mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 06:16:03 +00:00
Code Issues Releases Wiki Activity

update change_profile patches

Browse Source
This commit is contained in:
John Johansen
2007-06-21 18:27:17 +00:00
parent 4a844e8d33
commit 4b7150f21b
7 changed files with 1186 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
kernel-patches/for-mainline/change_profile-current.diff Normal file
View File

@@ -0,0 +1,95 @@
make change_hat, change_profile explicit to current instead of a generic
task.
---
security/apparmor/main.c | 27 ++++++++++++---------------
1 file changed, 12 insertions(+), 15 deletions(-)
--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -929,8 +929,7 @@ repeat:
}
}
-static int do_change_profile(struct task_struct *task, const char *name,
- u64 cookie, int restore_profile,
+static int do_change_profile(const char *name, u64 cookie, int restore_profile,
struct aa_audit *sa)
{
struct aa_profile *profile = NULL, *previous_profile = NULL;
@@ -947,7 +946,7 @@ static int do_change_profile(struct task
if (!profile && !restore_profile)
profile = aa_dup_profile(null_complain_profile);
- cxt = lock_task_and_profiles(task, profile);
+ cxt = lock_task_and_profiles(current, profile);
if (!cxt) {
error = -EPERM;
goto out;
@@ -959,7 +958,7 @@ static int do_change_profile(struct task
sa->info = "killing process";
aa_audit_reject(profile, sa);
/* terminate process */
- (void)send_sig_info(SIGKILL, NULL, task);
+ (void)send_sig_info(SIGKILL, NULL, current);
goto out;
}
@@ -968,7 +967,7 @@ static int do_change_profile(struct task
previous_profile = cxt->profile;
}
- if ((task->ptrace & PT_PTRACED) && aa_may_ptrace(cxt, profile)) {
+ if ((current->ptrace & PT_PTRACED) && aa_may_ptrace(cxt, profile)) {
error = -EACCES;
goto out;
}
@@ -985,15 +984,15 @@ static int do_change_profile(struct task
if (APPARMOR_AUDIT(cxt))
aa_audit_message(cxt->profile, sa, AUDIT_APPARMOR_AUDIT);
if (restore_profile)
- aa_change_task_context(task, new_cxt, profile, 0, NULL);
+ aa_change_task_context(current, new_cxt, profile, 0, NULL);
else
- aa_change_task_context(task, new_cxt, profile, cookie,
+ aa_change_task_context(current, new_cxt, profile, cookie,
previous_profile);
out:
- if (aa_task_context(task) != new_cxt)
+ if (aa_task_context(current) != new_cxt)
aa_free_task_context(new_cxt);
- unlock_task_and_profiles(task, cxt, profile);
+ unlock_task_and_profiles(current, cxt, profile);
aa_put_profile(profile);
return error;
}
@@ -1037,11 +1036,10 @@ int aa_change_profile(const char *name,
mutex_unlock(&aa_interface_lock);
return -EACCES;
}
- error = do_change_profile(current, name, cookie, 0, &sa);
+ error = do_change_profile(name, cookie, 0, &sa);
} else {
if (cxt->previous_profile)
- error = do_change_profile(current,
- cxt->previous_profile->name,
+ error = do_change_profile(cxt->previous_profile->name,
cookie, 1, &sa);
/* else
* Ignore change_profile to restore_previous profile when
@@ -1099,12 +1097,11 @@ int aa_change_hat(const char *hat_name,
return -ENOMEM;
}
sprintf(name, "%s//%s", profile_name, hat_name);
- error = do_change_profile(current, name, cookie, 0, &sa);
+ error = do_change_profile(name, cookie, 0, &sa);
kfree(name);
} else {
if (cxt->previous_profile)
- error = do_change_profile(current,
- cxt->previous_profile->name,
+ error = do_change_profile(cxt->previous_profile->name,
cookie, 1, &sa);
/* else
* Ignore change_hat to restore profile when there is

259
kernel-patches/for-mainline/change_profile-no-return.diff Normal file
View File

