mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-04 00:05:14 +00:00
Code Issues Releases Wiki Activity

remove comm from apparmor messages. They are only human readable hints and getting task->comm using proper locking results in a deadlock in interrupt context

Browse Source
This commit is contained in:
John Johansen
2007-04-30 22:53:38 +00:00
parent 53c97e6696
commit 85beaaac65
2 changed files with 237 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

236
kernel-patches/for-mainline/apparmor-del-comm.diff Normal file
View File

@@ -0,0 +1,236 @@
---
security/apparmor/apparmor.h | 8 ++++----
security/apparmor/apparmorfs.c | 4 ++--
security/apparmor/lsm.c | 7 ++-----
security/apparmor/main.c | 29 ++++++++++-------------------
security/apparmor/module_interface.c | 4 ++--
security/apparmor/procattr.c | 24 +++++++++++-------------
6 files changed, 31 insertions(+), 45 deletions(-)
--- a/security/apparmor/apparmor.h
+++ b/security/apparmor/apparmor.h
@@ -77,8 +77,8 @@ extern unsigned int apparmor_path_max;
#define AA_REJECT_MSG(p, gfp, fmt, args...) \
aa_audit_message((p), (gfp), 0, \
"REJECTING " fmt \
- " (%s(%d) profile %s active %s)", ##args, \
- current->comm, current->pid, \
+ " (%d profile %s active %s)", ##args, \
+ current->pid, \
(p)->parent->name, (p)->name)
#define AA_ERROR(fmt, args...) printk(KERN_ERR "AppArmor: " fmt, ##args)
@@ -198,8 +198,8 @@ struct aa_audit {
#define LOG_HINT(p, gfp, hint, fmt, args...) \
aa_audit_message((p), (gfp), 0, \
"LOGPROF-HINT " hint " " fmt \
- " (%s(%d) profile %s active %s)", ##args, \
- current->comm, current->pid, \
+ " (%d profile %s active %s)", ##args, \
+ current->pid, \
(p)->parent->name, (p)->name)
/* Flags for the permission check functions */
Files a/security/apparmor/apparmor.o and b/security/apparmor/apparmor.o differ
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -38,9 +38,9 @@ static char *aa_simple_write_to_buffer(c
*/
profile = aa_get_profile(current);
if (profile) {
- AA_WARN(GFP_KERNEL, "REJECTING access to profile %s (%s(%d) "
+ AA_WARN(GFP_KERNEL, "REJECTING access to profile %s (%d "
"profile %s active %s)",
- msg, current->comm, current->pid,
+ msg, current->pid,
profile->parent->name, profile->name);
aa_put_profile(profile);
Files a/security/apparmor/apparmorfs.o and b/security/apparmor/apparmorfs.o differ
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -623,9 +623,8 @@ static int apparmor_setprocattr(struct t
if (profile) {
aa_put_profile(profile);
AA_WARN(GFP_KERNEL,
- "Attempt by confined task %s(%d) "
+ "Attempt by confined task %d "
"[user %d] to assign profile to task %s(%d)",
- current->comm,
current->pid,
current->uid,
task->comm,
@@ -635,13 +634,11 @@ static int apparmor_setprocattr(struct t
error = aa_setprocattr_setprofile(task, args);
} else {
AA_ERROR("Unknown setprocattr command '%.*s' "
- "by task %s(%d) [user %d] for task %s(%d)",
+ "by task %d [user %d] for task %d",
size < 16 ? (int)size : 16,
command,
- current->comm,
current->pid,
current->uid,
- task->comm,
task->pid);
error = -EINVAL;
}
Files a/security/apparmor/lsm.o and b/security/apparmor/lsm.o differ
--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -403,7 +403,6 @@ int aa_audit(struct aa_profile *profile,
opspec_error = -EACCES;
const gfp_t gfp_mask = sa->gfp_mask;
- char comm_buffer[2 * sizeof(current->comm)], *comm;
/*
* sa->result: 1 success, 0 failure
@@ -535,15 +534,8 @@ int aa_audit(struct aa_profile *profile,
return error;
}
- comm = comm_buffer + sizeof(comm_buffer) - sizeof(current->comm);
- get_task_comm(comm, current);
- comm = mangle(comm, comm_buffer);
- if (!comm)
- comm = "?";
-
- audit_log_format(ab, "(%s(%d) profile %s active %s)",
- comm, current->pid,
- profile->parent->name, profile->name);
+ audit_log_format(ab, "(%d profile %s active %s)",
+ current->pid, profile->parent->name, profile->name);
audit_log_end(ab);
@@ -943,10 +935,10 @@ repeat:
default:
AA_ERROR("Rejecting exec(2) of image '%s'. "
