Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
cloud-kernel
提交
aebd873e
cloud-kernel
项目概览
openanolis
/
cloud-kernel
1 年多 前同步成功
通知
160
Star
36
Fork
7
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
10
列表
看板
标记
里程碑
合并请求
2
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
cloud-kernel
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
10
Issue
10
列表
看板
标记
里程碑
合并请求
2
合并请求
2
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
aebd873e
编写于
6月 09, 2017
作者:
J
John Johansen
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
apparmor: refactor path name lookup and permission checks around labels
Signed-off-by:
N
John Johansen
<
john.johansen@canonical.com
>
上级
98c3d182
变更
3
隐藏空白更改
内联
并排
Showing
3 changed file
with
85 addition
and
45 deletion
+85
-45
security/apparmor/file.c
security/apparmor/file.c
+77
-35
security/apparmor/include/file.h
security/apparmor/include/file.h
+4
-1
security/apparmor/lsm.c
security/apparmor/lsm.c
+4
-9
未找到文件。
security/apparmor/file.c
浏览文件 @
aebd873e
...
@@ -152,6 +152,39 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
...
@@ -152,6 +152,39 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
return
aa_audit
(
type
,
profile
,
&
sa
,
file_audit_cb
);
return
aa_audit
(
type
,
profile
,
&
sa
,
file_audit_cb
);
}
}
/**
* is_deleted - test if a file has been completely unlinked
* @dentry: dentry of file to test for deletion (NOT NULL)
*
* Returns: %1 if deleted else %0
*/
static
inline
bool
is_deleted
(
struct
dentry
*
dentry
)
{
if
(
d_unlinked
(
dentry
)
&&
d_backing_inode
(
dentry
)
->
i_nlink
==
0
)
return
1
;
return
0
;
}
static
int
path_name
(
const
char
*
op
,
struct
aa_label
*
label
,
const
struct
path
*
path
,
int
flags
,
char
*
buffer
,
const
char
**
name
,
struct
path_cond
*
cond
,
u32
request
)
{
struct
aa_profile
*
profile
;
const
char
*
info
=
NULL
;
int
error
;
error
=
aa_path_name
(
path
,
flags
,
buffer
,
name
,
&
info
,
labels_profile
(
label
)
->
disconnected
);
if
(
error
)
{
fn_for_each_confined
(
label
,
profile
,
aa_audit_file
(
profile
,
&
nullperms
,
op
,
request
,
*
name
,
NULL
,
NULL
,
cond
->
uid
,
info
,
error
));
return
error
;
}
return
0
;
}
/**
/**
* map_old_perms - map old file perms layout to the new layout
* map_old_perms - map old file perms layout to the new layout
* @old: permission set in old mapping
* @old: permission set in old mapping
...
@@ -249,23 +282,46 @@ unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
...
@@ -249,23 +282,46 @@ unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
return
state
;
return
state
;
}
}
/**
int
__aa_path_perm
(
const
char
*
op
,
struct
aa_profile
*
profile
,
const
char
*
name
,
* is_deleted - test if a file has been completely unlinked
u32
request
,
struct
path_cond
*
cond
,
int
flags
,
* @dentry: dentry of file to test for deletion (NOT NULL)
struct
aa_perms
*
perms
)
*
* Returns: %1 if deleted else %0
*/
static
inline
bool
is_deleted
(
struct
dentry
*
dentry
)
{
{
if
(
d_unlinked
(
dentry
)
&&
d_backing_inode
(
dentry
)
->
i_nlink
==
0
)
int
e
=
0
;
return
1
;
return
0
;
if
(
profile_unconfined
(
profile
))
return
0
;
aa_str_perms
(
profile
->
file
.
dfa
,
profile
->
file
.
