Add patch to check perms/exec modifiers on profile load instead of checking them at run time
74
kernel-patches/for-mainline/no-unknown-exec-mod.diff
Normal file
@@ -0,0 +1,74 @@
|
||||
---
|
||||
security/apparmor/apparmor.h | 5 +++++
|
||||
security/apparmor/main.c | 12 ------------
|
||||
security/apparmor/match.c | 15 +++++++++++++++
|
||||
3 files changed, 20 insertions(+), 12 deletions(-)
|
||||
|
||||
--- a/security/apparmor/apparmor.h
|
||||
+++ b/security/apparmor/apparmor.h
|
||||
@@ -32,8 +32,13 @@
|
||||
AA_EXEC_UNCONFINED | \
|
||||
AA_EXEC_PROFILE)
|
||||
|
||||
+#define AA_VALID_PERM_MASK (MAY_READ | MAY_WRITE | MAY_EXEC | \
|
||||
+ AA_MAY_LINK | AA_EXEC_MODIFIERS | \
|
||||
+ AA_EXEC_MMAP | AA_EXEC_UNSAFE)
|
||||
+
|
||||
#define AA_SECURE_EXEC_NEEDED 1
|
||||
|
||||
+
|
||||
/* Control parameters (0 or 1), settable thru module/boot flags or
|
||||
* via /sys/kernel/security/apparmor/control */
|
||||
extern int apparmor_complain;
|
||||
--- a/security/apparmor/main.c
|
||||
+++ b/security/apparmor/main.c
|
||||
@@ -918,18 +918,6 @@ repeat:
|
||||
buffer, 1,
|
||||
complain);
|
||||
break;
|
||||
-
|
||||
- default:
|
||||
- AA_ERROR("Rejecting exec(2) of image '%s'. "
|
||||
- "Unknown exec qualifier %x "
|
||||
- "(%d profile %s active %s)\n",
|
||||
- filename,
|
||||
- exec_mode & AA_EXEC_MODIFIERS,
|
||||
- current->pid,
|
||||
- profile->parent->name,
|
||||
- profile->name);
|
||||
- new_profile = ERR_PTR(-EPERM);
|
||||
- break;
|
||||
}
|
||||
|
||||
} else if (complain) {
|
||||
--- a/security/apparmor/match.c
|
||||
+++ b/security/apparmor/match.c
|
||||
@@ -12,6 +12,7 @@
|
||||
#include <linux/kernel.h>
|
||||
#include <linux/slab.h>
|
||||
#include <linux/errno.h>
|
||||
+#include "apparmor.h"
|
||||
#include "match.h"
|
||||
|
||||
static struct table_header *unpack_table(void *blob, size_t bsize)
|
||||
@@ -170,6 +171,20 @@ int verify_dfa(struct aa_dfa *dfa)
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ /* verify accept permissions */
|
||||
+ for (i = 0; i < state_count; i++) {
|
||||
+ int mode = ACCEPT_TABLE(dfa)[i];
|
||||
+ if (mode & ~AA_VALID_PERM_MASK)
|
||||
+ goto out;
|
||||
+
|
||||
+ /* if MAY_EXEC, exactly 1 exec modifier must be set */
|
||||
+ if (mode & MAY_EXEC) {
|
||||
+ mode &= AA_EXEC_MODIFIERS;
|
||||
+ if (mode & (mode -1))
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
error = 0;
|
||||
out:
|
||||
return error;
|
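Review bot: The exec-modifier check `if (mode & (mode -1))` in the new verify_dfa loop only rejects accept entries with two or more modifier bits; an entry with MAY_EXEC set and no modifier at all leaves `mode` as 0 and passes, although the comment above it says exactly one modifier must be set. Because the same patch removes the run-time `default:` rejection in main.c, such an entry would presumably no longer be rejected anywhere, which is worth confirming against the initial value of `new_profile` before that switch (outside the hunk). Suggest `if (!mode || (mode & (mode - 1)))` followed by `goto out;`, which also normalises the spacing around `-`. verify_dfa and the declarations of `i`, `state_count` and `error` are outside the hunk, so the error code returned on these new `goto out` paths is whatever was assigned earlier in the function.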