apparmor/kernel-patches/for-mainline/fix-link-subset.diff

---
 security/apparmor/main.c |   37 ++++++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 17 deletions(-)

--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -68,7 +68,7 @@ static int aa_link_denied(struct aa_prof
 			  int *request_mask)
 {
 	unsigned int state;
-	int l_mode, t_mode, denied_mask = 0;
+	int l_mode, t_mode, l_subset, denied_mask = 0;
 	int link_mask = AA_MAY_LINK << target_mode;
 
 	*request_mask = link_mask;
@@ -83,31 +83,35 @@ static int aa_link_denied(struct aa_prof
 
 		if (!(mode & link_mask))
 			denied_mask |= link_mask;
+		/* return if link subset test is not required */
 		if (!(mode & (AA_LINK_SUBSET_TEST << target_mode)))
 			return denied_mask;
 	}
 
-	/* do link perm subset test */
-	t_mode = aa_match(profile->file_rules, target);
-
-	/* Ignore valid-profile-transition flags. */
-	l_mode &= ~AA_SHARED_PERMS;
-	t_mode &= ~AA_SHARED_PERMS;
-
-	*request_mask = l_mode | link_mask;
-
-	/* Link always requires 'l' on the link for both parts of the pair.
+	/* Do link perm subset test
 	 * If a subset test is required a permission subset test of the
 	 * perms for the link are done against the user:group:other of the
 	 * target's 'r', 'w', 'x', 'a', 'k', and 'm' permissions.
 	 *
 	 * If the link has 'x', an exact match of all the execute flags
-	 * ('i', 'u', 'p').  safe exec is treated as a subset of unsafe exec
+	 * must match.
  	 */
-#define SUBSET_PERMS (AA_FILE_PERMS & ~AA_LINK_BITS)
 	denied_mask |= ~l_mode & link_mask;
-	if (l_mode & SUBSET_PERMS) {
-		denied_mask |= (l_mode & SUBSET_PERMS) & ~t_mode;
+
+	t_mode = aa_match(profile->file_rules, target);
+
+
+	/* For actual subset test ignore valid-profile-transition flags,
+	 * and link bits
+	 */
+	l_mode &= ~(AA_SHARED_PERMS | AA_LINK_BITS);
+	t_mode &= ~(AA_SHARED_PERMS | AA_LINK_BITS);
+	l_subset = l_mode & AA_FILE_PERMS;
+
+	*request_mask = l_mode | link_mask;
+
+	if (l_subset) {
+		denied_mask |= (l_subset) & ~t_mode;
 		if (denied_mask & AA_EXEC_BITS)
 			denied_mask |= l_mode & AA_ALL_EXEC_MODS;
 		else if (l_mode & AA_EXEC_BITS) {
@@ -126,9 +130,8 @@ static int aa_link_denied(struct aa_prof
 				denied_mask |= AA_OTHER_EXEC |
 					(l_mode & AA_OTHER_EXEC_MODS);
 		}
-	} else
+	} else if (t_mode & AA_FILE_PERMS)
 		denied_mask |= t_mode | link_mask;
-#undef SUBSET_PERMS
 
