提交
a6f23300
编写于
1月 16, 2017
作者:
John Johansen
apparmor: allow specifying the profile doing the management
Signed-off-by:
John Johansen
<
john.johansen@canonical.com
>
上级
3e3e5695
变更
1
Showing
1 changed file
with
21 addition
and
11 deletion
+21
-11
security/apparmor/policy.c
security/apparmor/policy.c
+21
-11
security/apparmor/policy.c
...
@@ -582,6 +582,7 @@ static int replacement_allowed(struct aa_profile *profile, int noreplace,
...
@@ -582,6 +582,7 @@ static int replacement_allowed(struct aa_profile *profile, int noreplace,
/**
/**
* aa_audit_policy - Do auditing of policy changes
* aa_audit_policy - Do auditing of policy changes
* @profile: profile to check if it can manage policy
* @op: policy operation being performed
* @op: policy operation being performed
* @gfp: memory allocation flags
* @gfp: memory allocation flags
* @name: name of profile being manipulated (NOT NULL)
* @name: name of profile being manipulated (NOT NULL)
...
@@ -590,8 +591,8 @@ static int replacement_allowed(struct aa_profile *profile, int noreplace,
...
@@ -590,8 +591,8 @@ static int replacement_allowed(struct aa_profile *profile, int noreplace,
*
*
* Returns: the error to be returned after audit is done
* Returns: the error to be returned after audit is done
*/
*/
static
int
audit_policy
(
int
op
,
gfp_t
gfp
,
const
char
*
name
,
const
char
*
info
,
static
int
audit_policy
(
struct
aa_profile
*
profile
,
int
op
,
gfp_t
gfp
,
int
error
)
const
char
*
name
,
const
char
*
info
,
int
error
)
{
{
struct
common_audit_data
sa
;
struct
common_audit_data
sa
;
struct
apparmor_audit_data
aad
=
{
0
,};
struct
apparmor_audit_data
aad
=
{
0
,};
...
@@ -602,7 +603,7 @@ static int audit_policy(int op, gfp_t gfp, const char *name, const char *info,
...
@@ -602,7 +603,7 @@ static int audit_policy(int op, gfp_t gfp, const char *name, const char *info,
aad
.
info
=
info
;
aad
.
info
=
info
;
aad
.
error
=
error
;
aad
.
error
=
error
;
return
aa_audit
(
AUDIT_APPARMOR_STATUS
,
__aa_current_profile
()
,
gfp
,
return
aa_audit
(
AUDIT_APPARMOR_STATUS
,
profile
,
gfp
,
&
sa
,
NULL
);
&
sa
,
NULL
);
}
}
...
@@ -632,12 +633,14 @@ bool aa_may_manage_policy(int op)
...
@@ -632,12 +633,14 @@ bool aa_may_manage_policy(int op)
{
{
/* check if loading policy is locked out */
/* check if loading policy is locked out */
if
(
aa_g_lock_policy
)
{
if
(
aa_g_lock_policy
)
{
audit_policy
(
op
,
GFP_KERNEL
,
NULL
,
"policy_locked"
,
-
EACCES
);
audit_policy
(
__aa_current_profile
(),
op
,
GFP_KERNEL
,
NULL
,
"policy_locked"
,
-
EACCES
);
return
0
;
return
0
;
}
}
if
(
!
policy_admin_capable
())
{
if
(
!
policy_admin_capable
())
{
audit_policy
(
op
,
GFP_KERNEL
,
NULL
,
"not policy admin"
,
-
EACCES
);
audit_policy
(
__aa_current_profile
(),
op
,
GFP_KERNEL
,
NULL
,
"not policy admin"
,
-
EACCES
);
return
0
;
return
0
;
}
}
...
@@ -762,6 +765,7 @@ static int __lookup_replace(struct aa_ns *ns, const char *hname,
...
@@ -762,6 +765,7 @@ static int __lookup_replace(struct aa_ns *ns, const char *hname,
/**
/**
* aa_replace_profiles - replace profile(s) on the profile list
* aa_replace_profiles - replace profile(s) on the profile list
* @view: namespace load is viewed from
* @view: namespace load is viewed from
* @profile: profile that is attempting to load/replace policy
* @udata: serialized data stream (NOT NULL)
* @udata: serialized data stream (NOT NULL)
* @size: size of the serialized data stream
* @size: size of the serialized data stream
* @noreplace: true if only doing addition, no replacement allowed
* @noreplace: true if only doing addition, no replacement allowed
...
@@ -790,7 +794,8 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
...
@@ -790,7 +794,8 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
/* released below */
/* released below */
ns
=
aa_prepare_ns
(
view
,
ns_name
);
ns
=
aa_prepare_ns
(
view
,
ns_name
);
if
(
!
ns
)
{
if
(
!
ns
)
{
error
=
audit_policy
(
op
,
GFP_KERNEL
,
ns_name
,
error
=
audit_policy
(
__aa_current_profile
(),
op
,
GFP_KERNEL
,
ns_name
,
"failed to prepare namespace"
,
-
ENOMEM
);
"failed to prepare namespace"
,
-
ENOMEM
);
goto
free
;
goto
free
;
}
}
...
@@ -867,7 +872,8 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
...
@@ -867,7 +872,8 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
list_del_init
(
&
ent
->
list
);
list_del_init
(
&
ent
->
list
);
op
=
(
!
ent
->
old
&&
!
ent
->
rename
)
?
OP_PROF_LOAD
:
OP_PROF_REPL
;
op
=
(
!
ent
->
old
&&
!
ent
->
rename
)
?
OP_PROF_LOAD
:
OP_PROF_REPL
;
audit_policy
(
op
,
GFP_ATOMIC
,
ent
->
new
->
base
.
hname
,
NULL
,
error
);
audit_policy
(
__aa_current_profile
(),
op
,
GFP_ATOMIC
,
ent
->
new
->
base
.
hname
,
NULL
,
error
);
if
(
ent
->
old
)
{
if
(
ent
->
old
)
{
__replace_profile
(
ent
->
old
,
ent
->
new
,
1
);
__replace_profile
(
ent
->
old
,
ent
->
new
,
1
);
...
@@ -921,7 +927,8 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
...
@@ -921,7 +927,8 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
/* audit cause of failure */
/* audit cause of failure */
op
=
(
!
ent
->
old
)
?
OP_PROF_LOAD
:
OP_PROF_REPL
;
op
=
(
!
ent
->
old
)
?
OP_PROF_LOAD
:
OP_PROF_REPL
;
audit_policy
(
op
,
GFP_KERNEL
,
ent
->
new
->
base
.
hname
,
info
,
error
);
audit_policy
(
__aa_current_profile
(),
op
,
GFP_KERNEL
,
ent
->
new
->
base
.
hname
,
info
,
error
);
/* audit status that rest of profiles in the atomic set failed too */
/* audit status that rest of profiles in the atomic set failed too */
info
=
"valid profile in failed atomic policy load"
;
info
=
"valid profile in failed atomic policy load"
;
list_for_each_entry
(
tmp
,
&
lh
,
list
)
{
list_for_each_entry
(
tmp
,
&
lh
,
list
)
{
...
@@ -931,7 +938,8 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
...
@@ -931,7 +938,8 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
continue
;
continue
;
}
}
op
=
(
!
ent
->
old
)
?
OP_PROF_LOAD
:
OP_PROF_REPL
;
op
=
(
!
ent
->
old
)
?
OP_PROF_LOAD
:
OP_PROF_REPL
;
audit_policy
(
op
,
GFP_KERNEL
,
tmp
->
new
->
base
.
hname
,
info
,
error
);
audit_policy
(
__aa_current_profile
(),
op
,
GFP_KERNEL
,
tmp
->
new
->
base
.
hname
,
info
,
error
);
}
}
free:
free:
list_for_each_entry_safe
(
ent
,
tmp
,
&
lh
,
list
)
{
list_for_each_entry_safe
(
ent
,
tmp
,
&
lh
,
list
)
{
...
@@ -1004,7 +1012,8 @@ ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size)
...
@@ -1004,7 +1012,8 @@ ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size)
}
}
/* don't fail removal if audit fails */
/* don't fail removal if audit fails */
(
void
)
audit_policy
(
OP_PROF_RM
,
GFP_KERNEL
,
name
,
info
,
error
);
(
void
)
audit_policy
(
__aa_current_profile
(),
OP_PROF_RM
,
GFP_KERNEL
,
name
,
info
,
error
);
aa_put_ns
(
ns
);
aa_put_ns
(
ns
);
aa_put_profile
(
profile
);
aa_put_profile
(
profile
);
return
size
;
return
size
;
...
@@ -1014,6 +1023,7 @@ ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size)
...
@@ -1014,6 +1023,7 @@ ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size)
aa_put_ns
(
ns
);
aa_put_ns
(
ns
);
fail:
fail:
(
void
)
audit_policy
(
OP_PROF_RM
,
GFP_KERNEL
,
name
,
info
,
error
);
(
void
)
audit_policy
(
__aa_current_profile
(),
OP_PROF_RM
,
GFP_KERNEL
,
name
,
info
,
error
);
return
error
;
return
error
;
}
}
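Review bot: The kernel-doc line added to aa_replace_profiles, `@profile: profile that is attempting to load/replace policy`, documents a parameter the function does not have: the signature visible in the hunk headers is `ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size, ...` (cut in this view), and every audit_policy call inside the body still derives the manager from `__aa_current_profile()`, so kernel-doc will warn about an undocumented/nonexistent parameter and a reader is led to expect a caller-supplied profile that is not there. Either drop that line until the parameter is actually threaded through, or reword it to describe what this commit does, e.g. `* Note: the managing profile is taken from the current task via __aa_current_profile()`. In the same spirit, the audit_policy kernel-doc this hunk edits still opens with `* aa_audit_policy - Do auditing of policy changes` although the function is the static `audit_policy`; since the block is being touched to add `@profile`, change the header to `* audit_policy - Do auditing of policy changes` so it matches the definition. Both aa_replace_profiles and aa_remove_profiles begin and end outside the hunks shown here.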