Add 64bit capabilities
@@ -92,11 +92,11 @@ struct codomain {
|
|||||||
|
|
||||||
struct flagval flags;
|
struct flagval flags;
|
||||||
|
|
||||||
unsigned int capabilities;
|
uint64_t capabilities;
|
||||||
unsigned int audit_caps;
|
uint64_t audit_caps;
|
||||||
unsigned int deny_caps;
|
uint64_t deny_caps;
|
||||||
unsigned int quiet_caps;
|
uint64_t quiet_caps;
|
||||||
unsigned int set_caps;
|
uint64_t set_caps;
|
||||||
|
|
||||||
unsigned int *network_allowed; /* array of type masks
|
unsigned int *network_allowed; /* array of type masks
|
||||||
* indexed by AF_FAMILY */
|
* indexed by AF_FAMILY */
|
||||||
|
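Review bot: The five `uint64_t` fields added to `struct codomain` need `<stdint.h>` (or a header that pulls it in) to be visible in this header, and the hunk does not show an include being added, so every other includer of this header depends on getting the type from somewhere else — worth confirming, since the hunk cannot show it. The masks also deserve a one-line contract now that they are wider than `unsigned int`: `uint64_t capabilities; /* bitmask, bit n == CAP_TO_MASK(n) for CAP_* number n; bits 32+ are valid */`. Any consumer that still copies one of these into an `unsigned int` or builds a bit with `1 << n` silently drops the new high word, so sites outside this diff should be checked for that pattern. The struct's definition starts outside this hunk.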
@@ -610,7 +610,7 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
|
|||||||
int flattened)
|
int flattened)
|
||||||
{
|
{
|
||||||
struct cod_entry *entry;
|
struct cod_entry *entry;
|
||||||
u32 allowed_caps;
|
uint64_t allowed_caps;
|
||||||
|
|
||||||
if (!sd_write_struct(p, "profile"))
|
if (!sd_write_struct(p, "profile"))
|
||||||
return 0;
|
return 0;
|
||||||
@@ -650,14 +650,31 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
|
|||||||
return 0;
|
return 0;
|
||||||
if (!sd_write_structend(p))
|
if (!sd_write_structend(p))
|
||||||
return 0;
|
return 0;
|
||||||
allowed_caps = (profile->capabilities | profile->set_caps) & ~profile->deny_caps;
|
|
||||||
if (!sd_write32(p, allowed_caps))
|
#define low_caps(X) ((u32) ((X) & 0xffffffff))
|
||||||
|
#define high_caps(X) ((u32) (((X) >> 32) & 0xffffffff))
|
||||||
|
allowed_caps = (profile->capabilities | profile->set_caps) &
|
||||||
|
~profile->deny_caps;
|
||||||
|
if (!sd_write32(p, low_caps(allowed_caps)))
|
||||||
return 0;
|
return 0;
|
||||||
if (!sd_write32(p, allowed_caps & profile->audit_caps))
|
if (!sd_write32(p, low_caps(allowed_caps & profile->audit_caps)))
|
||||||
return 0;
|
return 0;
|
||||||
if (!sd_write32(p, profile->deny_caps & profile->quiet_caps))
|
if (!sd_write32(p, low_caps(profile->deny_caps & profile->quiet_caps)))
|
||||||
return 0;
|
return 0;
|
||||||
if (!sd_write32(p, profile->set_caps & ~profile->deny_caps))
|
if (!sd_write32(p, low_caps(profile->set_caps & ~profile->deny_caps)))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
if (!sd_write_struct(p, "caps64"))
|
||||||
|
return 0;
|
||||||
|
if (!sd_write32(p, high_caps(allowed_caps)))
|
||||||
|
return 0;
|
||||||
|
if (!sd_write32(p, high_caps(allowed_caps & profile->audit_caps)))
|
||||||
|
return 0;
|
||||||
|
if (!sd_write32(p, high_caps(profile->deny_caps & profile->quiet_caps)))
|
||||||
|
return 0;
|
||||||
|
if (!sd_write32(p, high_caps(profile->set_caps & ~profile->deny_caps)))
|
||||||
|
return 0;
|
||||||
|
if (!sd_write_structend(p))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (!sd_serialize_rlimits(p, &profile->rlimits))
|
if (!sd_serialize_rlimits(p, &profile->rlimits))
|
||||||
|
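Review bot: `low_caps` and `high_caps` are `#define`d in the middle of `sd_serialize_profile` and never `#undef`ed, so they stay in effect for the rest of the translation unit and can collide with any later identifier of that name; file-scope, type-checked helpers do the same job: `static inline u32 low_caps(uint64_t x) { return (u32)(x & 0xffffffffULL); }` and `static inline u32 high_caps(uint64_t x) { return (u32)(x >> 32); }`. The new `caps64` element is written unconditionally after the four legacy 32-bit words; if the kernel-side unpacker rejects unknown named elements (not visible here), profiles produced by this compiler will fail to load on kernels without 64-bit capability support, so either gate the block on the kernel's reported ABI or document the requirement next to `sd_write_struct(p, "caps64")`. A short comment above the first `sd_write32` stating the wire layout — four 32-bit low words, then the `caps64` element carrying the high words in the same order — would help the next reader keep the two halves in step. `sd_serialize_profile` starts before this hunk and continues after it.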
@@ -806,7 +806,9 @@ static const char *capnames[] = {
|
|||||||
"mknod",
|
"mknod",
|
||||||
"lease",
|
"lease",
|
||||||
"audit_write",
|
"audit_write",
|
||||||
"audit_control"
|
"audit_control",
|
||||||
|
"setfcap",
|
||||||
|
"mac_override"
|
||||||
};
|
};
|
||||||
|
|
||||||
const char *capability_to_name(unsigned int cap)
|
const char *capability_to_name(unsigned int cap)
|
||||||
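Review bot: The new entries `"setfcap"` and `"mac_override"` land at indices 31 and 32 of `capnames`, and nothing in the table states that the index is the `CAP_*` number, so the next addition that is not appended in numeric order silently misnames every capability after it in `capability_to_name` and presumably in `name_to_capability`. A comment on the array would make the invariant explicit: `/* indexed by CAP_* number: capnames[CAP_SETFCAP] == "setfcap"; keep in step with the CAP_* fallback defines */`. With 33 entries, any remaining `1 << index` over this table (the debug loop is fixed in the next hunk; other sites are not visible here) overflows a 32-bit mask and needs `1ull` as well. The array's opening and the body of `capability_to_name` lie outside this hunk.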
@@ -837,7 +839,7 @@ void debug_cod_list(struct codomain *cod)
|
|||||||
|
|
||||||
printf("Capabilities:\t");
|
printf("Capabilities:\t");
|
||||||
for (i = 0; i < (sizeof(capnames)/sizeof(char *)); i++) {
|
for (i = 0; i < (sizeof(capnames)/sizeof(char *)); i++) {
|
||||||
if (((1 << i) & cod->capabilities) != 0) {
|
if (((1ull << i) & cod->capabilities) != 0) {
|
||||||
printf ("%s ", capability_to_name(i));
|
printf ("%s ", capability_to_name(i));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@@ -639,11 +639,11 @@ struct codomain *merge_policy(struct codomain *a, struct codomain *b)
|
|||||||
a->flags.complain = a->flags.complain || b->flags.complain;
|
a->flags.complain = a->flags.complain || b->flags.complain;
|
||||||
a->flags.audit = a->flags.audit || b->flags.audit;
|
a->flags.audit = a->flags.audit || b->flags.audit;
|
||||||
|
|
||||||
a->capabilities = a->capabilities | b->capabilities;
|
a->capabilities |= b->capabilities;
|
||||||
a->audit_caps = a->audit_caps | b->audit_caps;
|
a->audit_caps |= b->audit_caps;
|
||||||
a->deny_caps = a->deny_caps | b->deny_caps;
|
a->deny_caps |= b->deny_caps;
|
||||||
a->quiet_caps = a->quiet_caps | b->quiet_caps;
|
a->quiet_caps |= b->quiet_caps;
|
||||||
a->set_caps = a->set_caps | b->set_caps;
|
a->set_caps |= b->set_caps;
|
||||||
|
|
||||||
if (a->network_allowed) {
|
if (a->network_allowed) {
|
||||||
size_t i;
|
size_t i;
|
||||||
|
@@ -44,15 +44,24 @@
|
|||||||
#ifndef CAP_AUDIT_CONTROL
|
#ifndef CAP_AUDIT_CONTROL
|
||||||
#define CAP_AUDIT_CONTROL 30
|
#define CAP_AUDIT_CONTROL 30
|
||||||
#endif
|
#endif
|
||||||
|
#ifndef CAP_SETFCAP
|
||||||
/* A few utility defines */
|
#define CAP_SETFCAP 31
|
||||||
|
#endif
|
||||||
|
#ifndef CAP_MAC_OVERRIDE
|
||||||
|
#define CAP_MAC_OVERRIDE 32
|
||||||
|
#endif
|
||||||
|
|
||||||
#define CIDR_32 htonl(0xffffffff)
|
#define CIDR_32 htonl(0xffffffff)
|
||||||
#define CIDR_24 htonl(0xffffff00)
|
#define CIDR_24 htonl(0xffffff00)
|
||||||
#define CIDR_16 htonl(0xffff0000)
|
#define CIDR_16 htonl(0xffff0000)
|
||||||
#define CIDR_8 htonl(0xff000000)
|
#define CIDR_8 htonl(0xff000000)
|
||||||
|
|
||||||
#define CAP_TO_MASK(x) (1 << (x))
|
/* undefine linux/capability.h CAP_TO_MASK */
|
||||||
|
#ifdef CAP_TO_MASK
|
||||||
|
#undef CAP_TO_MASK
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#define CAP_TO_MASK(x) (1ull << (x))
|
||||||
|
|
||||||
/* from lex_config, for nice error messages */
|
/* from lex_config, for nice error messages */
|
||||||
/* extern char *current_file; */
|
/* extern char *current_file; */
|
||||||
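Review bot: The `#ifdef`/`#undef`/`#define` sequence replaces `CAP_TO_MASK`, a macro the comment itself attributes to `linux/capability.h`, with one of different meaning — if I remember the kernel header correctly its version is a per-32-bit-word mask meant to pair with `CAP_TO_INDEX`, while this one is an absolute 64-bit bit — so any code in this unit that relies on the kernel semantics after this point (none visible here) silently gets the parser's. Giving the parser's helper its own name, `#define AA_CAP_TO_MASK(x) (1ull << (x))`, and using it in the `caps` rules avoids the clash and removes the need to undefine a system macro. The fallback values `CAP_SETFCAP 31` and `CAP_MAC_OVERRIDE 32` must also agree with the positions of `"setfcap"` and `"mac_override"` in `capnames[]`; a comment next to the fallbacks, `/* values must match the index of the matching name in capnames[] */`, would keep the two in step.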
@@ -147,7 +156,7 @@ struct codomain *do_local_profile(struct codomain *cod, char *name, int mode, in
|
|||||||
struct cod_entry *user_entry;
|
struct cod_entry *user_entry;
|
||||||
struct flagval flags;
|
struct flagval flags;
|
||||||
int fmode;
|
int fmode;
|
||||||
unsigned int cap;
|
uint64_t cap;
|
||||||
unsigned int allowed_protocol;
|
unsigned int allowed_protocol;
|
||||||
char *set_var;
|
char *set_var;
|
||||||
char *bool_var;
|
char *bool_var;
|
||||||
@@ -1045,6 +1054,7 @@ caps: caps TOK_ID
|
|||||||
int cap = name_to_capability($2);
|
int cap = name_to_capability($2);
|
||||||
if (cap == -1)
|
if (cap == -1)
|
||||||
yyerror(_("Invalid capability %s."), $2);
|
yyerror(_("Invalid capability %s."), $2);
|
||||||
|
free($2);
|
||||||
$$ = $1 | CAP_TO_MASK(cap);
|
$$ = $1 | CAP_TO_MASK(cap);
|
||||||
}
|
}
|
||||||
|
|
||||||
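Review bot: After `if (cap == -1) yyerror(...)`, control still reaches `$$ = $1 | CAP_TO_MASK(cap);`, and with the macro now expanding to `1ull << (x)` a shift by -1 is undefined behaviour — harmless only if `yyerror` never returns, which this hunk cannot show. If it can return, guard the shift, e.g. `$$ = (cap == -1) ? $1 : ($1 | CAP_TO_MASK(cap));`, or declare `yyerror` with a noreturn attribute so the dead path is visible to the compiler. The added `free($2)` is correctly placed after the error message has used the string; the single-`TOK_ID` base rule in the next hunk has the identical shift question. The `caps` rule's action block starts before this hunk.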
@@ -1053,6 +1063,7 @@ caps: TOK_ID
|
|||||||
int cap = name_to_capability($1);
|
int cap = name_to_capability($1);
|
||||||
if (cap == -1)
|
if (cap == -1)
|
||||||
yyerror(_("Invalid capability %s."), $1);
|
yyerror(_("Invalid capability %s."), $1);
|
||||||
|
free($1);
|
||||||
$$ = CAP_TO_MASK(cap);
|
$$ = CAP_TO_MASK(cap);
|
||||||
};
|
};
|
||||||
|
|
||||||
|