@@ -0,0 +1,259 @@
Make change_profile one way only, this way it doesn't need to deal
with the change_hat logic
---
security/apparmor/apparmor.h | 3 -
security/apparmor/lsm.c | 2 -
security/apparmor/main.c | 82 ++++++++++++-------------------------------
security/apparmor/procattr.c | 27 ++------------
4 files changed, 29 insertions(+), 85 deletions(-)
--- a/security/apparmor/apparmor.h
+++ b/security/apparmor/apparmor.h
@@ -215,7 +215,7 @@ extern int aa_clone(struct task_struct *
extern int aa_register(struct linux_binprm *bprm);
extern void aa_release(struct task_struct *task);
extern int aa_change_hat(const char *id, u64 hat_magic);
-extern int aa_change_profile(const char *name, u64 cookie, int permanent);
+extern int aa_change_profile(const char *name);
extern struct aa_profile *__aa_find_profile(const char *name,
struct list_head *list);
extern struct aa_profile *__aa_find_profile2(const char *name,
@@ -251,7 +251,6 @@ extern void aa_unconfine_tasks(struct aa
extern int aa_getprocattr(struct aa_profile *profile, char **string,
unsigned *len);
extern int aa_setprocattr_changehat(char *args);
-extern int aa_setprocattr_changeprofile(char *args);
extern int aa_setprocattr_setprofile(struct task_struct *task, char *args);
/* apparmorfs.c */
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -632,7 +632,7 @@ static int apparmor_setprocattr(struct t
} else if (strcmp(command, "changeprofile") == 0) {
if (current != task)
return -EACCES;
- error = aa_setprocattr_changeprofile(args);
+ error = aa_change_profile(args);
} else if (strcmp(command, "setprofile")) {
struct aa_profile *profile;
--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -932,9 +932,10 @@ repeat:
enum { change_profile, permanent_change_profile, restore_profile };
static int do_change_profile(struct aa_profile *expected, const char *name,
- u64 cookie, int mode, struct aa_audit *sa)
+ u64 cookie, struct aa_profile *previous_profile,
+ struct aa_audit *sa)
{
- struct aa_profile *profile = NULL, *previous_profile = NULL;
+ struct aa_profile *profile = NULL;
struct aa_task_context *new_cxt, *cxt;
int error = 0;
@@ -945,7 +946,7 @@ static int do_change_profile(struct aa_p
return -ENOMEM;
profile = aa_find_profile(name);
- if (!profile && mode != restore_profile)
+ if (!profile)
profile = aa_dup_profile(null_complain_profile);
cxt = lock_task_and_profiles(current, profile);
@@ -959,27 +960,6 @@ static int do_change_profile(struct aa_p
goto out;
}
- if (cxt->previous_profile) {
- if (cxt->cookie != cookie) {
- error = -EACCES;
- sa->info = "killing process";
- aa_audit_reject(profile, sa);
- /* terminate process */
- (void)send_sig_info(SIGKILL, NULL, current);
- goto out;
- }
-
- previous_profile = cxt->previous_profile;
- } else {
- previous_profile = cxt->profile;
- }
-
- if (mode == permanent_change_profile) {
- previous_profile = NULL;
- cookie = 0;
- sa->info = "permanent";
- }
-
if ((current->ptrace & PT_PTRACED) && aa_may_ptrace(cxt, profile)) {
error = -EACCES;
goto out;
@@ -996,11 +976,8 @@ static int do_change_profile(struct aa_p
if (APPARMOR_AUDIT(cxt))
aa_audit_message(cxt->profile, sa, AUDIT_APPARMOR_AUDIT);
- if (mode == restore_profile)
- aa_change_task_context(current, new_cxt, profile, 0, NULL);
- else
- aa_change_task_context(current, new_cxt, profile, cookie,
- previous_profile);
+ aa_change_task_context(current, new_cxt, profile, cookie,
+ previous_profile);
out:
if (aa_task_context(current) != new_cxt)
@@ -1014,8 +991,6 @@ out:
/**
* aa_change_profile - change profile to/from previous stored profile
* @name: name of profile to change to
- * @cookie: magic value to validate the profile change