start
,
name
,
cond
,
perms
);
if
(
request
&
~
perms
->
allow
)
e
=
-
EACCES
;
return
aa_audit_file
(
profile
,
perms
,
op
,
request
,
name
,
NULL
,
NULL
,
cond
->
uid
,
NULL
,
e
);
}
static
int
profile_path_perm
(
const
char
*
op
,
struct
aa_profile
*
profile
,
const
struct
path
*
path
,
char
*
buffer
,
u32
request
,
struct
path_cond
*
cond
,
int
flags
,
struct
aa_perms
*
perms
)
{
const
char
*
name
;
int
error
;
if
(
profile_unconfined
(
profile
))
return
0
;
error
=
path_name
(
op
,
&
profile
->
label
,
path
,
flags
|
profile
->
path_flags
,
buffer
,
&
name
,
cond
,
request
);
if
(
error
)
return
error
;
return
__aa_path_perm
(
op
,
profile
,
name
,
request
,
cond
,
flags
,
perms
);
}
}
/**
/**
* aa_path_perm - do permissions check & audit for @path
* aa_path_perm - do permissions check & audit for @path
* @op: operation being checked
* @op: operation being checked
* @
profile
: profile being enforced (NOT NULL)
* @
label
: profile being enforced (NOT NULL)
* @path: path to check permissions of (NOT NULL)
* @path: path to check permissions of (NOT NULL)
* @flags: any additional path flags beyond what the profile specifies
* @flags: any additional path flags beyond what the profile specifies
* @request: requested permissions
* @request: requested permissions
...
@@ -273,36 +329,22 @@ static inline bool is_deleted(struct dentry *dentry)
...
@@ -273,36 +329,22 @@ static inline bool is_deleted(struct dentry *dentry)
*
*
* Returns: %0 else error if access denied or other error
* Returns: %0 else error if access denied or other error
*/
*/
int
aa_path_perm
(
const
char
*
op
,
struct
aa_
profile
*
profile
,
int
aa_path_perm
(
const
char
*
op
,
struct
aa_
label
*
label
,
const
struct
path
*
path
,
int
flags
,
u32
request
,
const
struct
path
*
path
,
int
flags
,
u32
request
,
struct
path_cond
*
cond
)
struct
path_cond
*
cond
)
{
{
char
*
buffer
=
NULL
;
struct
aa_perms
perms
=
{};
struct
aa_perms
perms
=
{};
const
char
*
name
,
*
info
=
NULL
;
struct
aa_profile
*
profile
;
char
*
buffer
=
NULL
;
int
error
;
int
error
;
flags
|=
profile
->
path_flags
|
(
S_ISDIR
(
cond
->
mode
)
?
PATH_IS_DIR
:
0
);
flags
|=
PATH_DELEGATE_DELETED
|
(
S_ISDIR
(
cond
->
mode
)
?
PATH_IS_DIR
:
0
);
get_buffers
(
buffer
);
get_buffers
(
buffer
);
error
=
aa_path_name
(
path
,
flags
,
buffer
,
&
name
,
&
info
,
error
=
fn_for_each_confined
(
label
,
profile
,
profile
->
disconnected
);
profile_path_perm
(
op
,
profile
,
path
,
buffer
,
request
,
if
(
error
)
{
cond
,
flags
,
&
perms
));
if
(
error
==
-
ENOENT
&&
is_deleted
(
path
->
dentry
))
{
/* Access to open files that are deleted are
* give a pass (implicit delegation)
*/
error
=
0
;
info
=
NULL
;
perms
.
allow
=
request
;
}
}
else
{
aa_str_perms
(
profile
->
file
.
dfa
,
profile
->
file
.
start
,
name
,
cond
,
&
perms
);
if
(
request
&
~
perms
.
allow
)
error
=
-
EACCES
;
}
error
=
aa_audit_file
(
profile
,
&
perms
,
op
,
request
,
name
,
NULL
,
NULL
,
cond
->
uid
,
info
,
error
);
put_buffers
(
buffer
);
put_buffers
(
buffer
);
return
error
;
return
error
;
...
@@ -482,7 +524,7 @@ int aa_file_perm(const char *op, struct aa_label *label, struct file *file,
...
@@ -482,7 +524,7 @@ int aa_file_perm(const char *op, struct aa_label *label, struct file *file,
/* TODO: label cross check */
/* TODO: label cross check */
if
(
file
->
f_path
.
mnt
&&
path_mediated_fs
(
file
->
f_path
.
dentry
))
if
(
file
->
f_path
.
mnt
&&
path_mediated_fs
(
file
->
f_path
.
dentry
))
error
=
aa_path_perm
(
op
,
label
s_profile
(
label
)
,
&
file
->
f_path
,
error
=
aa_path_perm
(
op
,
label
,
&
file
->
f_path
,
PATH_DELEGATE_DELETED
,
request
,
&
cond
);
PATH_DELEGATE_DELETED
,
request
,
&
cond
);
done:
done:
...