 	return denied_mask;
 }
M vfs-mkdir.diff - pass vfsmnt param for cgroups A fix-user-audit.diff - nothing A fix-link-subset.diff - fix reporting of failed link subsets A apparmor-fix-lock-letter.diff - fix the reported lock letter in apparmorfs/matching - reverted audit request_mask back to requested_mask A apparmor-fix-sysctl-refcount.diff - fix a refcount leak in sysctl audit 2008-02-09 14:07:22 +00:00			`---`
M split_init.diff - fix split init so that apparmor can be enabled at the boot command line. The init was broken so that apparmor couldn't be enabled unless enabled by default. M apparmor-fix-lock-letter.diff - fix the lock letter being reported (z -> k) and update some comments A apparmor-create-append.diff - fix semanitc bug where full write perms were needed to create a new file, where only append is needed. M fix-link-subset.diff - partial fix of link subset A no-safex-link-subset.diff - more link subset fixes A audit-log-type-in-syslog.diff - fix audit type being missing when messages go to syslog. This patch is needed for apparmor to work when messages go to syslog instead of auditd. This patch can be dropped when upstream includes the patch to report audit number when reporting to syslog A audit-uid.diff - report the fsuid to the log A hat_perm.diff - setup to use hat permissions instead of just profile search for 2.3 A apparmor-failed-name-error.diff - fix a bug where on failed name resolution no error or information is output. It now reports info in the status field and includes an error_code A extend-x-mods.diff - extend the x-mods in preparation of audit ctl A apparmor-secondary-accept.diff - extend the dfa to have a second accept table used for audit ctl A apparmor-audit-flags2.diff - extend apparmor to support audit ctl of individual permissions. - finish fixing link-subset A fix-change_profile-namespace.diff - Not applied, ignore 2008-03-13 16:36:38 +00:00			`security/apparmor/main.c \| 37 ++++++++++++++++++++-----------------`
			`1 file changed, 20 insertions(+), 17 deletions(-)`
M vfs-mkdir.diff - pass vfsmnt param for cgroups A fix-user-audit.diff - nothing A fix-link-subset.diff - fix reporting of failed link subsets A apparmor-fix-lock-letter.diff - fix the reported lock letter in apparmorfs/matching - reverted audit request_mask back to requested_mask A apparmor-fix-sysctl-refcount.diff - fix a refcount leak in sysctl audit 2008-02-09 14:07:22 +00:00
			`--- a/security/apparmor/main.c`
			`+++ b/security/apparmor/main.c`
			`@@ -68,7 +68,7 @@ static int aa_link_denied(struct aa_prof`
			`int *request_mask)`
			`{`
			`unsigned int state;`
			`- int l_mode, t_mode, denied_mask = 0;`
			`+ int l_mode, t_mode, l_subset, denied_mask = 0;`
			`int link_mask = AA_MAY_LINK << target_mode;`

			`*request_mask = link_mask;`
			`@@ -83,31 +83,35 @@ static int aa_link_denied(struct aa_prof`

			`if (!(mode & link_mask))`
			`denied_mask \|= link_mask;`
			`+ /* return if link subset test is not required */`
			`if (!(mode & (AA_LINK_SUBSET_TEST << target_mode)))`
			`return denied_mask;`
			`}`