- * @permanent: whether the profile change is permanent
*
* Change to new profile @name, and store the @cookie in the current task
* context. If the new @name is %NULL and the @cookie matches that
@@ -1023,7 +998,7 @@ out:
*
* Returns %0 on success, error otherwise.
*/
-int aa_change_profile(const char *name, u64 cookie, int permanent)
+int aa_change_profile(const char *name)
{
struct aa_profile *profile;
struct aa_audit sa;
@@ -1031,7 +1006,6 @@ int aa_change_profile(const char *name,
memset(&sa, 0, sizeof(sa));
sa.gfp_mask = GFP_ATOMIC;
- sa.cookie = cookie;
sa.operation = "change_profile";
repeat:
@@ -1047,30 +1021,9 @@ repeat:
aa_put_profile(profile);
return -EACCES;
}
- if (permanent)
- error = do_change_profile(profile, name, cookie,
- permanent_change_profile,
- &sa);
- else
- error = do_change_profile(profile, name, cookie,
- change_profile, &sa);
+ error = do_change_profile(profile, name, 0, NULL, &sa);
} else {
- struct aa_profile *previous_profile;
- task_lock(current);
- previous_profile =
- aa_dup_profile(aa_task_context(current)->previous_profile);
- task_unlock(current);
-
- if (previous_profile)
- error = do_change_profile(profile,
- previous_profile->name,
- cookie, restore_profile,
- &sa);
- aa_put_profile(previous_profile);
- /* else
- * Ignore change_profile to restore_previous profile when
- * it doesn't exist
- */
+ error = -EPERM;
}
aa_put_profile(profile);
@@ -1116,6 +1069,18 @@ repeat:
profile = aa_dup_profile(cxt->profile);
previous_profile = aa_dup_profile(cxt->previous_profile);
+
+ if (previous_profile) {
+ if (cxt->cookie != cookie) {
+ task_unlock(current);
+ error = -EACCES;
+ sa.info = "killing process";
+ aa_audit_reject(profile, &sa);
+ /* terminate process */
+ (void)send_sig_info(SIGKILL, NULL, current);
+ goto out;
+ }
+ }
task_unlock(current);
if (hat_name) {
@@ -1133,14 +1098,13 @@ repeat:
}
sprintf(name, "%s//%s", profile_name, hat_name);
error = do_change_profile(profile, name, cookie,
- change_profile, &sa);
+ previous_profile, &sa);
kfree(name);
} else {
if (previous_profile)
error = do_change_profile(profile,
previous_profile->name,
- cookie, restore_profile,
- &sa);
+ 0, NULL, &sa);
/* else
* Ignore change_hat to restore profile when there is
* no profile to restore
--- a/security/apparmor/procattr.c
+++ b/security/apparmor/procattr.c
@@ -50,20 +50,16 @@ int aa_getprocattr(struct aa_profile *pr
return 0;
}
-static char *split_token_from_name(const char *op, int *cookie_set,
- char *args, u64 *cookie)
+static char *split_token_from_name(const char *op, char *args, u64 *cookie)
{
char *name;
*cookie = simple_strtoull(args, &name, 16);
- if ((name == args && *cookie_set) || *name != '^') {
+ if ((name == args) || *name != '^') {
AA_ERROR("%s: Invalid input '%s'", op, args);
return ERR_PTR(-EINVAL);
- } else if (name == args) {
- *cookie_set = 0;
- } else {
- *cookie_set = 1;
}
+
name++; /* skip ^ */
if (!*name)
name = NULL;
@@ -74,9 +70,8 @@ int aa_setprocattr_changehat(char *args)
{
char *hat;
u64 cookie;
- int cookie_set = 1;
- hat = split_token_from_name("change_hat", &cookie_set, args, &cookie);
+ hat = split_token_from_name("change_hat", args, &cookie);
if (IS_ERR(hat))
return PTR_ERR(hat);
@@ -91,20 +86,6 @@ int aa_setprocattr_changehat(char *args)
return aa_change_hat(hat, cookie);
}
-int aa_setprocattr_changeprofile(char *args)
-{
- char *name;
- u64 cookie;
- int cookie_set = 0;
-
- name = split_token_from_name("change_profile", &cookie_set, args,
- &cookie);
- if (IS_ERR(name))
- return PTR_ERR(name);
-
- return aa_change_profile(name, cookie, !cookie_set);
-}
-
int aa_setprocattr_setprofile(struct task_struct *task, char *args)
{
struct aa_profile *old_profile, *new_profile;

