55a26ebf
编写于
1月 16, 2017
作者:
J
John Johansen
apparmor: rename context abreviation cxt to the more standard ctx
Signed-off-by:
N
John Johansen
<
john.johansen@canonical.com
>
上级
a20aa95f
变更
5
隐藏空白更改
内联
并排
Showing
5 changed file
with
150 addition
and
144 deletion
+150
-144
security/apparmor/context.c
security/apparmor/context.c
+51
-49
security/apparmor/domain.c
security/apparmor/domain.c
+21
-21
security/apparmor/include/context.h
security/apparmor/include/context.h
+40
-38
security/apparmor/lsm.c
security/apparmor/lsm.c
+37
-35
security/apparmor/policy.c
security/apparmor/policy.c
+1
-1
security/apparmor/context.c
...
@@ -13,11 +13,11 @@
...
@@ -13,11 +13,11 @@
* License.
* License.
*
*
*
*
* AppArmor sets confinement on every task, via the the aa_task_c
xt
and
* AppArmor sets confinement on every task, via the the aa_task_c
tx
and
* the aa_task_c
xt
.profile, both of which are required and are not allowed
* the aa_task_c
tx
.profile, both of which are required and are not allowed
* to be NULL. The aa_task_c
xt
is not reference counted and is unique
* to be NULL. The aa_task_c
tx
is not reference counted and is unique
* to each cred (which is reference count). The profile pointed to by
* to each cred (which is reference count). The profile pointed to by
* the task_c
xt
is reference counted.
* the task_c
tx
is reference counted.
*
*
* TODO
* TODO
* If a task uses change_hat it currently does not return to the old
* If a task uses change_hat it currently does not return to the old
...
@@ -30,28 +30,28 @@
...
@@ -30,28 +30,28 @@
#include "include/policy.h"
#include "include/policy.h"
/**
/**
* aa_alloc_task_context - allocate a new task_c
xt
* aa_alloc_task_context - allocate a new task_c
tx
* @flags: gfp flags for allocation
* @flags: gfp flags for allocation
*
*
* Returns: allocated buffer or NULL on failure
* Returns: allocated buffer or NULL on failure
*/
*/
struct
aa_task_c
xt
*
aa_alloc_task_context
(
gfp_t
flags
)
struct
aa_task_c
tx
*
aa_alloc_task_context
(
gfp_t
flags
)
{
{
return
kzalloc
(
sizeof
(
struct
aa_task_c
xt
),
flags
);
return
kzalloc
(
sizeof
(
struct
aa_task_c
tx
),
flags
);
}
}
/**
/**
* aa_free_task_context - free a task_c
xt
* aa_free_task_context - free a task_c
tx
* @c
xt: task_cxt
to free (MAYBE NULL)
* @c
tx: task_ctx
to free (MAYBE NULL)
*/
*/
void
aa_free_task_context
(
struct
aa_task_c
xt
*
cxt
)
void
aa_free_task_context
(
struct
aa_task_c
tx
*
ctx
)
{
{
if
(
c
xt
)
{
if
(
c
tx
)
{
aa_put_profile
(
c
xt
->
profile
);
aa_put_profile
(
c
tx
->
profile
);
aa_put_profile
(
c
xt
->
previous
);
aa_put_profile
(
c
tx
->
previous
);
aa_put_profile
(
c
xt
->
onexec
);
aa_put_profile
(
c
tx
->
onexec
);
kzfree
(
c
xt
);
kzfree
(
c
tx
);
}
}
}
}
...
@@ -60,7 +60,7 @@ void aa_free_task_context(struct aa_task_cxt *cxt)
...
@@ -60,7 +60,7 @@ void aa_free_task_context(struct aa_task_cxt *cxt)
* @new: a blank task context (NOT NULL)
* @new: a blank task context (NOT NULL)
* @old: the task context to copy (NOT NULL)
* @old: the task context to copy (NOT NULL)
*/
*/
void
aa_dup_task_context
(
struct
aa_task_c
xt
*
new
,
const
struct
aa_task_cxt
*
old
)
void
aa_dup_task_context
(
struct
aa_task_c
tx
*
new
,
const
struct
aa_task_ctx
*
old
)
{
{
*
new
=
*
old
;
*
new
=
*
old
;
aa_get_profile
(
new
->
profile
);
aa_get_profile
(
new
->
profile
);
...
@@ -93,11 +93,11 @@ struct aa_profile *aa_get_task_profile(struct task_struct *task)
...
@@ -93,11 +93,11 @@ struct aa_profile *aa_get_task_profile(struct task_struct *task)
*/
*/
int
aa_replace_current_profile
(
struct
aa_profile
*
profile
)
int
aa_replace_current_profile
(
struct
aa_profile
*
profile
)
{
{
struct
aa_task_c
xt
*
cxt
=
current_cxt
();
struct
aa_task_c
tx
*
ctx
=
current_ctx
();
struct
cred
*
new
;
struct
cred
*
new
;
BUG_ON
(
!
profile
);
BUG_ON
(
!
profile
);
if
(
c
xt
->
profile
==
profile
)
if
(
c
tx
->
profile
==
profile
)
return
0
;
return
0
;
if
(
current_cred
()
!=
current_real_cred
())
if
(
current_cred
()
!=
current_real_cred
())
...
@@ -107,20 +107,22 @@ int aa_replace_current_profile(struct aa_profile *profile)
...
@@ -107,20 +107,22 @@ int aa_replace_current_profile(struct aa_profile *profile)
if
(
!
new
)
if
(
!
new
)
return
-
ENOMEM
;
return
-
ENOMEM
;
c
xt
=
cred_cxt
(
new
);
c
tx
=
cred_ctx
(
new
);
if
(
unconfined
(
profile
)
||
(
c
xt
->
profile
->
ns
!=
profile
->
ns
))
if
(
unconfined
(
profile
)
||
(
c
tx
->
profile
->
ns
!=
profile
->
ns
))
/* if switching to unconfined or a different profile namespace
/* if switching to unconfined or a different profile namespace
* clear out context state
* clear out context state
*/
*/
aa_clear_task_c
xt_trans
(
cxt
);
aa_clear_task_c
tx_trans
(
ctx
);
/* be careful switching cxt->profile, when racing replacement it
/*
* is possible that cxt->profile->proxy->profile is the reference
* be careful switching ctx->profile, when racing replacement it
* is possible that ctx->profile->proxy->profile is the reference
* keeping @profile valid, so make sure to get its reference before
* keeping @profile valid, so make sure to get its reference before
* dropping the reference on cxt->profile */
* dropping the reference on ctx->profile
*/
aa_get_profile
(
profile
);
aa_get_profile
(
profile
);
aa_put_profile
(
c
xt
->
profile
);
aa_put_profile
(
c
tx
->
profile
);
c
xt
->
profile
=
profile
;
c
tx
->
profile
=
profile
;
commit_creds
(
new
);
commit_creds
(
new
);
return
0
;
return
0
;
...
@@ -134,15 +136,15 @@ int aa_replace_current_profile(struct aa_profile *profile)
...
@@ -134,15 +136,15 @@ int aa_replace_current_profile(struct aa_profile *profile)
*/
*/
int
aa_set_current_onexec
(
struct
aa_profile
*
profile
)
int
aa_set_current_onexec
(
struct
aa_profile
*
profile
)
{
{
struct
aa_task_c
xt
*
cxt
;
struct
aa_task_c
tx
*
ctx
;
struct
cred
*
new
=
prepare_creds
();
struct
cred
*
new
=
prepare_creds
();
if
(
!
new
)
if
(
!
new
)
return
-
ENOMEM
;
return
-
ENOMEM
;
c
xt
=
cred_cxt
(
new
);
c
tx
=
cred_ctx
(
new
);
aa_get_profile
(
profile
);
aa_get_profile
(
profile
);
aa_put_profile
(
c
xt
->
onexec
);
aa_put_profile
(
c
tx
->
onexec
);
c
xt
->
onexec
=
profile
;
c
tx
->
onexec
=
profile
;
commit_creds
(
new
);
commit_creds
(
new
);
return
0
;
return
0
;
...
@@ -160,28 +162,28 @@ int aa_set_current_onexec(struct aa_profile *profile)
...
@@ -160,28 +162,28 @@ int aa_set_current_onexec(struct aa_profile *profile)
*/
*/
int
aa_set_current_hat
(
struct
aa_profile
*
profile
,
u64
token
)
int
aa_set_current_hat
(
struct
aa_profile
*
profile
,
u64
token
)
{
{
struct
aa_task_c
xt
*
cxt
;
struct
aa_task_c
tx
*
ctx
;
struct
cred
*
new
=
prepare_creds
();
struct
cred
*
new
=
prepare_creds
();
if
(
!
new
)
if
(
!
new
)
return
-
ENOMEM
;
return
-
ENOMEM
;
BUG_ON
(
!
profile
);
BUG_ON
(
!
profile
);
c
xt
=
cred_cxt
(
new
);
c
tx
=
cred_ctx
(
new
);
if
(
!
c
xt
->
previous
)
{
if
(
!
c
tx
->
previous
)
{
/* transfer refcount */
/* transfer refcount */
c
xt
->
previous
=
cxt
->
profile
;
c
tx
->
previous
=
ctx
->
profile
;
c
xt
->
token
=
token
;
c
tx
->
token
=
token
;
}
else
if
(
c
xt
->
token
==
token
)
{
}
else
if
(
c
tx
->
token
==
token
)
{
aa_put_profile
(
c
xt
->
profile
);
aa_put_profile
(
c
tx
->
profile
);
}
else
{
}
else
{
/* previous_profile && c
xt
->token != token */
/* previous_profile && c
tx
->token != token */
abort_creds
(
new
);
abort_creds
(
new
);
return
-
EACCES
;
return
-
EACCES
;
}
}
c
xt
->
profile
=
aa_get_newest_profile
(
profile
);
c
tx
->
profile
=
aa_get_newest_profile
(
profile
);
/* clear exec on switching context */
/* clear exec on switching context */
aa_put_profile
(
c
xt
->
onexec
);
aa_put_profile
(
c
tx
->
onexec
);
c
xt
->
onexec
=
NULL
;
c
tx
->
onexec
=
NULL
;
commit_creds
(
new
);
commit_creds
(
new
);
return
0
;
return
0
;
...
@@ -198,27 +200,27 @@ int aa_set_current_hat(struct aa_profile *profile, u64 token)
...
@@ -198,27 +200,27 @@ int aa_set_current_hat(struct aa_profile *profile, u64 token)
*/
*/
int
aa_restore_previous_profile
(
u64
token
)
int
aa_restore_previous_profile
(
u64
token
)
{
{
struct
aa_task_c
xt
*
cxt
;
struct
aa_task_c
tx
*
ctx
;
struct
cred
*
new
=
prepare_creds
();
struct
cred
*
new
=
prepare_creds
();
if
(
!
new
)
if
(
!
new
)
return
-
ENOMEM
;
return
-
ENOMEM
;
c
xt
=
cred_cxt
(
new
);
c
tx
=
cred_ctx
(
new
);
if
(
c
xt
->
token
!=
token
)
{
if
(
c
tx
->
token
!=
token
)
{
abort_creds
(
new
);
abort_creds
(
new
);
return
-
EACCES
;
return
-
EACCES
;
}
}
/* ignore restores when there is no saved profile */
/* ignore restores when there is no saved profile */
if
(
!
c
xt
->
previous
)
{
if
(
!
c
tx
->
previous
)
{
abort_creds
(
new
);
abort_creds
(
new
);
return
0
;
return
0
;
}
}
aa_put_profile
(
c
xt
->
profile
);
aa_put_profile
(
c
tx
->
profile
);
c
xt
->
profile
=
aa_get_newest_profile
(
cxt
->
previous
);
c
tx
->
profile
=
aa_get_newest_profile
(
ctx
->
previous
);
BUG_ON
(
!
cxt
->
profile
);
AA_BUG
(
!
ctx
->
profile
);
/* clear exec && prev information when restoring to previous context */
/* clear exec && prev information when restoring to previous context */
aa_clear_task_c
xt_trans
(
cxt
);
aa_clear_task_c
tx_trans
(
ctx
);
commit_creds
(
new
);
commit_creds
(
new
);
return
0
;
return
0
;
...
...
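Review bot: In aa_restore_previous_profile the `BUG_ON(!ctx->profile)` that stood between the profile swap and `commit_creds(new)` is replaced by `AA_BUG(!ctx->profile)`, but the other assertion sites in this file (`BUG_ON(!profile)` in aa_replace_current_profile and aa_set_current_hat) keep BUG_ON, so the conversion is inconsistent within the rename. AA_BUG's definition is not part of this diff; if it is a warning rather than a halt, a NULL ctx->profile is now committed into the task's creds, which breaks the invariant stated in this file's header that ctx->profile is not allowed to be NULL and would be dereferenced by every later aa_cred_profile() caller. If the assertion is meant to be survivable, the failure path should abort the prepared creds instead of committing them, e.g. `if (!ctx->profile) { abort_creds(new); return -EINVAL; }` placed where the AA_BUG is, and the remaining BUG_ON sites should either follow the same pattern or be left as BUG_ON deliberately with a comment saying why.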
security/apparmor/domain.c
浏览文件 @
55a26ebf
...
@@ -337,7 +337,7 @@ static struct aa_profile *x_to_profile(struct aa_profile *profile,
...
@@ -337,7 +337,7 @@ static struct aa_profile *x_to_profile(struct aa_profile *profile,
*/
*/
int
apparmor_bprm_set_creds
(
struct
linux_binprm
*
bprm
)
int
apparmor_bprm_set_creds
(
struct
linux_binprm
*
bprm
)
{
{
struct
aa_task_c
xt
*
cxt
;
struct
aa_task_c
tx
*
ctx
;
struct
aa_profile
*
profile
,
*
new_profile
=
NULL
;
struct
aa_profile
*
profile
,
*
new_profile
=
NULL
;
struct
aa_ns
*
ns
;
struct
aa_ns
*
ns
;
char
*
buffer
=
NULL
;
char
*
buffer
=
NULL
;
...
@@ -353,10 +353,10 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
...
@@ -353,10 +353,10 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
if
(
bprm
->
cred_prepared
)
if
(
bprm
->
cred_prepared
)
return
0
;
return
0
;
c
xt
=
cred_cxt
(
bprm
->
cred
);
c
tx
=
cred_ctx
(
bprm
->
cred
);
BUG_ON
(
!
cxt
);
AA_BUG
(
!
ctx
);
profile
=
aa_get_newest_profile
(
c
xt
->
profile
);
profile
=
aa_get_newest_profile
(
c
tx
->
profile
);
/*
/*
* get the namespace from the replacement profile as replacement
* get the namespace from the replacement profile as replacement
* can change the namespace
* can change the namespace
...
@@ -380,9 +380,9 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
...
@@ -380,9 +380,9 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
*/
*/
if
(
unconfined
(
profile
))
{
if
(
unconfined
(
profile
))
{
/* unconfined task */
/* unconfined task */
if
(
c
xt
->
onexec
)
if
(
c
tx
->
onexec
)
/* change_profile on exec already been granted */
/* change_profile on exec already been granted */
new_profile
=
aa_get_profile
(
c
xt
->
onexec
);
new_profile
=
aa_get_profile
(
c
tx
->
onexec
);
else
else
new_profile
=
find_attach
(
ns
,
&
ns
->
base
.
profiles
,
name
);
new_profile
=
find_attach
(
ns
,
&
ns
->
base
.
profiles
,
name
);
if
(
!
new_profile
)
if
(
!
new_profile
)
...
@@ -397,10 +397,10 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
...
@@ -397,10 +397,10 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
/* find exec permissions for name */
/* find exec permissions for name */
state
=
aa_str_perms
(
profile
->
file
.
dfa
,
state
,
name
,
&
cond
,
&
perms
);
state
=
aa_str_perms
(
profile
->
file
.
dfa
,
state
,
name
,
&
cond
,
&
perms
);
if
(
c
xt
->
onexec
)
{
if
(
c
tx
->
onexec
)
{
struct
file_perms
cp
;
struct
file_perms
cp
;
info
=
"change_profile onexec"
;
info
=
"change_profile onexec"
;
new_profile
=
aa_get_newest_profile
(
c
xt
->
onexec
);
new_profile
=
aa_get_newest_profile
(
c
tx
->
onexec
);
if
(
!
(
perms
.
allow
&
AA_MAY_ONEXEC
))
if
(
!
(
perms
.
allow
&
AA_MAY_ONEXEC
))
goto
audit
;
goto
audit
;
...
@@ -409,8 +409,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
...
@@ -409,8 +409,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
* exec\0change_profile
* exec\0change_profile
*/
*/
state
=
aa_dfa_null_transition
(
profile
->
file
.
dfa
,
state
);
state
=
aa_dfa_null_transition
(
profile
->
file
.
dfa
,
state
);
cp
=
change_profile_perms
(
profile
,
c
xt
->
onexec
->
ns
,
cp
=
change_profile_perms
(
profile
,
c
tx
->
onexec
->
ns
,
c
xt
->
onexec
->
base
.
name
,
c
tx
->
onexec
->
base
.
name
,
AA_MAY_ONEXEC
,
state
);
AA_MAY_ONEXEC
,
state
);
if
(
!
(
cp
.
allow
&
AA_MAY_ONEXEC
))
if
(
!
(
cp
.
allow
&
AA_MAY_ONEXEC
))
...
@@ -499,13 +499,13 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
...
@@ -499,13 +499,13 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
bprm
->
per_clear
|=
PER_CLEAR_ON_SETID
;
bprm
->
per_clear
|=
PER_CLEAR_ON_SETID
;
x_clear:
x_clear:
aa_put_profile
(
c
xt
->
profile
);
aa_put_profile
(
c
tx
->
profile
);
/* transfer new profile reference will be released when c
xt
is freed */
/* transfer new profile reference will be released when c
tx
is freed */
c
xt
->
profile
=
new_profile
;
c
tx
->
profile
=
new_profile
;
new_profile
=
NULL
;
new_profile
=
NULL
;
/* clear out all temporary/transitional state from the context */
/* clear out all temporary/transitional state from the context */
aa_clear_task_c
xt_trans
(
cxt
);
aa_clear_task_c
tx_trans
(
ctx
);
audit:
audit:
error
=
aa_audit_file
(
profile
,
&
perms
,
GFP_KERNEL
,
OP_EXEC
,
MAY_EXEC
,
error
=
aa_audit_file
(
profile
,
&
perms
,
GFP_KERNEL
,
OP_EXEC
,
MAY_EXEC
,
...
@@ -545,17 +545,17 @@ int apparmor_bprm_secureexec(struct linux_binprm *bprm)
...
@@ -545,17 +545,17 @@ int apparmor_bprm_secureexec(struct linux_binprm *bprm)
void
apparmor_bprm_committing_creds
(
struct
linux_binprm
*
bprm
)
void
apparmor_bprm_committing_creds
(
struct
linux_binprm
*
bprm
)
{
{
struct
aa_profile
*
profile
=
__aa_current_profile
();
struct
aa_profile
*
profile
=
__aa_current_profile
();
struct
aa_task_c
xt
*
new_cxt
=
cred_cxt
(
bprm
->
cred
);
struct
aa_task_c
tx
*
new_ctx
=
cred_ctx
(
bprm
->
cred
);
/* bail out if unconfined or not changing profile */
/* bail out if unconfined or not changing profile */
if
((
new_c
xt
->
profile
==
profile
)
||
if
((
new_c
tx
->
profile
==
profile
)
||
(
unconfined
(
new_c
xt
->
profile
)))
(
unconfined
(
new_c
tx
->
profile
)))
return
;
return
;
current
->
pdeath_signal
=
0
;
current
->
pdeath_signal
=
0
;
/* reset soft limits and set hard limits for the new profile */
/* reset soft limits and set hard limits for the new profile */
__aa_transition_rlimits
(
profile
,
new_c
xt
->
profile
);
__aa_transition_rlimits
(
profile
,
new_c
tx
->
profile
);
}
}
/**
/**
...
@@ -604,7 +604,7 @@ static char *new_compound_name(const char *n1, const char *n2)
...
@@ -604,7 +604,7 @@ static char *new_compound_name(const char *n1, const char *n2)
int
aa_change_hat
(
const
char
*
hats
[],
int
count
,
u64
token
,
bool
permtest
)
int
aa_change_hat
(
const
char
*
hats
[],
int
count
,
u64
token
,
bool
permtest
)
{
{
const
struct
cred
*
cred
;
const
struct
cred
*
cred
;
struct
aa_task_c
xt
*
cxt
;
struct
aa_task_c
tx
*
ctx
;
struct
aa_profile
*
profile
,
*
previous_profile
,
*
hat
=
NULL
;
struct
aa_profile
*
profile
,
*
previous_profile
,
*
hat
=
NULL
;
char
*
name
=
NULL
;
char
*
name
=
NULL
;
int
i
;
int
i
;
...
@@ -622,9 +622,9 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
...
@@ -622,9 +622,9 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
/* released below */
/* released below */
cred
=
get_current_cred
();
cred
=
get_current_cred
();
c
xt
=
cred_cxt
(
cred
);
c
tx
=
cred_ctx
(
cred
);
profile
=
aa_get_newest_profile
(
aa_cred_profile
(
cred
));
profile
=
aa_get_newest_profile
(
aa_cred_profile
(
cred
));
previous_profile
=
aa_get_newest_profile
(
c
xt
->
previous
);
previous_profile
=
aa_get_newest_profile
(
c
tx
->
previous
);
if
(
unconfined
(
profile
))
{
if
(
unconfined
(
profile
))
{
info
=
"unconfined"
;
info
=
"unconfined"
;
...
...
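Review bot: In apparmor_bprm_set_creds the `AA_BUG(!ctx)` that replaces `BUG_ON(!ctx)` is immediately followed by `profile = aa_get_newest_profile(ctx->profile)`; unless AA_BUG halts the way BUG_ON did (its definition is outside this diff), a NULL cred security pointer now reaches that dereference on the exec path instead of stopping at the assertion. If AA_BUG is a WARN-style check, the exec should be failed explicitly, e.g. `if (!ctx) return -EINVAL;` right after the `cred_ctx(bprm->cred)` assignment, so the assertion documents the invariant and the guard enforces it. The body of apparmor_bprm_set_creds continues past the last hunk shown here, so the later uses of ctx were not reviewed.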
security/apparmor/include/context.h
...
@@ -22,43 +22,43 @@
...
@@ -22,43 +22,43 @@
#include "policy.h"
#include "policy.h"
#include "policy_ns.h"
#include "policy_ns.h"
#define cred_c
xt(X) (X)->security
#define cred_c
tx(X) ((X)->security)
#define current_c
xt() cred_cxt
(current_cred())
#define current_c
tx() cred_ctx
(current_cred())
/* struct aa_file_c
xt
- the AppArmor context the file was opened in
/* struct aa_file_c
tx
- the AppArmor context the file was opened in
* @perms: the permission the file was opened with
* @perms: the permission the file was opened with
*
*
* The file_c
xt
could currently be directly stored in file->f_security
* The file_c
tx
could currently be directly stored in file->f_security
* as the profile reference is now stored in the f_cred. However the
* as the profile reference is now stored in the f_cred. However the
* c
xt
struct will expand in the future so we keep the struct.
* c
tx
struct will expand in the future so we keep the struct.
*/
*/
struct
aa_file_c
xt
{
struct
aa_file_c
tx
{
u16
allow
;
u16
allow
;
};
};
/**
/**
* aa_alloc_file_context - allocate file_c
xt
* aa_alloc_file_context - allocate file_c
tx
* @gfp: gfp flags for allocation
* @gfp: gfp flags for allocation
*
*
* Returns: file_c
xt
or NULL on failure
* Returns: file_c
tx
or NULL on failure
*/
*/
static
inline
struct
aa_file_c
xt
*
aa_alloc_file_context
(
gfp_t
gfp
)
static
inline
struct
aa_file_c
tx
*
aa_alloc_file_context
(
gfp_t
gfp
)
{
{
return
kzalloc
(
sizeof
(
struct
aa_file_c
xt
),
gfp
);
return
kzalloc
(
sizeof
(
struct
aa_file_c
tx
),
gfp
);
}
}
/**
/**
* aa_free_file_context - free a file_c
xt
* aa_free_file_context - free a file_c
tx
* @c
xt: file_cxt
to free (MAYBE_NULL)
* @c
tx: file_ctx
to free (MAYBE_NULL)
*/
*/
static
inline
void
aa_free_file_context
(
struct
aa_file_c
xt
*
cxt
)
static
inline
void
aa_free_file_context
(
struct
aa_file_c
tx
*
ctx
)
{
{
if
(
c
xt
)
if
(
c
tx
)
kzfree
(
c
xt
);
kzfree
(
c
tx
);
}
}
/**
/**
* struct aa_task_c
xt
- primary label for confined tasks
* struct aa_task_c
tx
- primary label for confined tasks
* @profile: the current profile (NOT NULL)
* @profile: the current profile (NOT NULL)
* @exec: profile to transition to on next exec (MAYBE NULL)
* @exec: profile to transition to on next exec (MAYBE NULL)
* @previous: profile the task may return to (MAYBE NULL)
* @previous: profile the task may return to (MAYBE NULL)
...
@@ -69,17 +69,17 @@ static inline void aa_free_file_context(struct aa_file_cxt *cxt)
...
@@ -69,17 +69,17 @@ static inline void aa_free_file_context(struct aa_file_cxt *cxt)
*
*
* TODO: make so a task can be confined by a stack of contexts
* TODO: make so a task can be confined by a stack of contexts
*/
*/
struct
aa_task_c
xt
{
struct
aa_task_c
tx
{
struct
aa_profile
*
profile
;
struct
aa_profile
*
profile
;
struct
aa_profile
*
onexec
;
struct
aa_profile
*
onexec
;
struct
aa_profile
*
previous
;
struct
aa_profile
*
previous
;
u64
token
;
u64
token
;
};
};
struct
aa_task_c
xt
*
aa_alloc_task_context
(
gfp_t
flags
);
struct
aa_task_c
tx
*
aa_alloc_task_context
(
gfp_t
flags
);
void
aa_free_task_context
(
struct
aa_task_c
xt
*
cxt
);
void
aa_free_task_context
(
struct
aa_task_c
tx
*
ctx
);
void
aa_dup_task_context
(
struct
aa_task_c
xt
*
new
,
void
aa_dup_task_context
(
struct
aa_task_c
tx
*
new
,
const
struct
aa_task_c
xt
*
old
);
const
struct
aa_task_c
tx
*
old
);
int
aa_replace_current_profile
(
struct
aa_profile
*
profile
);
int
aa_replace_current_profile
(
struct
aa_profile
*
profile
);
int
aa_set_current_onexec
(
struct
aa_profile
*
profile
);
int
aa_set_current_onexec
(
struct
aa_profile
*
profile
);
int
aa_set_current_hat
(
struct
aa_profile
*
profile
,
u64
token
);
int
aa_set_current_hat
(
struct
aa_profile
*
profile
,
u64
token
);
...
@@ -97,9 +97,10 @@ struct aa_profile *aa_get_task_profile(struct task_struct *task);
...
@@ -97,9 +97,10 @@ struct aa_profile *aa_get_task_profile(struct task_struct *task);
*/
*/
static
inline
struct
aa_profile
*
aa_cred_profile
(
const
struct
cred
*
cred
)
static
inline
struct
aa_profile
*
aa_cred_profile
(
const
struct
cred
*
cred
)
{
{
struct
aa_task_cxt
*
cxt
=
cred_cxt
(
cred
);
struct
aa_task_ctx
*
ctx
=
cred_ctx
(
cred
);
BUG_ON
(
!
cxt
||
!
cxt
->
profile
);
return
cxt
->
profile
;
AA_BUG
(
!
ctx
||
!
ctx
->
profile
);
return
ctx
->
profile
;
}
}
/**
/**
...
@@ -149,18 +150,19 @@ static inline struct aa_profile *__aa_current_profile(void)
...
@@ -149,18 +150,19 @@ static inline struct aa_profile *__aa_current_profile(void)
*/
*/
static
inline
struct
aa_profile
*
aa_current_profile
(
void
)
static
inline
struct
aa_profile
*
aa_current_profile
(
void
)
{
{
const
struct
aa_task_c
xt
*
cxt
=
current_cxt
();
const
struct
aa_task_c
tx
*
ctx
=
current_ctx
();
struct
aa_profile
*
profile
;
struct
aa_profile
*
profile
;
BUG_ON
(
!
cxt
||
!
cxt
->
profile
);
if
(
profile_is_stale
(
cxt
->
profile
))
{
AA_BUG
(
!
ctx
||
!
ctx
->
profile
);
profile
=
aa_get_newest_profile
(
cxt
->
profile
);
if
(
profile_is_stale
(
ctx
->
profile
))
{
profile
=
aa_get_newest_profile
(
ctx
->
profile
);
aa_replace_current_profile
(
profile
);
aa_replace_current_profile
(
profile
);
aa_put_profile
(
profile
);
aa_put_profile
(
profile
);
c
xt
=
current_cxt
();
c
tx
=
current_ctx
();
}
}
return
c
xt
->
profile
;
return
c
tx
->
profile
;
}
}
static
inline
struct
aa_ns
*
aa_get_current_ns
(
void
)
static
inline
struct
aa_ns
*
aa_get_current_ns
(
void
)
...
@@ -169,16 +171,16 @@ static inline struct aa_ns *aa_get_current_ns(void)
...
@@ -169,16 +171,16 @@ static inline struct aa_ns *aa_get_current_ns(void)
}
}
/**
/**
* aa_clear_task_c
xt_trans - clear transition tracking info from the cxt
* aa_clear_task_c
tx_trans - clear transition tracking info from the ctx
* @c
xt
: task context to clear (NOT NULL)
* @c
tx
: task context to clear (NOT NULL)
*/
*/
static
inline
void
aa_clear_task_c
xt_trans
(
struct
aa_task_cxt
*
cxt
)
static
inline
void
aa_clear_task_c
tx_trans
(
struct
aa_task_ctx
*
ctx
)
{
{
aa_put_profile
(
c
xt
->
previous
);
aa_put_profile
(
c
tx
->
previous
);
aa_put_profile
(
c
xt
->
onexec
);
aa_put_profile
(
c
tx
->
onexec
);
c
xt
->
previous
=
NULL
;
c
tx
->
previous
=
NULL
;
c
xt
->
onexec
=
NULL
;
c
tx
->
onexec
=
NULL
;
c
xt
->
token
=
0
;
c
tx
->
token
=
0
;
}
}
#endif
/* __AA_CONTEXT_H */
#endif
/* __AA_CONTEXT_H */
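Review bot: aa_cred_profile() now reads `AA_BUG(!ctx || !ctx->profile); return ctx->profile;` and aa_current_profile() likewise asserts and then dereferences ctx; these inlines are the accessors the hooks in lsm.c and domain.c go through (common_file_perm via file->f_cred, aa_change_hat via the current cred), so if AA_BUG is non-fatal — its definition is not in this diff — the assertion no longer prevents the NULL dereference it used to stop as BUG_ON. Either keep BUG_ON in these two accessors or add a comment at each site recording that AA_BUG is expected to halt, so a later change to AA_BUG does not silently turn them into crashes. Separately, the struct aa_task_ctx kernel-doc in the unchanged context of this hunk still documents the member as `@exec` while the field is `onexec`; the line should read `@onexec: profile to transition to on next exec (MAYBE NULL)`.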
security/apparmor/lsm.c
...
@@ -45,12 +45,12 @@ int apparmor_initialized __initdata;
...
@@ -45,12 +45,12 @@ int apparmor_initialized __initdata;
*/
*/
/*
/*
* free the associated aa_task_c
xt
and put its profiles
* free the associated aa_task_c
tx
and put its profiles
*/
*/
static
void
apparmor_cred_free
(
struct
cred
*
cred
)
static
void
apparmor_cred_free
(
struct
cred
*
cred
)
{
{
aa_free_task_context
(
cred_c
xt
(
cred
));
aa_free_task_context
(
cred_c
tx
(
cred
));
cred_c
xt
(
cred
)
=
NULL
;
cred_c
tx
(
cred
)
=
NULL
;
}
}
/*
/*
...
@@ -59,27 +59,29 @@ static void apparmor_cred_free(struct cred *cred)
...
@@ -59,27 +59,29 @@ static void apparmor_cred_free(struct cred *cred)
static
int
apparmor_cred_alloc_blank
(
struct
cred
*
cred
,
gfp_t
gfp
)
static
int
apparmor_cred_alloc_blank
(
struct
cred
*
cred
,
gfp_t
gfp
)
{
{
/* freed by apparmor_cred_free */
/* freed by apparmor_cred_free */
struct
aa_task_cxt
*
cxt
=
aa_alloc_task_context
(
gfp
);
struct
aa_task_ctx
*
ctx
=
aa_alloc_task_context
(
gfp
);
if
(
!
cxt
)
if
(
!
ctx
)
return
-
ENOMEM
;
return
-
ENOMEM
;
cred_c
xt
(
cred
)
=
cxt
;
cred_c
tx
(
cred
)
=
ctx
;
return
0
;
return
0
;
}
}
/*
/*
* prepare new aa_task_c
xt
for modification by prepare_cred block
* prepare new aa_task_c
tx
for modification by prepare_cred block
*/
*/
static
int
apparmor_cred_prepare
(
struct
cred
*
new
,
const
struct
cred
*
old
,
static
int
apparmor_cred_prepare
(
struct
cred
*
new
,
const
struct
cred
*
old
,
gfp_t
gfp
)
gfp_t
gfp
)
{
{
/* freed by apparmor_cred_free */
/* freed by apparmor_cred_free */
struct
aa_task_cxt
*
cxt
=
aa_alloc_task_context
(
gfp
);
struct
aa_task_ctx
*
ctx
=
aa_alloc_task_context
(
gfp
);
if
(
!
cxt
)
if
(
!
ctx
)
return
-
ENOMEM
;
return
-
ENOMEM
;
aa_dup_task_context
(
c
xt
,
cred_cxt
(
old
));
aa_dup_task_context
(
c
tx
,
cred_ctx
(
old
));
cred_c
xt
(
new
)
=
cxt
;
cred_c
tx
(
new
)
=
ctx
;
return
0
;
return
0
;
}
}
...
@@ -88,10 +90,10 @@ static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
...
@@ -88,10 +90,10 @@ static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
*/
*/
static
void
apparmor_cred_transfer
(
struct
cred
*
new
,
const
struct
cred
*
old
)
static
void
apparmor_cred_transfer
(
struct
cred
*
new
,
const
struct
cred
*
old
)
{
{
const
struct
aa_task_c
xt
*
old_cxt
=
cred_cxt
(
old
);
const
struct
aa_task_c
tx
*
old_ctx
=
cred_ctx
(
old
);
struct
aa_task_c
xt
*
new_cxt
=
cred_cxt
(
new
);
struct
aa_task_c
tx
*
new_ctx
=
cred_ctx
(
new
);
aa_dup_task_context
(
new_c
xt
,
old_cxt
);
aa_dup_task_context
(
new_c
tx
,
old_ctx
);
}
}
static
int
apparmor_ptrace_access_check
(
struct
task_struct
*
child
,
static
int
apparmor_ptrace_access_check
(
struct
task_struct
*
child
,
...
@@ -345,7 +347,7 @@ static int apparmor_inode_getattr(const struct path *path)
...
@@ -345,7 +347,7 @@ static int apparmor_inode_getattr(const struct path *path)
static
int
apparmor_file_open
(
struct
file
*
file
,
const
struct
cred
*
cred
)
static
int
apparmor_file_open
(
struct
file
*
file
,
const
struct
cred
*
cred
)
{
{
struct
aa_file_c
xt
*
fcxt
=
file
->
f_security
;
struct
aa_file_c
tx
*
fctx
=
file
->
f_security
;
struct
aa_profile
*
profile
;
struct
aa_profile
*
profile
;
int
error
=
0
;
int
error
=
0
;
...
@@ -358,7 +360,7 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
...
@@ -358,7 +360,7 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
* actually execute the image.
* actually execute the image.
*/
*/
if
(
current
->
in_execve
)
{
if
(
current
->
in_execve
)
{
fc
xt
->
allow
=
MAY_EXEC
|
MAY_READ
|
AA_EXEC_MMAP
;
fc
tx
->
allow
=
MAY_EXEC
|
MAY_READ
|
AA_EXEC_MMAP
;
return
0
;
return
0
;
}
}
...
@@ -370,7 +372,7 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
...
@@ -370,7 +372,7 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
error
=
aa_path_perm
(
OP_OPEN
,
profile
,
&
file
->
f_path
,
0
,
error
=
aa_path_perm
(
OP_OPEN
,
profile
,
&
file
->
f_path
,
0
,
aa_map_file_to_perms
(
file
),
&
cond
);
aa_map_file_to_perms
(
file
),
&
cond
);
/* todo cache full allowed permissions set and state */
/* todo cache full allowed permissions set and state */
fc
xt
->
allow
=
aa_map_file_to_perms
(
file
);
fc
tx
->
allow
=
aa_map_file_to_perms
(
file
);
}
}
return
error
;
return
error
;
...
@@ -388,14 +390,14 @@ static int apparmor_file_alloc_security(struct file *file)
...
@@ -388,14 +390,14 @@ static int apparmor_file_alloc_security(struct file *file)
static
void
apparmor_file_free_security
(
struct
file
*
file
)
static
void
apparmor_file_free_security
(
struct
file
*
file
)
{
{
struct
aa_file_c
xt
*
cxt
=
file
->
f_security
;
struct
aa_file_c
tx
*
ctx
=
file
->
f_security
;
aa_free_file_context
(
c
xt
);
aa_free_file_context
(
c
tx
);
}
}
static
int
common_file_perm
(
int
op
,
struct
file
*
file
,
u32
mask
)
static
int
common_file_perm
(
int
op
,
struct
file
*
file
,
u32
mask
)
{
{
struct
aa_file_c
xt
*
fcxt
=
file
->
f_security
;
struct
aa_file_c
tx
*
fctx
=
file
->
f_security
;
struct
aa_profile
*
profile
,
*
fprofile
=
aa_cred_profile
(
file
->
f_cred
);
struct
aa_profile
*
profile
,
*
fprofile
=
aa_cred_profile
(
file
->
f_cred
);
int
error
=
0
;
int
error
=
0
;
...
@@ -415,7 +417,7 @@ static int common_file_perm(int op, struct file *file, u32 mask)
...
@@ -415,7 +417,7 @@ static int common_file_perm(int op, struct file *file, u32 mask)
* delegation from unconfined tasks
* delegation from unconfined tasks
*/
*/
if
(
!
unconfined
(
profile
)
&&
!
unconfined
(
fprofile
)
&&
if
(
!
unconfined
(
profile
)
&&
!
unconfined
(
fprofile
)
&&
((
fprofile
!=
profile
)
||
(
mask
&
~
fc
xt
->
allow
)))
((
fprofile
!=
profile
)
||
(
mask
&
~
fc
tx
->
allow
)))
error
=
aa_file_perm
(
op
,
profile
,
file
,
mask
);
error
=
aa_file_perm
(
op
,
profile
,
file
,
mask
);
return
error
;
return
error
;
...
@@ -477,15 +479,15 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
...
@@ -477,15 +479,15 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
int
error
=
-
ENOENT
;
int
error
=
-
ENOENT
;
/* released below */
/* released below */
const
struct
cred
*
cred
=
get_task_cred
(
task
);
const
struct
cred
*
cred
=
get_task_cred
(
task
);
struct
aa_task_c
xt
*
cxt
=
cred_cxt
(
cred
);
struct
aa_task_c
tx
*
ctx
=
cred_ctx
(
cred
);
struct
aa_profile
*
profile
=
NULL
;
struct
aa_profile
*
profile
=
NULL
;
if
(
strcmp
(
name
,
"current"
)
==
0
)
if
(
strcmp
(
name
,
"current"
)
==
0
)
profile
=
aa_get_newest_profile
(
c
xt
->
profile
);
profile
=
aa_get_newest_profile
(
c
tx
->
profile
);
else
if
(
strcmp
(
name
,
"prev"
)
==
0
&&
c
xt
->
previous
)
else
if
(
strcmp
(
name
,
"prev"
)
==
0
&&
c
tx
->
previous
)
profile
=
aa_get_newest_profile
(
c
xt
->
previous
);
profile
=
aa_get_newest_profile
(
c
tx
->
previous
);
else
if
(
strcmp
(
name
,
"exec"
)
==
0
&&
c
xt
->
onexec
)
else
if
(
strcmp
(
name
,
"exec"
)
==
0
&&
c
tx
->
onexec
)
profile
=
aa_get_newest_profile
(
c
xt
->
onexec
);
profile
=
aa_get_newest_profile
(
c
tx
->
onexec
);
else
else
error
=
-
EINVAL
;
error
=
-
EINVAL
;
...
@@ -849,21 +851,21 @@ static int param_set_mode(const char *val, struct kernel_param *kp)
...
@@ -849,21 +851,21 @@ static int param_set_mode(const char *val, struct kernel_param *kp)
*/
*/
/**
/**
* set_init_c
xt
- set a task context and profile on the first task.
* set_init_c
tx
- set a task context and profile on the first task.
*
*
* TODO: allow setting an alternate profile than unconfined
* TODO: allow setting an alternate profile than unconfined
*/
*/
static
int
__init
set_init_c
xt
(
void
)
static
int
__init
set_init_c
tx
(
void
)
{
{
struct
cred
*
cred
=
(
struct
cred
*
)
current
->
real_cred
;
struct
cred
*
cred
=
(
struct
cred
*
)
current
->
real_cred
;
struct
aa_task_c
xt
*
cxt
;
struct
aa_task_c
tx
*
ctx
;
c
xt
=
aa_alloc_task_context
(
GFP_KERNEL
);
c
tx
=
aa_alloc_task_context
(
GFP_KERNEL
);
if
(
!
c
xt
)
if
(
!
c
tx
)
return
-
ENOMEM
;
return
-
ENOMEM
;
c
xt
->
profile
=
aa_get_profile
(
root_ns
->
unconfined
);
c
tx
->
profile
=
aa_get_profile
(
root_ns
->
unconfined
);
cred_c
xt
(
cred
)
=
cxt
;
cred_c
tx
(
cred
)
=
ctx
;
return
0
;
return
0
;
}
}
...
@@ -890,7 +892,7 @@ static int __init apparmor_init(void)
...
@@ -890,7 +892,7 @@ static int __init apparmor_init(void)
goto
alloc_out
;
goto
alloc_out
;
}
}
error
=
set_init_c
xt
();
error
=
set_init_c
tx
();
if
(
error
)
{
if
(
error
)
{
AA_ERROR
(
"Failed to set context on init task
\n
"
);
AA_ERROR
(
"Failed to set context on init task
\n
"
);
aa_free_root_ns
();
aa_free_root_ns
();
...
...
security/apparmor/policy.c
...
@@ -808,7 +808,7 @@ static int __lookup_replace(struct aa_ns *ns, const char *hname,
...
@@ -808,7 +808,7 @@ static int __lookup_replace(struct aa_ns *ns, const char *hname,
* @udata: serialized data stream (NOT NULL)
* @udata: serialized data stream (NOT NULL)
*
*
* unpack and replace a profile on the profile list and uses of that profile
* unpack and replace a profile on the profile list and uses of that profile
* by any aa_task_c
xt
. If the profile does not exist on the profile list
* by any aa_task_c
tx
. If the profile does not exist on the profile list
* it is added.
* it is added.
*
*
* Returns: size of data consumed else error code on failure.
* Returns: size of data consumed else error code on failure.
...
...