Commit 38305a4b, authored by John Johansen

AppArmor: fix mapping of META_READ to audit and quiet flags

The mapping of AA_MAY_META_READ for the allow mask was also being mapped
to the audit and quiet masks. This would result in some operations being
audited when they should not.

This flaw was hidden by the previous audit bug which would drop some
messages that were supposed to be audited.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Parent 8b964eae
...@@ -173,8 +173,6 @@ static u32 map_old_perms(u32 old) ...@@ -173,8 +173,6 @@ static u32 map_old_perms(u32 old)
if (old & 0x40) /* AA_EXEC_MMAP */ if (old & 0x40) /* AA_EXEC_MMAP */
new |= AA_EXEC_MMAP; new |= AA_EXEC_MMAP;
new |= AA_MAY_META_READ;
return new; return new;
} }
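Review bot: map_old_perms() is left with nothing saying that AA_MAY_META_READ is deliberately not set here, so the line removed just before `return new;` could easily be reintroduced later. The helper also feeds the quiet mask (see `perms.quiet = map_old_perms(dfa_other_quiet(dfa, state));` in the next hunk), so a short comment above the function stating that it must only translate bits present in `old`, and that implicit grants belong in the caller on the allow mask alone, would document the invariant this fix depends on.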
...@@ -212,6 +210,7 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state, ...@@ -212,6 +210,7 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
perms.quiet = map_old_perms(dfa_other_quiet(dfa, state)); perms.quiet = map_old_perms(dfa_other_quiet(dfa, state));
perms.xindex = dfa_other_xindex(dfa, state); perms.xindex = dfa_other_xindex(dfa, state);
} }
perms.allow |= AA_MAY_META_READ;
/* change_profile wasn't determined by ownership in old mapping */ /* change_profile wasn't determined by ownership in old mapping */
if (ACCEPT_TABLE(dfa)[state] & 0x80000000) if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
......
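Review bot: the added `perms.allow |= AA_MAY_META_READ;` in compute_perms() is unconditional and carries no comment, while the change_profile special case directly below it does. Please add a one-line comment saying that the old mapping always grants META_READ and that it is applied to allow only, never to audit or quiet, so the reason for placing it after the ownership if/else rather than inside map_old_perms() stays visible in the code and not just in the commit message.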