"Unknown exec qualifier %x "
- "(%s (pid %d) profile %s active %s)\n",
+ "(%d profile %s active %s)\n",
filename,
exec_mode & AA_EXEC_MODIFIERS,
- current->comm, current->pid,
+ current->pid,
profile->parent->name,
profile->name);
new_profile = ERR_PTR(-EPERM);
@@ -1105,10 +1097,10 @@ static int do_change_hat(const char *hat
} else {
AA_DEBUG("%s: Unknown hatname '%s'. "
"Changing to NULL profile "
- "(%s(%d) profile %s active %s)\n",
+ "(%d profile %s active %s)\n",
__FUNCTION__,
hat_name,
- current->comm, current->pid,
+ current->pid,
profile->parent->name,
profile->name);
error = -EACCES;
@@ -1203,11 +1195,10 @@ int aa_change_hat(const char *hat_name,
cxt->hat_magic);
}
} else if (cxt->hat_magic) {
- AA_ERROR("KILLING process %s(%d) "
+ AA_ERROR("KILLING process %d "
"Invalid change_hat() magic# 0x%llx "
"(hatname %s profile %s active %s)\n",
- current->comm, current->pid,
- hat_magic,
+ current->pid, hat_magic,
hat_name ? hat_name : "NULL",
profile->parent->name,
profile->name);
@@ -1215,10 +1206,10 @@ int aa_change_hat(const char *hat_name,
/* terminate current process */
(void)send_sig_info(SIGKILL, NULL, current);
} else { /* cxt->hat_magic == 0 */
- AA_ERROR("KILLING process %s(%d) "
+ AA_ERROR("KILLING process %d "
"Task was confined to current subprofile "
"(profile %s active %s)\n",
- current->comm, current->pid,
+ current->pid,
profile->parent->name,
profile->name);
Files a/security/apparmor/main.o and b/security/apparmor/main.o differ
--- a/security/apparmor/module_interface.c
+++ b/security/apparmor/module_interface.c
@@ -407,10 +407,10 @@ static inline void task_replace(struct t
{
struct aa_task_context *cxt = aa_task_context(task);
- AA_DEBUG("%s: replacing profile for task %s(%d) "
+ AA_DEBUG("%s: replacing profile for task %d "
"profile=%s (%p) hat=%s (%p)\n",
__FUNCTION__,
- cxt->task->comm, cxt->task->pid,
+ cxt->task->pid,
cxt->profile->parent->name, cxt->profile->parent,
cxt->profile->name, cxt->profile);
Files a/security/apparmor/module_interface.o and b/security/apparmor/module_interface.o differ
--- a/security/apparmor/procattr.c
+++ b/security/apparmor/procattr.c
@@ -82,8 +82,8 @@ int aa_setprocattr_setprofile(struct tas
{
struct aa_profile *old_profile, *new_profile;
- AA_DEBUG("%s: current %s(%d)\n",
- __FUNCTION__, current->comm, current->pid);
+ AA_DEBUG("%s: current %d\n",
+ __FUNCTION__, current->pid);
repeat:
if (strcmp(args, "unconfined") == 0)
@@ -92,10 +92,9 @@ repeat:
new_profile = aa_find_profile(args);
if (!new_profile) {
AA_WARN(GFP_KERNEL,
- "Unable to switch task %s(%d) to profile"
+ "Unable to switch task %d to profile"
"'%s'. No such profile.",
- task->comm, task->pid,
- args);
+ task->pid, args);
return -EINVAL;
}
@@ -114,9 +113,9 @@ repeat:
if (new_profile) {
AA_WARN(GFP_KERNEL,
- "Switching task %s(%d) "
- "profile %s active %s to new profile %s",
- task->comm, task->pid,
+ "Switching task %d profile %s "
+ "active %s to new profile %s",
+ task->pid,
old_profile ? old_profile->parent->name :
"unconfined",
old_profile ? old_profile->name : "unconfined",
@@ -124,15 +123,14 @@ repeat:
} else {
if (old_profile) {
AA_WARN(GFP_KERNEL,
- "Unconfining task %s(%d) "
- "profile %s active %s",
- task->comm, task->pid,
+ "Unconfining task %d profile %s active %s",
+ task->pid,
old_profile->parent->name,
old_profile->name);
} else {
AA_WARN(GFP_KERNEL,
- "task %s(%d) is already unconfined",
- task->comm, task->pid);
+ "task %d is already unconfined",
+ task->pid);
}
}
Files a/security/apparmor/procattr.o and b/security/apparmor/procattr.o differ

1
kernel-patches/for-mainline/series
View File

@@ -41,6 +41,7 @@ apparmor-lsm.diff
apparmor-module_interface.diff apparmor-module_interface.diff
apparmor-misc.diff apparmor-misc.diff
apparmor-intree.diff apparmor-intree.diff
apparmor-del-comm.diff
do_path_lookup-nameidata.diff do_path_lookup-nameidata.diff
sys_fchdir-nameidata.diff sys_fchdir-nameidata.diff
file_permission-nameidata.diff file_permission-nameidata.diff