169
kernel-patches/for-mainline/change_profile-permenent.diff Normal file
View File

@@ -0,0 +1,169 @@
Give change_profile the ability to do a permanent transition
---
security/apparmor/apparmor.h | 2 +-
security/apparmor/main.c | 33 +++++++++++++++++++++++++--------
security/apparmor/procattr.c | 18 +++++++++++++-----
3 files changed, 39 insertions(+), 14 deletions(-)
--- a/security/apparmor/apparmor.h
+++ b/security/apparmor/apparmor.h
@@ -215,7 +215,7 @@ extern int aa_clone(struct task_struct *
extern int aa_register(struct linux_binprm *bprm);
extern void aa_release(struct task_struct *task);
extern int aa_change_hat(const char *id, u64 hat_magic);
-extern int aa_change_profile(const char *name, u64 cookie);
+extern int aa_change_profile(const char *name, u64 cookie, int permanent);
extern struct aa_profile *__aa_find_profile(const char *name,
struct list_head *list);
extern struct aa_profile *__aa_find_profile2(const char *name,
--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -929,7 +929,9 @@ repeat:
}
}
-static int do_change_profile(const char *name, u64 cookie, int restore_profile,
+enum { change_profile, permanent_change_profile, restore_profile };
+
+static int do_change_profile(const char *name, u64 cookie, int mode,
struct aa_audit *sa)
{
struct aa_profile *profile = NULL, *previous_profile = NULL;
@@ -943,7 +945,7 @@ static int do_change_profile(const char
return -ENOMEM;
profile = aa_find_profile(name);
- if (!profile && !restore_profile)
+ if (!profile && mode != restore_profile)
profile = aa_dup_profile(null_complain_profile);
cxt = lock_task_and_profiles(current, profile);
@@ -967,6 +969,12 @@ static int do_change_profile(const char
previous_profile = cxt->profile;
}
+ if (mode == permanent_change_profile) {
+ previous_profile = NULL;
+ cookie = 0;
+ sa->info = "permanent";
+ }
+
if ((current->ptrace & PT_PTRACED) && aa_may_ptrace(cxt, profile)) {
error = -EACCES;
goto out;
@@ -983,7 +991,7 @@ static int do_change_profile(const char
if (APPARMOR_AUDIT(cxt))
aa_audit_message(cxt->profile, sa, AUDIT_APPARMOR_AUDIT);
- if (restore_profile)
+ if (mode == restore_profile)
aa_change_task_context(current, new_cxt, profile, 0, NULL);
else
aa_change_task_context(current, new_cxt, profile, cookie,
@@ -1002,6 +1010,7 @@ out:
* aa_change_profile - change profile to/from previous stored profile
* @name: name of profile to change to
* @cookie: magic value to validate the profile change
+ * @permanent: whether the profile change is permanent
*
* Change to new profile @name, and store the @cookie in the current task
* context. If the new @name is %NULL and the @cookie matches that
@@ -1009,7 +1018,7 @@ out:
*
* Returns %0 on success, error otherwise.
*/
-int aa_change_profile(const char *name, u64 cookie)
+int aa_change_profile(const char *name, u64 cookie, int permanent)
{
struct aa_task_context *cxt;
struct aa_audit sa;
@@ -1036,11 +1045,18 @@ int aa_change_profile(const char *name,
mutex_unlock(&aa_interface_lock);
return -EACCES;
}
- error = do_change_profile(name, cookie, 0, &sa);
+ if (permanent)
+ error = do_change_profile(name, cookie,
+ permanent_change_profile,
+ &sa);
+ else
+ error = do_change_profile(name, cookie, change_profile,
+ &sa);
} else {
if (cxt->previous_profile)
error = do_change_profile(cxt->previous_profile->name,
- cookie, 1, &sa);
+ cookie, restore_profile,
+ &sa);
/* else
* Ignore change_profile to restore_previous profile when
* it doesn't exist
@@ -1097,12 +1113,13 @@ int aa_change_hat(const char *hat_name,
return -ENOMEM;
}
sprintf(name, "%s//%s", profile_name, hat_name);
- error = do_change_profile(name, cookie, 0, &sa);
+ error = do_change_profile(name, cookie, change_profile, &sa);
kfree(name);
} else {
if (cxt->previous_profile)
error = do_change_profile(cxt->previous_profile->name,
- cookie, 1, &sa);
+ cookie, restore_profile,
+ &sa);
/* else
* Ignore change_hat to restore profile when there is
* no profile to restore
--- a/security/apparmor/procattr.c
+++ b/security/apparmor/procattr.c
@@ -50,14 +50,19 @@ int aa_getprocattr(struct aa_profile *pr
return 0;
}
-static char *split_token_from_name(const char *op, char *args, u64 *cookie)
+static char *split_token_from_name(const char *op, int *cookie_set,
+ char *args, u64 *cookie)
{
char *name;
*cookie = simple_strtoull(args, &name, 16);
- if (name == args || *name != '^') {
+ if ((name == args && *cookie_set) || *name != '^') {
AA_ERROR("%s: Invalid input '%s'", op, args);
return ERR_PTR(-EINVAL);
+ } else if (name == args) {
+ *cookie_set = 0;
+ } else {
+ *cookie_set = 1;
}
name++; /* skip ^ */
if (!*name)
@@ -69,8 +74,9 @@ int aa_setprocattr_changehat(char *args)
{
char *hat;
u64 cookie;
+ int cookie_set = 1;
- hat = split_token_from_name("change_hat", args, &cookie);
+ hat = split_token_from_name("change_hat", &cookie_set, args, &cookie);
if (IS_ERR(hat))
return PTR_ERR(hat);
@@ -89,12 +95,14 @@ int aa_setprocattr_changeprofile(char *a
{
char *name;
u64 cookie;
+ int cookie_set = 0;
- name = split_token_from_name("change_profile", args, &cookie);
+ name = split_token_from_name("change_profile", &cookie_set, args,
+ &cookie);
if (IS_ERR(name))
return PTR_ERR(name);
- return aa_change_profile(name, cookie);
+ return aa_change_profile(name, cookie, !cookie_set);
}
int aa_setprocattr_setprofile(struct task_struct *task, char *args)

