e00b02bb
编写于
6月 09, 2017
作者:
J
John Johansen
apparmor: move change_profile mediation to using labels
Signed-off-by:
N
John Johansen
<
john.johansen@canonical.com
>
上级
89dbf196
变更
1
Showing
1 changed file
with
123 addition
and
68 deletion
+123
-68
security/apparmor/domain.c
security/apparmor/domain.c
+123
-68
security/apparmor/domain.c
@@ -301,26 +301,6 @@ static int change_profile_perms(struct aa_profile *profile,
return
label_match
(
profile
,
target
,
stack
,
start
,
true
,
request
,
perms
);
}
static
struct
aa_perms
change_profile_perms_wrapper
(
struct
aa_profile
*
profile
,
struct
aa_profile
*
target
,
u32
request
,
unsigned
int
start
)
{
struct
aa_perms
perms
;
if
(
profile_unconfined
(
profile
))
{
perms
.
allow
=
AA_MAY_CHANGE_PROFILE
|
AA_MAY_ONEXEC
;
perms
.
audit
=
perms
.
quiet
=
perms
.
kill
=
0
;
return
perms
;
}
if
(
change_profile_perms
(
profile
,
&
target
->
label
,
false
,
request
,
start
,
&
perms
))
return
nullperms
;
return
perms
;
}
/**
* __attach_match_ - find an attachment match
* @name - to match against (NOT NULL)
@@ -1140,6 +1120,39 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
}
static
int
change_profile_perms_wrapper
(
const
char
*
op
,
const
char
*
name
,
struct
aa_profile
*
profile
,
struct
aa_label
*
target
,
bool
stack
,
u32
request
,
struct
aa_perms
*
perms
)
{
const
char
*
info
=
NULL
;
int
error
=
0
;
/*
* Fail explicitly requested domain transitions when no_new_privs
* and not unconfined OR the transition results in a stack on
* the current label.
* Stacking domain transitions and transitions from unconfined are
* allowed even when no_new_privs is set because this aways results
* in a reduction of permissions.
*/
if
(
task_no_new_privs
(
current
)
&&
!
stack
&&
!
profile_unconfined
(
profile
)
&&
!
aa_label_is_subset
(
target
,
&
profile
->
label
))
{
info
=
"no new privs"
;
error
=
-
EPERM
;
}
if
(
!
error
)
error
=
change_profile_perms
(
profile
,
target
,
stack
,
request
,
profile
->
file
.
start
,
perms
);
if
(
error
)
error
=
aa_audit_file
(
profile
,
perms
,
op
,
request
,
name
,
NULL
,
target
,
GLOBAL_ROOT_UID
,
info
,
error
);
return
error
;
}
/**
* aa_change_profile - perform a one-way profile transition
@@ -1157,12 +1170,14 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
*/
int
aa_change_profile
(
const
char
*
fqname
,
int
flags
)
{
const
struct
cred
*
cred
;
struct
aa_label
*
label
;
struct
aa_profile
*
profile
,
*
target
=
NULL
;
struct
aa_label
*
label
,
*
new
=
NULL
,
*
target
=
NULL
;
struct
aa_profile
*
profile
;
struct
aa_perms
perms
=
{};
const
char
*
info
=
NULL
,
*
op
;
const
char
*
info
=
NULL
;
const
char
*
auditname
=
fqname
;
/* retain leading & if stack */
bool
stack
=
flags
&
AA_CHANGE_STACK
;
int
error
=
0
;
char
*
op
;
u32
request
;
if
(
!
fqname
||
!*
fqname
)
{
@@ -1172,76 +1187,116 @@ int aa_change_profile(const char *fqname, int flags)
if
(
flags
&
AA_CHANGE_ONEXEC
)
{
request
=
AA_MAY_ONEXEC
;
op
=
OP_CHANGE_ONEXEC
;
if
(
stack
)
op
=
OP_STACK_ONEXEC
;
else
op
=
OP_CHANGE_ONEXEC
;
}
else
{
request
=
AA_MAY_CHANGE_PROFILE
;
op
=
OP_CHANGE_PROFILE
;
if
(
stack
)
op
=
OP_STACK
;
else
op
=
OP_CHANGE_PROFILE
;
}
cred
=
get_current_cred
();
label
=
aa_get_newest_cred_label
(
cred
);
profile
=
labels_profile
(
label
);
label
=
aa_get_current_label
();
/*
* Fail explicitly requested domain transitions if no_new_privs
* and not unconfined.
* Domain transitions from unconfined are allowed even when
* no_new_privs is set because this aways results in a reduction
* of permissions.
*/
if
(
task_no_new_privs
(
current
)
&&
!
profile_unconfined
(
profile
))
{
put_cred
(
cred
);
return
-
EPERM
;
if
(
*
fqname
==
'&'
)
{
stack
=
true
;
/* don't have label_parse() do stacking */
fqname
++
;
}
target
=
aa_label_parse
(
label
,
fqname
,
GFP_KERNEL
,
true
,
false
);
if
(
IS_ERR
(
target
))
{
struct
aa_profile
*
tprofile
;
target
=
aa_fqlookupn_profile
(
label
,
fqname
,
strlen
(
fqname
));
if
(
!
target
)
{
info
=
"profile not found"
;
error
=
-
ENOENT
;
info
=
"label not found"
;
error
=
PTR_ERR
(
target
);
target
=
NULL
;
/*
* TODO: fixme using labels_profile is not right - do profile
* per complain profile
*/
if
((
flags
&
AA_CHANGE_TEST
)
||
!
COMPLAIN_MODE
(
profile
))
!
COMPLAIN_MODE
(
labels_profile
(
label
)
))
goto
audit
;
/* released below */
t
arget
=
aa_new_null_profile
(
profile
,
false
,
fqnam
e
,
GFP_KERNEL
);
if
(
!
t
arget
)
{
t
profile
=
aa_new_null_profile
(
labels_profile
(
label
),
fals
e
,
fqname
,
GFP_KERNEL
);
if
(
!
t
profile
)
{
info
=
"failed null profile create"
;
error
=
-
ENOMEM
;
goto
audit
;
}
target
=
&
tprofile
->
label
;
goto
check
;
}
perms
=
change_profile_perms_wrapper
(
profile
,
target
,
request
,
profile
->
file
.
start
);
if
(
!
(
perms
.
allow
&
request
))
{
error
=
-
EACCES
;
goto
audit
;
}
/*
* self directed transitions only apply to current policy ns
* TODO: currently requiring perms for stacking and straight change
* stacking doesn't strictly need this. Determine how much
* we want to loosen this restriction for stacking
*
* if (!stack) {
*/
error
=
fn_for_each_in_ns
(
label
,
profile
,
change_profile_perms_wrapper
(
op
,
auditname
,
profile
,
target
,
stack
,
request
,
&
perms
));
if
(
error
)
/* auditing done in change_profile_perms_wrapper */
goto
out
;
/* } */
check:
/* check if tracing task is allowed to trace target domain */
error
=
may_change_ptraced_domain
(
&
target
->
label
,
&
info
);
if
(
error
)
{
info
=
"ptrace prevents transition"
;
error
=
may_change_ptraced_domain
(
target
,
&
info
);
if
(
error
&&
!
fn_for_each_in_ns
(
label
,
profile
,
COMPLAIN_MODE
(
profile
)))
goto
audit
;
}
/* TODO: add permission check to allow this
* if ((flags & AA_CHANGE_ONEXEC) && !current_is_single_threaded()) {
* info = "not a single threaded task";
* error = -EACCES;
* goto audit;
* }
*/
if
(
flags
&
AA_CHANGE_TEST
)
goto
audi
t
;
goto
ou
t
;
if
(
flags
&
AA_CHANGE_ONEXEC
)
error
=
aa_set_current_onexec
(
&
target
->
label
,
0
);
else
error
=
aa_replace_current_label
(
&
target
->
label
);
if
(
!
(
flags
&
AA_CHANGE_ONEXEC
))
{
/* only transition profiles in the current ns */
if
(
stack
)
new
=
aa_label_merge
(
label
,
target
,
GFP_KERNEL
);
else
new
=
fn_label_build_in_ns
(
label
,
profile
,
GFP_KERNEL
,
aa_get_label
(
target
),
aa_get_label
(
&
profile
->
label
));
if
(
IS_ERR_OR_NULL
(
new
))
{
info
=
"failed to build target label"
;
error
=
PTR_ERR
(
new
);
new
=
NULL
;
perms
.
allow
=
0
;
goto
audit
;
}
error
=
aa_replace_current_label
(
new
);
}
else
/* full transition will be built in exec path */
error
=
aa_set_current_onexec
(
target
,
stack
);
audit:
if
(
!
(
flags
&
AA_CHANGE_TEST
))
error
=
aa_audit_file
(
profile
,
&
perms
,
op
,
request
,
NULL
,
fqname
,
NULL
,
GLOBAL_ROOT_UID
,
info
,
error
);
error
=
fn_for_each_in_ns
(
label
,
profile
,
aa_audit_file
(
profile
,
&
perms
,
op
,
request
,
auditname
,
NULL
,
new
?
new
:
target
,
GLOBAL_ROOT_UID
,
info
,
error
)
);
aa_put_profile
(
target
);
out:
aa_put_label
(
new
);
aa_put_label
(
target
);
aa_put_label
(
label
);
put_cred
(
cred
);
return
error
;
}
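Review bot: In the new `IS_ERR_OR_NULL(new)` branch of aa_change_profile (the label-build failure path in the last hunk), `error = PTR_ERR(new)` evaluates to 0 whenever `new` is NULL rather than an ERR_PTR, so if `aa_label_merge()` or `fn_label_build_in_ns()` returns NULL the code jumps to `audit:` with error 0, the record is emitted as a permitted transition, and the function returns success without `aa_replace_current_label()` ever having run. Distinguish the two cases before clearing the pointer: `if (!new) error = -ENOMEM; else error = PTR_ERR(new);`. Separately, the new `change_profile_perms_wrapper()` in the second hunk has no kernel-doc header; a short comment stating that it returns 0 on success or a negative errno after auditing, and that `*perms` is not written when the no_new_privs check fails (change_profile_perms is skipped in that case), would make the caller's `perms = {}` initialisation requirement explicit.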