提交
98c3d182
编写于
6月 09, 2017
作者:
John Johansen
apparmor: update aa_audit_file() to use labels
Signed-off-by:
John Johansen
<
john.johansen@canonical.com
>
上级
190a9518
变更
3
Showing
3 changed file
with
18 addition
and
9 deletion
+18
-9
security/apparmor/domain.c
security/apparmor/domain.c
+4
-2
security/apparmor/file.c
security/apparmor/file.c
+12
-6
security/apparmor/include/file.h
security/apparmor/include/file.h
+2
-1
security/apparmor/domain.c
...
...
@@ -518,6 +518,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
audit:
error
=
aa_audit_file
(
profile
,
&
perms
,
OP_EXEC
,
MAY_EXEC
,
name
,
new_profile
?
new_profile
->
base
.
hname
:
NULL
,
new_profile
?
&
new_profile
->
label
:
NULL
,
cond
.
uid
,
info
,
error
);
cleanup:
...
...
@@ -694,7 +695,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
audit:
if
(
!
(
flags
&
AA_CHANGE_TEST
))
error
=
aa_audit_file
(
profile
,
&
perms
,
OP_CHANGE_HAT
,
AA_MAY_CHANGEHAT
,
NULL
,
target
,
AA_MAY_CHANGEHAT
,
NULL
,
target
,
NULL
,
GLOBAL_ROOT_UID
,
info
,
error
);
out:
...
...
@@ -802,7 +803,8 @@ int aa_change_profile(const char *fqname, int flags)
audit:
if
(
!
(
flags
&
AA_CHANGE_TEST
))
error
=
aa_audit_file
(
profile
,
&
perms
,
op
,
request
,
NULL
,
fqname
,
GLOBAL_ROOT_UID
,
info
,
error
);
fqname
,
NULL
,
GLOBAL_ROOT_UID
,
info
,
error
);
aa_put_profile
(
target
);
aa_put_label
(
label
);
...
...
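Review bot: In apparmor_bprm_set_creds the call now passes both `new_profile->base.hname` and `&new_profile->label`, but the new file_audit_cb branch prints the peer label and only falls back to `fs.target` when `peer` is NULL, so the hname string appears to be redundant whenever a label is supplied (unless `fs.target` is consumed elsewhere in the callback, which is outside the visible hunk). Conversely, aa_change_hat and aa_change_profile still pass `NULL` for the label argument even though aa_change_profile has a `target` profile in scope (`aa_put_profile(target)` follows the call); if label-based target reporting is the intent, `target ? &target->label : NULL` there would make the call sites consistent, with the caveat that the label is only borrowed until the audit completes. All three calls sit inside functions whose bodies extend beyond their hunks.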
security/apparmor/file.c
...
...
@@ -75,7 +75,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
from_kuid
(
&
init_user_ns
,
aad
(
sa
)
->
fs
.
ouid
));
}
if
(
aad
(
sa
)
->
fs
.
target
)
{
if
(
aad
(
sa
)
->
peer
)
{
audit_log_format
(
ab
,
" target="
);
aa_label_xaudit
(
ab
,
labels_ns
(
aad
(
sa
)
->
label
),
aad
(
sa
)
->
peer
,
FLAG_VIEW_SUBNS
,
GFP_ATOMIC
);
}
else
if
(
aad
(
sa
)
->
fs
.
target
)
{
audit_log_format
(
ab
,
" target="
);
audit_log_untrustedstring
(
ab
,
aad
(
sa
)
->
fs
.
target
);
}
...
...
@@ -85,11 +89,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
* aa_audit_file - handle the auditing of file operations
* @profile: the profile being enforced (NOT NULL)
* @perms: the permissions computed for the request (NOT NULL)
* @gfp: allocation flags
* @op: operation being mediated
* @request: permissions requested
* @name: name of object being mediated (MAYBE NULL)
* @target: name of target (MAYBE NULL)
* @tlabel: target label (MAY BE NULL)
* @ouid: object uid
* @info: extra information message (MAYBE NULL)
* @error: 0 if operation allowed else failure error code
...
...
@@ -98,7 +102,8 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
*/
int
aa_audit_file
(
struct
aa_profile
*
profile
,
struct
aa_perms
*
perms
,
const
char
*
op
,
u32
request
,
const
char
*
name
,
const
char
*
target
,
kuid_t
ouid
,
const
char
*
info
,
int
error
)
const
char
*
target
,
struct
aa_label
*
tlabel
,
kuid_t
ouid
,
const
char
*
info
,
int
error
)
{
int
type
=
AUDIT_APPARMOR_AUTO
;
DEFINE_AUDIT_DATA
(
sa
,
LSM_AUDIT_DATA_TASK
,
op
);
...
...
@@ -107,6 +112,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
aad
(
&
sa
)
->
request
=
request
;
aad
(
&
sa
)
->
name
=
name
;
aad
(
&
sa
)
->
fs
.
target
=
target
;
aad
(
&
sa
)
->
peer
=
tlabel
;
aad
(
&
sa
)
->
fs
.
ouid
=
ouid
;
aad
(
&
sa
)
->
info
=
info
;
aad
(
&
sa
)
->
error
=
error
;
...
...
@@ -139,7 +145,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
aad
(
&
sa
)
->
request
&=
~
perms
->
quiet
;
if
(
!
aad
(
&
sa
)
->
request
)
return
COMPLAIN_MODE
(
profile
)
?
0
:
aad
(
&
sa
)
->
error
;
return
aad
(
&
sa
)
->
error
;
}
aad
(
&
sa
)
->
denied
=
aad
(
&
sa
)
->
request
&
~
perms
->
allow
;
...
...
@@ -295,7 +301,7 @@ int aa_path_perm(const char *op, struct aa_profile *profile,
if
(
request
&
~
perms
.
allow
)
error
=
-
EACCES
;
}
error
=
aa_audit_file
(
profile
,
&
perms
,
op
,
request
,
name
,
NULL
,
error
=
aa_audit_file
(
profile
,
&
perms
,
op
,
request
,
name
,
NULL
,
NULL
,
cond
->
uid
,
info
,
error
);
put_buffers
(
buffer
);
...
...
@@ -425,7 +431,7 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
audit:
error
=
aa_audit_file
(
profile
,
&
lperms
,
OP_LINK
,
request
,
lname
,
tname
,
cond
.
uid
,
info
,
error
);
lname
,
tname
,
NULL
,
cond
.
uid
,
info
,
error
);
put_buffers
(
buffer
,
buffer2
);
return
error
;
...
...
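Review bot: The new `peer` branch in file_audit_cb passes `labels_ns(aad(sa)->label)` to aa_label_xaudit, so it dereferences the auditing label; none of the visible aa_audit_file hunks set `aad(&sa)->label`, so confirm it is populated on every path that reaches this callback (presumably by the common audit path from `profile`) before the target is printed. Separately, aa_audit_file stores `tlabel` in `aad(&sa)->peer` without taking a reference, so the pointer is borrowed for the duration of the call; the added kernel-doc line would be clearer as ` * @tlabel: target label (MAY BE NULL; caller must hold a reference across the call)`. file_audit_cb and aa_audit_file both start outside their hunks.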
security/apparmor/include/file.h
...
...
@@ -162,7 +162,8 @@ static inline u16 dfa_map_xindex(u16 mask)
int
aa_audit_file
(
struct
aa_profile
*
profile
,
struct
aa_perms
*
perms
,
const
char
*
op
,
u32
request
,
const
char
*
name
,
const
char
*
target
,
kuid_t
ouid
,
const
char
*
info
,
int
error
);
const
char
*
target
,
struct
aa_label
*
tlabel
,
kuid_t
ouid
,
const
char
*
info
,
int
error
);
/**
* struct aa_file_rules - components used for file rule permissions
...
...