...
security/apparmor/include/file.h
浏览文件 @
aebd873e
...
@@ -190,7 +190,10 @@ unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
...
@@ -190,7 +190,10 @@ unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
const
char
*
name
,
struct
path_cond
*
cond
,
const
char
*
name
,
struct
path_cond
*
cond
,
struct
aa_perms
*
perms
);
struct
aa_perms
*
perms
);
int
aa_path_perm
(
const
char
*
op
,
struct
aa_profile
*
profile
,
int
__aa_path_perm
(
const
char
*
op
,
struct
aa_profile
*
profile
,
const
char
*
name
,
u32
request
,
struct
path_cond
*
cond
,
int
flags
,
struct
aa_perms
*
perms
);
int
aa_path_perm
(
const
char
*
op
,
struct
aa_label
*
label
,
const
struct
path
*
path
,
int
flags
,
u32
request
,
const
struct
path
*
path
,
int
flags
,
u32
request
,
struct
path_cond
*
cond
);
struct
path_cond
*
cond
);
...
...
security/apparmor/lsm.c
浏览文件 @
aebd873e
...
@@ -196,8 +196,7 @@ static int common_perm(const char *op, const struct path *path, u32 mask,
...
@@ -196,8 +196,7 @@ static int common_perm(const char *op, const struct path *path, u32 mask,
label
=
__begin_current_label_crit_section
();
label
=
__begin_current_label_crit_section
();
if
(
!
unconfined
(
label
))
if
(
!
unconfined
(
label
))
error
=
aa_path_perm
(
op
,
labels_profile
(
label
),
path
,
0
,
mask
,
error
=
aa_path_perm
(
op
,
label
,
path
,
0
,
mask
,
cond
);
cond
);
__end_current_label_crit_section
(
label
);
__end_current_label_crit_section
(
label
);
return
error
;
return
error
;
...
@@ -359,15 +358,12 @@ static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_d
...
@@ -359,15 +358,12 @@ static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_d
d_backing_inode
(
old_dentry
)
->
i_mode
d_backing_inode
(
old_dentry
)
->
i_mode
};
};
error
=
aa_path_perm
(
OP_RENAME_SRC
,
labels_profile
(
label
),
error
=
aa_path_perm
(
OP_RENAME_SRC
,
label
,
&
old_path
,
0
,
&
old_path
,
0
,
MAY_READ
|
AA_MAY_GETATTR
|
MAY_WRITE
|
MAY_READ
|
AA_MAY_GETATTR
|
MAY_WRITE
|
AA_MAY_SETATTR
|
AA_MAY_DELETE
,
AA_MAY_SETATTR
|
AA_MAY_DELETE
,
&
cond
);
&
cond
);
if
(
!
error
)
if
(
!
error
)
error
=
aa_path_perm
(
OP_RENAME_DEST
,
error
=
aa_path_perm
(
OP_RENAME_DEST
,
label
,
&
new_path
,
labels_profile
(
label
),
&
new_path
,
0
,
MAY_WRITE
|
AA_MAY_SETATTR
|
0
,
MAY_WRITE
|
AA_MAY_SETATTR
|
AA_MAY_CREATE
,
&
cond
);
AA_MAY_CREATE
,
&
cond
);
...
@@ -416,8 +412,7 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
...
@@ -416,8 +412,7 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
struct
inode
*
inode
=
file_inode
(
file
);
struct
inode
*
inode
=
file_inode
(
file
);
struct
path_cond
cond
=
{
inode
->
i_uid
,
inode
->
i_mode
};
struct
path_cond
cond
=
{
inode
->
i_uid
,
inode
->
i_mode
};
error
=
aa_path_perm
(
OP_OPEN
,
labels_profile
(
label
),
error
=
aa_path_perm
(
OP_OPEN
,
label
,
&
file
->
f_path
,
0
,
&
file
->
f_path
,
0
,
aa_map_file_to_perms
(
file
),
&
cond
);
aa_map_file_to_perms
(
file
),
&
cond
);
/* todo cache full allowed permissions set and state */
/* todo cache full allowed permissions set and state */
fctx
->
allow
=
aa_map_file_to_perms
(
file
);
fctx
->
allow
=
aa_map_file_to_perms
(
file
);
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录