216
kernel-patches/for-mainline/change_profile-spin-onstale.diff Normal file
View File

@@ -0,0 +1,216 @@
change the way change_profile/change_hat work so that they spin on stale
instead of taking the interface lock
---
security/apparmor/main.c | 85 ++++++++++++++++++++++++++++---------------
security/apparmor/procattr.c | 4 --
2 files changed, 56 insertions(+), 33 deletions(-)
--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -931,8 +931,8 @@ repeat:
enum { change_profile, permanent_change_profile, restore_profile };
-static int do_change_profile(const char *name, u64 cookie, int mode,
- struct aa_audit *sa)
+static int do_change_profile(struct aa_profile *expected, const char *name,
+ u64 cookie, int mode, struct aa_audit *sa)
{
struct aa_profile *profile = NULL, *previous_profile = NULL;
struct aa_task_context *new_cxt, *cxt;
@@ -954,6 +954,11 @@ static int do_change_profile(const char
goto out;
}
+ if (cxt->profile != expected) {
+ error = -ESTALE;
+ goto out;
+ }
+
if (cxt->previous_profile) {
if (cxt->cookie != cookie) {
error = -EACCES;
@@ -1020,7 +1025,7 @@ out:
*/
int aa_change_profile(const char *name, u64 cookie, int permanent)
{
- struct aa_task_context *cxt;
+ struct aa_profile *profile;
struct aa_audit sa;
int error = 0;
@@ -1029,41 +1034,49 @@ int aa_change_profile(const char *name,
sa.cookie = cookie;
sa.operation = "change_profile";
- mutex_lock(&aa_interface_lock);
-
- cxt = aa_task_context(current);
- if (!cxt) {
- mutex_unlock(&aa_interface_lock);
+repeat:
+ profile = aa_get_profile(current);
+ if (!profile)
return -EPERM;
- }
if (name) {
- if (cxt->profile != null_complain_profile &&
- !(aa_match(cxt->profile->file_rules, name) &
+ if (profile != null_complain_profile &&
+ !(aa_match(profile->file_rules, name) &
AA_CHANGE_PROFILE)) {
/* no permission to transition to profile @name */
- mutex_unlock(&aa_interface_lock);
+ aa_put_profile(profile);
return -EACCES;
}
if (permanent)
- error = do_change_profile(name, cookie,
+ error = do_change_profile(profile, name, cookie,
permanent_change_profile,
&sa);
else
- error = do_change_profile(name, cookie, change_profile,
- &sa);
+ error = do_change_profile(profile, name, cookie,
+ change_profile, &sa);
} else {
- if (cxt->previous_profile)
- error = do_change_profile(cxt->previous_profile->name,
+ struct aa_profile *previous_profile;
+ task_lock(current);
+ previous_profile =
+ aa_dup_profile(aa_task_context(current)->previous_profile);
+ task_unlock(current);
+
+ if (previous_profile)
+ error = do_change_profile(profile,
+ previous_profile->name,
cookie, restore_profile,
&sa);
+ aa_put_profile(previous_profile);
/* else
* Ignore change_profile to restore_previous profile when
* it doesn't exist
*/
}
- mutex_unlock(&aa_interface_lock);
+ aa_put_profile(profile);
+ if (error == -ESTALE)
+ goto repeat;
+
return error;
}
@@ -1081,6 +1094,7 @@ int aa_change_profile(const char *name,
int aa_change_hat(const char *hat_name, u64 cookie)
{
struct aa_task_context *cxt;
+ struct aa_profile *profile, *previous_profile;
struct aa_audit sa;
int error = 0;
@@ -1089,35 +1103,42 @@ int aa_change_hat(const char *hat_name,
sa.cookie = cookie;
sa.operation = "change_hat";
- mutex_lock(&aa_interface_lock);
+repeat:
+ task_lock(current);
cxt = aa_task_context(current);
if (!cxt) {
- mutex_unlock(&aa_interface_lock);
+ task_unlock(current);
return -EPERM;
}
/* FIXME: there is currently no way to tell if a profile doesn't have
* hats so that we can return -ECHILD
*/
+ profile = aa_dup_profile(cxt->profile);
+ previous_profile = aa_dup_profile(cxt->previous_profile);
+ task_unlock(current);
+
if (hat_name) {
char *name, *profile_name;
- if (cxt->previous_profile)
- profile_name = cxt->previous_profile->name;
+ if (previous_profile)
+ profile_name = previous_profile->name;
else
- profile_name = cxt->profile->name;
+ profile_name = profile->name;
name = kmalloc(strlen(hat_name) + 3 + strlen(profile_name),
GFP_KERNEL);
if (!name) {
- mutex_unlock(&aa_interface_lock);
- return -ENOMEM;
+ error = -ENOMEM;
+ goto out;
}
sprintf(name, "%s//%s", profile_name, hat_name);
- error = do_change_profile(name, cookie, change_profile, &sa);
+ error = do_change_profile(profile, name, cookie,
+ change_profile, &sa);
kfree(name);
} else {
- if (cxt->previous_profile)
- error = do_change_profile(cxt->previous_profile->name,
+ if (previous_profile)
+ error = do_change_profile(profile,
+ previous_profile->name,
cookie, restore_profile,
&sa);
/* else
@@ -1125,7 +1146,13 @@ int aa_change_hat(const char *hat_name,
* no profile to restore
*/
}
- mutex_unlock(&aa_interface_lock);
+
+out:
+ aa_put_profile(previous_profile);
+ aa_put_profile(profile);
+ if (error == -ESTALE)
+ goto repeat;
+
return error;
}
--- a/security/apparmor/procattr.c
+++ b/security/apparmor/procattr.c
@@ -118,7 +118,6 @@ int aa_setprocattr_setprofile(struct tas
AA_DEBUG("%s: current %d\n",
__FUNCTION__, current->pid);
- mutex_lock(&aa_interface_lock);
repeat:
if (strcmp(args, "unconfined") == 0)
new_profile = NULL;
@@ -128,7 +127,6 @@ repeat:
sa.name = args;
sa.info = "unknown profile";
aa_audit_reject(NULL, &sa);
- mutex_unlock(&aa_interface_lock);
return -EINVAL;
}
}
@@ -141,7 +139,6 @@ repeat:
error = PTR_ERR(old_profile);
if (error == -ESTALE)
goto repeat;
- mutex_unlock(&aa_interface_lock);
return error;
}
@@ -162,6 +159,5 @@ repeat:
}
aa_put_profile(old_profile);
aa_put_profile(new_profile);
- mutex_unlock(&aa_interface_lock);
return 0;
}

45
kernel-patches/for-mainline/fix_link_perm.diff Normal file
View File

@@ -0,0 +1,45 @@
link perms were failing when 1 of the permissions was empty
---
security/apparmor/main.c | 20 +++++++-------------
1 file changed, 7 insertions(+), 13 deletions(-)
--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -68,29 +68,23 @@ static int aa_link_denied(struct aa_prof
l_mode = aa_match(profile->file_rules, link);
t_mode = aa_match(profile->file_rules, target);
- *request_mask = l_mode;
+ *request_mask = l_mode | AA_MAY_LINK;
/* Link always requires 'l' on the link, a subset of the
* target's 'r', 'w', 'x', and 'm' permissions on the link, and
* if the link has 'x', an exact match of all the execute flags
* ('i', 'u', 'U', 'p', 'P').
*/
+#define RWXM (MAY_READ | MAY_WRITE | MAY_EXEC | AA_EXEC_MMAP)
denied_mask = ~l_mode & AA_MAY_LINK;
- denied_mask |= l_mode & ~t_mode;
+ if (l_mode & RWXM)
+ denied_mask |= (l_mode & ~ AA_MAY_LINK) & ~t_mode;
+ else
+ denied_mask |= t_mode | AA_MAY_LINK;
if (denied_mask & AA_EXEC_MODIFIERS)
denied_mask |= MAY_EXEC;
- /* FIXME: denied mask has no way of reporting that the secure
- * execmode required is safe exec. This means that if link
- * has safe exec and target unsafe exec, the difference is not
- * reported, back, this isn't a significant problem since
- * safe exec is a subset of unsafe exec, but it violates the
- * exec should be exactly equal rule.
- *
- * The reverse situation does not cause a problem, if link
- * requires an unsafe exec and target a safe exec we report
- * the missing unsafe exec bit.
- */
+#undef RWXM
return denied_mask;
}