			`- /* do link perm subset test */`
			`- t_mode = aa_match(profile->file_rules, target);`
			`-`
			`- /* Ignore valid-profile-transition flags. */`
			`- l_mode &= ~AA_SHARED_PERMS;`
			`- t_mode &= ~AA_SHARED_PERMS;`
			`-`
			`- *request_mask = l_mode \| link_mask;`
			`-`
			`- /* Link always requires 'l' on the link for both parts of the pair.`
			`+ /* Do link perm subset test`
			`* If a subset test is required a permission subset test of the`
			`* perms for the link are done against the user:group:other of the`
			`* target's 'r', 'w', 'x', 'a', 'k', and 'm' permissions.`
			`*`
			`* If the link has 'x', an exact match of all the execute flags`
			`- * ('i', 'u', 'p'). safe exec is treated as a subset of unsafe exec`
			`+ * must match.`
			`*/`
			`-#define SUBSET_PERMS (AA_FILE_PERMS & ~AA_LINK_BITS)`
			`denied_mask \|= ~l_mode & link_mask;`
			`- if (l_mode & SUBSET_PERMS) {`
			`- denied_mask \|= (l_mode & SUBSET_PERMS) & ~t_mode;`
			`+`
			`+ t_mode = aa_match(profile->file_rules, target);`
			`+`
			`+`
			`+ /* For actual subset test ignore valid-profile-transition flags,`
			`+ * and link bits`
			`+ */`
fix bitmasking 2008-02-09 14:16:07 +00:00			`+ l_mode &= ~(AA_SHARED_PERMS \| AA_LINK_BITS);`
			`+ t_mode &= ~(AA_SHARED_PERMS \| AA_LINK_BITS);`
M vfs-mkdir.diff - pass vfsmnt param for cgroups A fix-user-audit.diff - nothing A fix-link-subset.diff - fix reporting of failed link subsets A apparmor-fix-lock-letter.diff - fix the reported lock letter in apparmorfs/matching - reverted audit request_mask back to requested_mask A apparmor-fix-sysctl-refcount.diff - fix a refcount leak in sysctl audit 2008-02-09 14:07:22 +00:00			`+ l_subset = l_mode & AA_FILE_PERMS;`
			`+`
			`+ *request_mask = l_mode \| link_mask;`
			`+`
			`+ if (l_subset) {`
			`+ denied_mask \|= (l_subset) & ~t_mode;`
			`if (denied_mask & AA_EXEC_BITS)`
			`denied_mask \|= l_mode & AA_ALL_EXEC_MODS;`
			`else if (l_mode & AA_EXEC_BITS) {`
M split_init.diff - fix split init so that apparmor can be enabled at the boot command line. The init was broken so that apparmor couldn't be enabled unless enabled by default. M apparmor-fix-lock-letter.diff - fix the lock letter being reported (z -> k) and update some comments A apparmor-create-append.diff - fix semanitc bug where full write perms were needed to create a new file, where only append is needed. M fix-link-subset.diff - partial fix of link subset A no-safex-link-subset.diff - more link subset fixes A audit-log-type-in-syslog.diff - fix audit type being missing when messages go to syslog. This patch is needed for apparmor to work when messages go to syslog instead of auditd. This patch can be dropped when upstream includes the patch to report audit number when reporting to syslog A audit-uid.diff - report the fsuid to the log A hat_perm.diff - setup to use hat permissions instead of just profile search for 2.3 A apparmor-failed-name-error.diff - fix a bug where on failed name resolution no error or information is output. It now reports info in the status field and includes an error_code A extend-x-mods.diff - extend the x-mods in preparation of audit ctl A apparmor-secondary-accept.diff - extend the dfa to have a second accept table used for audit ctl A apparmor-audit-flags2.diff - extend apparmor to support audit ctl of individual permissions. - finish fixing link-subset A fix-change_profile-namespace.diff - Not applied, ignore 2008-03-13 16:36:38 +00:00			`@@ -126,9 +130,8 @@ static int aa_link_denied(struct aa_prof`
			`denied_mask \|= AA_OTHER_EXEC \|`
			`(l_mode & AA_OTHER_EXEC_MODS);`
M vfs-mkdir.diff - pass vfsmnt param for cgroups A fix-user-audit.diff - nothing A fix-link-subset.diff - fix reporting of failed link subsets A apparmor-fix-lock-letter.diff - fix the reported lock letter in apparmorfs/matching - reverted audit request_mask back to requested_mask A apparmor-fix-sysctl-refcount.diff - fix a refcount leak in sysctl audit 2008-02-09 14:07:22 +00:00			`}`
M split_init.diff - fix split init so that apparmor can be enabled at the boot command line. The init was broken so that apparmor couldn't be enabled unless enabled by default. M apparmor-fix-lock-letter.diff - fix the lock letter being reported (z -> k) and update some comments A apparmor-create-append.diff - fix semanitc bug where full write perms were needed to create a new file, where only append is needed. M fix-link-subset.diff - partial fix of link subset A no-safex-link-subset.diff - more link subset fixes A audit-log-type-in-syslog.diff - fix audit type being missing when messages go to syslog. This patch is needed for apparmor to work when messages go to syslog instead of auditd. This patch can be dropped when upstream includes the patch to report audit number when reporting to syslog A audit-uid.diff - report the fsuid to the log A hat_perm.diff - setup to use hat permissions instead of just profile search for 2.3 A apparmor-failed-name-error.diff - fix a bug where on failed name resolution no error or information is output. It now reports info in the status field and includes an error_code A extend-x-mods.diff - extend the x-mods in preparation of audit ctl A apparmor-secondary-accept.diff - extend the dfa to have a second accept table used for audit ctl A apparmor-audit-flags2.diff - extend apparmor to support audit ctl of individual permissions. - finish fixing link-subset A fix-change_profile-namespace.diff - Not applied, ignore 2008-03-13 16:36:38 +00:00			`- } else`
			`+ } else if (t_mode & AA_FILE_PERMS)`
M vfs-mkdir.diff - pass vfsmnt param for cgroups A fix-user-audit.diff - nothing A fix-link-subset.diff - fix reporting of failed link subsets A apparmor-fix-lock-letter.diff - fix the reported lock letter in apparmorfs/matching - reverted audit request_mask back to requested_mask A apparmor-fix-sysctl-refcount.diff - fix a refcount leak in sysctl audit 2008-02-09 14:07:22 +00:00			`denied_mask \|= t_mode \| link_mask;`
			`-#undef SUBSET_PERMS`

			`return denied_mask;`
			`}`