
->
i_mode
...
@@ -400,7 +400,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
...
@@ -400,7 +400,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
/* find exec permissions for name */
/* find exec permissions for name */
state
=
aa_str_perms
(
profile
->
file
.
dfa
,
state
,
name
,
&
cond
,
&
perms
);
state
=
aa_str_perms
(
profile
->
file
.
dfa
,
state
,
name
,
&
cond
,
&
perms
);
if
(
ctx
->
onexec
)
{
if
(
ctx
->
onexec
)
{
struct
file
_perms
cp
;
struct
aa
_perms
cp
;
info
=
"change_profile onexec"
;
info
=
"change_profile onexec"
;
new_profile
=
aa_get_newest_profile
(
ctx
->
onexec
);
new_profile
=
aa_get_newest_profile
(
ctx
->
onexec
);
if
(
!
(
perms
.
allow
&
AA_MAY_ONEXEC
))
if
(
!
(
perms
.
allow
&
AA_MAY_ONEXEC
))
...
@@ -609,7 +609,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
...
@@ -609,7 +609,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
struct
aa_profile
*
profile
,
*
previous_profile
,
*
hat
=
NULL
;
struct
aa_profile
*
profile
,
*
previous_profile
,
*
hat
=
NULL
;
char
*
name
=
NULL
;
char
*
name
=
NULL
;
int
i
;
int
i
;
struct
file
_perms
perms
=
{};
struct
aa
_perms
perms
=
{};
const
char
*
target
=
NULL
,
*
info
=
NULL
;
const
char
*
target
=
NULL
,
*
info
=
NULL
;
int
error
=
0
;
int
error
=
0
;
...
@@ -748,7 +748,7 @@ int aa_change_profile(const char *fqname, bool onexec,
...
@@ -748,7 +748,7 @@ int aa_change_profile(const char *fqname, bool onexec,
{
{
const
struct
cred
*
cred
;
const
struct
cred
*
cred
;
struct
aa_profile
*
profile
,
*
target
=
NULL
;
struct
aa_profile
*
profile
,
*
target
=
NULL
;
struct
file
_perms
perms
=
{};
struct
aa
_perms
perms
=
{};
const
char
*
info
=
NULL
,
*
op
;
const
char
*
info
=
NULL
,
*
op
;
int
error
=
0
;
int
error
=
0
;
u32
request
;
u32
request
;
...
...
security/apparmor/file.c
...
@@ -19,8 +19,6 @@
...
@@ -19,8 +19,6 @@
#include "include/path.h"
#include "include/path.h"
#include "include/policy.h"
#include "include/policy.h"
struct
file_perms
nullperms
;
static
u32
map_mask_to_chr_mask
(
u32
mask
)
static
u32
map_mask_to_chr_mask
(
u32
mask
)
{
{
u32
m
=
mask
&
PERMS_CHRS_MASK
;
u32
m
=
mask
&
PERMS_CHRS_MASK
;
...
@@ -92,7 +90,7 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
...
@@ -92,7 +90,7 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
*
*
* Returns: %0 or error on failure
* Returns: %0 or error on failure
*/
*/
int
aa_audit_file
(
struct
aa_profile
*
profile
,
struct
file
_perms
*
perms
,
int
aa_audit_file
(
struct
aa_profile
*
profile
,
struct
aa
_perms
*
perms
,
const
char
*
op
,
u32
request
,
const
char
*
name
,
const
char
*
op
,
u32
request
,
const
char
*
name
,
const
char
*
target
,
kuid_t
ouid
,
const
char
*
info
,
int
error
)
const
char
*
target
,
kuid_t
ouid
,
const
char
*
info
,
int
error
)
{
{
...
@@ -170,7 +168,7 @@ static u32 map_old_perms(u32 old)
...
@@ -170,7 +168,7 @@ static u32 map_old_perms(u32 old)
}
}
/**
/**
*
compute_
perms - convert dfa compressed perms to internal perms
*
aa_compute_f
perms - convert dfa compressed perms to internal perms
* @dfa: dfa to compute perms for (NOT NULL)
* @dfa: dfa to compute perms for (NOT NULL)
* @state: state in dfa
* @state: state in dfa
* @cond: conditions to consider (NOT NULL)
* @cond: conditions to consider (NOT NULL)
...
@@ -180,17 +178,21 @@ static u32 map_old_perms(u32 old)
...
@@ -180,17 +178,21 @@ static u32 map_old_perms(u32 old)
*
*
* Returns: computed permission set
* Returns: computed permission set
*/
*/
st
atic
struct
file_perms
compute_
perms
(
struct
aa_dfa
*
dfa
,
unsigned
int
state
,
st
ruct
aa_perms
aa_compute_f
perms
(
struct
aa_dfa
*
dfa
,
unsigned
int
state
,
struct
path_cond
*
cond
)
struct
path_cond
*
cond
)
{
{
struct
file
_perms
perms
;
struct
aa
_perms
perms
;
/* FIXME: change over to new dfa format
/* FIXME: change over to new dfa format
* currently file perms are encoded in the dfa, new format
* currently file perms are encoded in the dfa, new format
* splits the permissions from the dfa. This mapping can be
* splits the permissions from the dfa. This mapping can be
* done at profile load
* done at profile load
*/
*/
perms
.
kill
=
0
;
perms
.
deny
=
0
;
perms
.
kill
=
perms
.
stop
=
0
;
perms
.
complain
=
perms
.
cond
=
0
;
perms
.
hide
=
0
;
perms
.
prompt
=
0
;
if
(
uid_eq
(
current_fsuid
(),
cond
->
uid
))
{
if
(
uid_eq
(
current_fsuid
(),
cond
->
uid
))
{
perms
.
allow
=
map_old_perms
(
dfa_user_allow
(
dfa
,
state
));
perms
.
allow
=
map_old_perms
(
dfa_user_allow
(
dfa
,
state
));
...
@@ -226,16 +228,11 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
...
@@ -226,16 +228,11 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
*/
*/
unsigned
int
aa_str_perms
(
struct
aa_dfa
*
dfa
,
unsigned
int
start
,
unsigned
int
aa_str_perms
(
struct
aa_dfa
*
dfa
,
unsigned
int
start
,
const
char
*
name
,
struct
path_cond
*
cond
,
const
char
*
name
,
struct
path_cond
*
cond
,
struct
file
_perms
*
perms
)
struct
aa
_perms
*
perms
)
{
{
unsigned
int
state
;
unsigned
int
state
;
if
(
!
dfa
)
{
*
perms
=
nullperms
;
return
DFA_NOMATCH
;
}
state
=
aa_dfa_match
(
dfa
,
start
,
name
);
state
=
aa_dfa_match
(
dfa
,
start
,
name
);
*
perms
=
compute_
perms
(
dfa
,
state
,
cond
);
*
perms
=
aa_compute_f
perms
(
dfa
,
state
,
cond
);
return
state
;
return
state
;
}
}
...
@@ -269,7 +266,7 @@ int aa_path_perm(const char *op, struct aa_profile *profile,
...
@@ -269,7 +266,7 @@ int aa_path_perm(const char *op, struct aa_profile *profile,
struct
path_cond
*
cond
)
struct
path_cond
*
cond
)
{
{
char
*
buffer
=
NULL
;
char
*
buffer
=
NULL
;
struct
file
_perms
perms
=
{};
struct
aa
_perms
perms
=
{};
const
char
*
name
,
*
info
=
NULL
;
const
char
*
name
,
*
info
=
NULL
;
int
error
;
int
error
;
...
@@ -348,7 +345,7 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
...
@@ -348,7 +345,7 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
};
};
char
*
buffer
=
NULL
,
*
buffer2
=
NULL
;
char
*
buffer
=
NULL
,
*
buffer2
=
NULL
;
const
char
*
lname
,
*
tname
=
NULL
,
*
info
=
NULL
;
const
char
*
lname
,
*
tname
=
NULL
,
*
info
=
NULL
;
struct
file
_perms
lperms
,
perms
;
struct
aa
_perms
lperms
,
perms
;
u32
request
=
AA_MAY_LINK
;
u32
request
=
AA_MAY_LINK
;
unsigned
int
state
;
unsigned
int
state
;
int
error
;
int
error
;
...
...
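Review bot: `struct aa_perms perms;` at the top of aa_compute_fperms is still not zero-initialized; the new body clears deny, kill, stop, complain, cond, hide and prompt one assignment at a time and sets allow inside the uid branch, so any aa_perms member that is not assigned somewhere in this function (the rest of the body is outside the hunk) is returned as uninitialized stack data to every caller of aa_str_perms. Because that struct is copied into callers' perms and feeds the permission decision, `struct aa_perms perms = {};` is the safer starting point, matches the `= {}` initializers the other call sites in this commit use, and makes the per-field zeroing redundant rather than something each new member must remember to extend. Separately, aa_str_perms drops the `if (!dfa) { *perms = nullperms; return DFA_NOMATCH; }` guard and now passes dfa straight to aa_dfa_match and aa_compute_fperms, a behavior change the commit title does not mention. If a non-NULL dfa is now a caller precondition, record it above the function with a comment such as `/* @dfa must not be NULL: the !dfa fallback to nullperms was removed */`.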
security/apparmor/include/file.h
...
@@ -90,25 +90,6 @@ struct path_cond {
...
@@ -90,25 +90,6 @@ struct path_cond {
umode_t
mode
;
umode_t
mode
;
};
};
/* struct file_perms - file permission
* @allow: mask of permissions that are allowed
* @audit: mask of permissions to force an audit message for
* @quiet: mask of permissions to quiet audit messages for
* @kill: mask of permissions that when matched will kill the task
* @xindex: exec transition index if @allow contains MAY_EXEC
*
* The @audit and @queit mask should be mutually exclusive.
*/
struct
file_perms
{
u32
allow
;
u32
audit
;
u32
quiet
;
u32
kill
;
u16
xindex
;
};
extern
struct
file_perms
nullperms
;
#define COMBINED_PERM_MASK(X) ((X).allow | (X).audit | (X).quiet | (X).kill)
#define COMBINED_PERM_MASK(X) ((X).allow | (X).audit | (X).quiet | (X).kill)
/* FIXME: split perms from dfa and match this to description
/* FIXME: split perms from dfa and match this to description
...
@@ -159,7 +140,7 @@ static inline u16 dfa_map_xindex(u16 mask)
...
@@ -159,7 +140,7 @@ static inline u16 dfa_map_xindex(u16 mask)
#define dfa_other_xindex(dfa, state) \
#define dfa_other_xindex(dfa, state) \
dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
int
aa_audit_file
(
struct
aa_profile
*
profile
,
struct
file
_perms
*
perms
,
int
aa_audit_file
(
struct
aa_profile
*
profile
,
struct
aa
_perms
*
perms
,
const
char
*
op
,
u32
request
,
const
char
*
name
,
const
char
*
op
,
u32
request
,
const
char
*
name
,
const
char
*
target
,
kuid_t
ouid
,
const
char
*
info
,
int
error
);
const
char
*
target
,
kuid_t
ouid
,
const
char
*
info
,
int
error
);
...
@@ -182,9 +163,11 @@ struct aa_file_rules {
...
@@ -182,9 +163,11 @@ struct aa_file_rules {
/* TODO: add delegate table */
/* TODO: add delegate table */
};
};
struct
aa_perms
aa_compute_fperms
(
struct
aa_dfa
*
dfa
,
unsigned
int
state
,
struct
path_cond
*
cond
);
unsigned
int
aa_str_perms
(
struct
aa_dfa
*
dfa
,
unsigned
int
start
,
unsigned
int
aa_str_perms
(
struct
aa_dfa
*
dfa
,
unsigned
int
start
,
const
char
*
name
,
struct
path_cond
*
cond
,
const
char
*
name
,
struct
path_cond
*
cond
,
struct
file
_perms
*
perms
);
struct
aa
_perms
*
perms
);
int
aa_path_perm
(
const
char
*
op
,
struct
aa_profile
*
profile
,
int
aa_path_perm
(
const
char
*
op
,
struct
aa_profile
*
profile
,
const
struct
path
*
path
,
int
flags
,
u32
request
,
const
struct
path
*
path
,
int
flags
,
u32
request
,
...
...
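Review bot: `#define COMBINED_PERM_MASK(X) ((X).allow | (X).audit | (X).quiet | (X).kill)` survives the switch as context but now applies to struct aa_perms, whose deny, stop, complain, cond, hide and prompt masks (the members aa_compute_fperms zeroes in this commit) are not folded in. If the macro is meant as the union of every mask an aa_perms carries it is now incomplete; if it is intentionally the subset inherited from the removed struct file_perms, its name no longer says so. Either extend it to the new members or add a comment above it like `/* only the masks carried over from the old struct file_perms; deny/stop/complain/cond/hide/prompt are not included */`. The aa_perms definition lives in perms.h and only its closing brace is visible in this diff, so the exact member list should be confirmed there.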
security/apparmor/include/perms.h
...
@@ -88,7 +88,7 @@ struct aa_perms {
...
@@ -88,7 +88,7 @@ struct aa_perms {
};
};
#define ALL_PERMS_MASK 0xffffffff
#define ALL_PERMS_MASK 0xffffffff
extern
struct
aa_perms
nullperms
;
extern
struct
aa_perms
allperms
;
extern
struct
aa_perms
allperms
;
struct
aa_profile
;
struct
aa_profile
;
...
...
security/apparmor/lib.c
...
@@ -24,6 +24,7 @@
...
@@ -24,6 +24,7 @@
#include "include/perms.h"
#include "include/perms.h"
#include "include/policy.h"
#include "include/policy.h"
struct
aa_perms
nullperms
;
struct
aa_perms
allperms
=
{
.
allow
=
ALL_PERMS_MASK
,
struct
aa_perms
allperms
=
{
.
allow
=
ALL_PERMS_MASK
,
.
quiet
=
ALL_PERMS_MASK
,
.
quiet
=
ALL_PERMS_MASK
,
.
hide
=
ALL_PERMS_MASK
};
.
hide
=
ALL_PERMS_MASK
};
...
...