397
kernel-patches/for-mainline/flatten-hats-2.diff Normal file
View File

@@ -0,0 +1,397 @@
---
security/apparmor/apparmor.h | 18 +++----
security/apparmor/inline.h | 2
security/apparmor/main.c | 88 +++++++++++++++++------------------
security/apparmor/module_interface.c | 4 -
security/apparmor/procattr.c | 20 +++----
5 files changed, 67 insertions(+), 65 deletions(-)
--- a/security/apparmor/apparmor.h
+++ b/security/apparmor/apparmor.h
@@ -120,8 +120,8 @@ extern struct mutex aa_interface_lock;
/**
* struct aa_task_context - primary label for confined tasks
* @profile: the current profile
- * @token_profile: previous profile that may be returned to by matching @token
- * @token: the token controling the ability to return to previous profile
+ * @previous_profile: profile the task may return to
+ * @cookie: magic value the task must know for returning to @previous_profile
* @list: list this aa_task_context is on
* @task: task that the aa_task_context confines
* @rcu: rcu head used when freeing the aa_task_context
@@ -131,9 +131,9 @@ extern struct mutex aa_interface_lock;
* change_hat). Plus the hat_magic needed during change_hat.
*/
struct aa_task_context {
- struct aa_profile *profile; /* The current profile */
- struct aa_profile *token_profile;
- u64 token; /* used with change_profile */
+ struct aa_profile *profile;
+ struct aa_profile *previous_profile;
+ u64 cookie;
struct list_head list;
struct task_struct *task;
struct rcu_head rcu;
@@ -156,7 +156,7 @@ struct aa_audit {
int requested_mask, denied_mask;
struct iattr *iattr;
pid_t task, parent;
- u64 token;
+ u64 cookie;
int error_code;
};
@@ -215,7 +215,7 @@ extern int aa_clone(struct task_struct *
extern int aa_register(struct linux_binprm *bprm);
extern void aa_release(struct task_struct *task);
extern int aa_change_hat(const char *id, u64 hat_magic);
-extern int aa_change_profile(const char *name, u64 token);
+extern int aa_change_profile(const char *name, u64 cookie);
extern struct aa_profile *__aa_find_profile(const char *name,
struct list_head *list);
extern struct aa_profile *__aa_find_profile2(const char *name,
@@ -230,8 +230,8 @@ extern void unlock_task_and_profiles(str
struct aa_profile *profile);
extern void aa_change_task_context(struct task_struct *task,
struct aa_task_context *new_cxt,
- struct aa_profile *profile, u64 token,
- struct aa_profile *token_profile);
+ struct aa_profile *profile, u64 cookie,
+ struct aa_profile *previous_profile);
extern int aa_may_ptrace(struct aa_task_context *cxt,
struct aa_profile *tracee);
--- a/security/apparmor/inline.h
+++ b/security/apparmor/inline.h
@@ -101,7 +101,7 @@ static inline void aa_free_task_context(
{
if (cxt) {
aa_put_profile(cxt->profile);
- aa_put_profile(cxt->token_profile);
+ aa_put_profile(cxt->previous_profile);
kfree(cxt);
}
}
--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -323,8 +323,8 @@ static int aa_audit_base(struct aa_profi
audit_log_untrustedstring(ab, sa->name2);
}
- if (sa->token)
- audit_log_format(ab, " token=%llu", sa->token);
+ if (sa->cookie)
+ audit_log_format(ab, " cookie=%llu", sa->cookie);
audit_log_format(ab, " pid=%d", current->pid);
@@ -677,7 +677,7 @@ repeat:
/* No need to grab the child's task lock here. */
aa_change_task_context(child, child_cxt, profile,
- cxt->token, cxt->token_profile);
+ cxt->cookie, cxt->previous_profile);
unlock_profile(profile);
if (APPARMOR_COMPLAIN(child_cxt) &&
@@ -915,9 +915,9 @@ repeat:
}
static int do_change_profile(struct task_struct *task, const char *name,
- const char *hat, u64 token, struct aa_audit *sa)
+ const char *hat, u64 cookie, struct aa_audit *sa)
{
- struct aa_profile *profile = NULL, *token_profile = NULL,
+ struct aa_profile *profile = NULL, *previous_profile = NULL,
*name_profile = NULL;
struct aa_task_context *new_cxt, *cxt, *old_cxt = NULL;
int error = 0;
@@ -948,8 +948,8 @@ repeat:
if (!name || (hat && old_cxt && old_cxt != cxt)) {
/* need to find the change_hat name */
aa_put_profile(name_profile);
- if (cxt->token_profile)
- name_profile = aa_dup_profile(cxt->token_profile);
+ if (cxt->previous_profile)
+ name_profile = aa_dup_profile(cxt->previous_profile);
else
name_profile = aa_dup_profile(cxt->profile);
name = name_profile->name;
@@ -964,8 +964,8 @@ repeat:
goto repeat;
}
- if (cxt->token_profile) {
- if (cxt->token != token) {
+ if (cxt->previous_profile) {
+ if (cxt->cookie != cookie) {
error = -EACCES;
sa->info = "killing process";
aa_audit_reject(profile, sa);
@@ -974,9 +974,9 @@ repeat:
goto out;
}
- token_profile = cxt->token_profile;
+ previous_profile = cxt->previous_profile;
} else {
- token_profile = cxt->profile;
+ previous_profile = cxt->profile;
}
if ((task->ptrace & PT_PTRACED) && aa_may_ptrace(cxt, profile)) {
@@ -995,7 +995,8 @@ repeat:
if (APPARMOR_AUDIT(cxt))
aa_audit_message(cxt->profile, sa, AUDIT_APPARMOR_AUDIT);
- aa_change_task_context(task, new_cxt, profile, token, token_profile);
+ aa_change_task_context(task, new_cxt, profile, cookie,
+ previous_profile);
out:
if (aa_task_context(task) != new_cxt)
@@ -1006,7 +1007,7 @@ out:
return error;
}
-static int do_restore_profile(struct task_struct *task, u64 token,
+static int do_restore_profile(struct task_struct *task, u64 cookie,
struct aa_audit *sa)
{
struct aa_profile *profile = NULL;
@@ -1025,25 +1026,26 @@ repeat:
}
/* ignore returning to stored profile when there isn't one */
- if (!cxt->token_profile)
+ if (!cxt->previous_profile)
goto out;
if (!profile)
- /* setting profile with token_profile is locking safe */
- profile = aa_dup_profile(cxt->token_profile);
+ /* setting profile with previous_profile is locking safe */
+ profile = aa_dup_profile(cxt->previous_profile);
if (profile->isstale || (old_cxt && old_cxt != cxt)) {
- struct aa_profile *token_profile;
- token_profile = aa_dup_profile(cxt->token_profile);
+ struct aa_profile *previous_profile;
+
+ previous_profile = aa_dup_profile(cxt->previous_profile);
old_cxt = cxt;
unlock_task_and_profiles(task, cxt, profile);
aa_put_profile(profile);
- profile = aa_find_profile(token_profile->name);
- aa_put_profile(token_profile);
+ profile = aa_find_profile(previous_profile->name);
+ aa_put_profile(previous_profile);
goto repeat;
}
- if (cxt->token != token) {
+ if (cxt->cookie != cookie) {
error = -EACCES;
sa->info = "killing process";
aa_audit_reject(profile, sa);
@@ -1074,15 +1076,15 @@ out:
/**
* aa_change_profile - change profile to/from previous stored profile
* @name: name of profile to change to
- * @token: token to validate the profile change
+ * @cookie: magic value to validate the profile change
*
- * Change to new profile @name, and store the @token in the current task
- * context. If the new @name is %NULL and the @token matches that
- * stored in the current task context, return to the stored token_profile.
+ * Change to new profile @name, and store the @cookie in the current task
+ * context. If the new @name is %NULL and the @cookie matches that
+ * stored in the current task context, return to the previous profile.
*
* Returns %0 on success, error otherwise.
*/
-int aa_change_profile(const char *name, u64 token)
+int aa_change_profile(const char *name, u64 cookie)
{
struct aa_profile *profile;
struct aa_audit sa;
@@ -1090,7 +1092,7 @@ int aa_change_profile(const char *name,
memset(&sa, 0, sizeof(sa));
sa.gfp_mask = GFP_ATOMIC;
- sa.token = token;
+ sa.cookie = cookie;
sa.name = name;
sa.operation = "change_profile";
@@ -1107,9 +1109,9 @@ int aa_change_profile(const char *name,
return -EACCES;
}
- error = do_change_profile(current, name, NULL, token, &sa);
+ error = do_change_profile(current, name, NULL, cookie, &sa);
} else {
- error = do_restore_profile(current, token, &sa);
+ error = do_restore_profile(current, cookie, &sa);
}
aa_put_profile(profile);
@@ -1119,22 +1121,22 @@ int aa_change_profile(const char *name,
/**
* aa_change_hat - change hat to/from subprofile
* @hat_name: hat to change to
- * @token: token to validate the hat change
+ * @cookie: magic value to validate the hat change
*
* Change to new @hat_name, and store the @hat_magic in the current task
- * context. If the new @hat_name is %NULL and the @token matches that
+ * context. If the new @hat_name is %NULL and the @cookie matches that
* stored in the current task context and is not 0, return to the top level
* profile.
* Returns %0 on success, error otherwise.
*/
-int aa_change_hat(const char *hat_name, u64 token)
+int aa_change_hat(const char *hat_name, u64 cookie)
{
struct aa_audit sa;
int error = 0;
memset(&sa, 0, sizeof(sa));
sa.gfp_mask = GFP_ATOMIC;
- sa.token = token;
+ sa.cookie = cookie;
sa.name = hat_name;
sa.operation = "change_hat";
@@ -1142,9 +1144,9 @@ int aa_change_hat(const char *hat_name,
* hats so that we can return -ECHILD
*/
if (hat_name)
- error = do_change_profile(current, NULL, hat_name, token, &sa);
+ error = do_change_profile(current, NULL, hat_name, cookie, &sa);
else
- error = do_restore_profile(current, token, &sa);
+ error = do_restore_profile(current, cookie, &sa);
return error;
}
@@ -1214,7 +1216,7 @@ repeat:
if (cxt) {
old_profile = cxt->profile;
if (lock_token)
- profile = cxt->token_profile;
+ profile = cxt->previous_profile;
}
lock_both_profiles(profile, old_profile);
task_lock(task);
@@ -1238,7 +1240,7 @@ void unlock_task_and_profiles(struct tas
{
task_unlock(task);
if (cxt && !profile)
- profile = cxt->token_profile;
+ profile = cxt->previous_profile;
unlock_both_profiles(profile, cxt ? cxt->profile : NULL);
}
@@ -1256,13 +1258,13 @@ static void free_aa_task_context_rcu_cal
* @task: task that is having its task context changed
* @new_cxt: new task context to use after the switch
* @profile: new profile to use after the switch
- * @token: token value to switch to
- * @token_profile: profile that can be returned to
+ * @cookie: magic value to switch to
+ * @previous_profile: profile the task can return to
*/
void aa_change_task_context(struct task_struct *task,
struct aa_task_context *new_cxt,
- struct aa_profile *profile, u64 token,
- struct aa_profile *token_profile)
+ struct aa_profile *profile, u64 cookie,
+ struct aa_profile *previous_profile)
{
struct aa_task_context *old_cxt = aa_task_context(task);
@@ -1274,10 +1276,10 @@ void aa_change_task_context(struct task_
/* clear the caps_logged cache, so that new profile/hat has
* chance to emit its own set of cap messages */
new_cxt->caps_logged = CAP_EMPTY_SET;
- new_cxt->token = token;
+ new_cxt->cookie = cookie;
new_cxt->task = task;
new_cxt->profile = aa_dup_profile(profile);
- new_cxt->token_profile = aa_dup_profile(token_profile);
+ new_cxt->previous_profile = aa_dup_profile(previous_profile);
list_move(&new_cxt->list, &profile->task_contexts);
}
rcu_assign_pointer(task->security, new_cxt);
--- a/security/apparmor/module_interface.c
+++ b/security/apparmor/module_interface.c
@@ -391,8 +391,8 @@ static inline void task_replace(struct t
cxt->task->pid,
cxt->profile->name, cxt->profile);
- aa_change_task_context(task, new_cxt, new_profile, cxt->token,
- cxt->token_profile);
+ aa_change_task_context(task, new_cxt, new_profile, cxt->cookie,
+ cxt->previous_profile);
}
/**
--- a/security/apparmor/procattr.c
+++ b/security/apparmor/procattr.c
@@ -50,11 +50,11 @@ int aa_getprocattr(struct aa_profile *pr
return 0;
}
-static char *split_token_from_name(const char *op, char *args, u64 *token)
+static char *split_token_from_name(const char *op, char *args, u64 *cookie)
{
char *name;
- *token = simple_strtoull(args, &name, 16);
+ *cookie = simple_strtoull(args, &name, 16);
if (name == args || *name != '^') {
AA_ERROR("%s: Invalid input '%s'", op, args);
return ERR_PTR(-EINVAL);
@@ -68,33 +68,33 @@ static char *split_token_from_name(const
int aa_setprocattr_changehat(char *args)
{
char *hat;
- u64 token;
+ u64 cookie;
- hat = split_token_from_name("change_hat", args, &token);
+ hat = split_token_from_name("change_hat", args, &cookie);
if (IS_ERR(hat))
return PTR_ERR(hat);
- if (!hat && !token) {
+ if (!hat && !cookie) {
AA_ERROR("change_hat: Invalid input, NULL hat and NULL magic");
return -EINVAL;
}
AA_DEBUG("%s: Magic 0x%llx Hat '%s'\n",
- __FUNCTION__, token, hat ? hat : NULL);
+ __FUNCTION__, cookie, hat ? hat : NULL);
- return aa_change_hat(hat, token);
+ return aa_change_hat(hat, cookie);
}
int aa_setprocattr_changeprofile(char *args)
{
char *name;
- u64 token;
+ u64 cookie;
- name = split_token_from_name("change_profile", args, &token);
+ name = split_token_from_name("change_profile", args, &cookie);
if (IS_ERR(name))
return PTR_ERR(name);
- return aa_change_profile(name, token);
+ return aa_change_profile(name, cookie);
}
int aa_setprocattr_setprofile(struct task_struct *task, char *args)

5
kernel-patches/for-mainline/series
View File

@@ -60,11 +60,16 @@ audit-pairs-4.diff
audit-link-perms.diff
audit-remove-buffer.diff
#multi-profile-load.diff
fix_link_perm.diff
change_profile.diff
flatten-hats.diff
flatten-hats-2.diff
#change_hat-to-change_profile.diff
use-interface_lock.diff
change_profile-current.diff
change_profile-permenent.diff
change_profile-spin-onstale.diff
change_profile-no-return.diff
do_path_lookup-nameidata.diff
sys_fchdir-nameidata.diff
file_permission-nameidata.diff