From c50858a8779102405fcaddbb92cc3be8430e6dfc Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Thu, 15 Mar 2012 12:54:34 -0700
Subject: [PATCH] Update permission mapping for changes made to the upstream kernel patch.
The changes are around how user data is handled.
1. permissions are mapped before data is matched
2. If data is to be mapped a AA_CONT_MATCH flag is set in the permissions which allows data matching to continue.
3. If data auditing is to occur the AA_AUDIT_MNT_DATA flag is set
This allows better control over matching and auditing of data which can be binary and should not be matched or audited
Signed-off-by: John Johansen
Acked-By: Steve Beattie
---
 parser/mount.h | 6 +++--
 parser/parser_regex.c | 56 ++++++++++++++++++++++++++++++++++++-------
 2 files changed, 52 insertions(+), 10 deletions(-)
diff --git a/parser/mount.h b/parser/mount.h
index 8a102edb3..ebadfddcf 100644
--- a/parser/mount.h
+++ b/parser/mount.h
@@ -103,8 +103,10 @@
 #define AA_MAY_PIVOTROOT 1
 #define AA_MAY_MOUNT 2
 #define AA_MAY_UMOUNT 4
-#define AA_DUMMY_REMOUNT 32 /* dummy perm for remount rule - is remapped
- * to a mount option*/
+#define AA_MATCH_CONT 0x40
+#define AA_AUDIT_MNT_DATA AA_MATCH_CONT
+#define AA_DUMMY_REMOUNT 0x40000000 /* dummy perm for remount rule - is
+ * remapped to a mount option*/
 struct mnt_entry {
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 0e6e4490a..8c34799a0 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -784,6 +784,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_REMOUNT) && !entry->device && !entry->dev_type) {
+ int allow;
 /* remount can't be conditional on device and type */
 p = mntbuf;
 /* rule class single byte header */
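Review bot: `AA_AUDIT_MNT_DATA` is defined as a plain alias of `AA_MATCH_CONT` (both 0x40) with no comment that the two flags belong to different masks; in parser_regex.c the former is OR'd into the audit argument and the latter into the allow argument of aare_add_rule_vec, so sharing the bit value is only safe while that separation holds. A one-line comment on the alias, `/* same bit as AA_MATCH_CONT; set only in the audit mask, never in allow/deny */`, would keep the next reader from treating the two as interchangeable. The commit message also calls the flag AA_CONT_MATCH while the header defines AA_MATCH_CONT, so one of the two names should be corrected.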
@@ -816,11 +817,31 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 vec[3] = flagsbuf;
 if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
 goto fail;
- vec[4] = optsbuf;
- if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
- entry->audit, 5, vec, dfaflags))
+
+ if (entry->opts)
+ allow = AA_MATCH_CONT;
+ else
+ allow = entry->allow;
+
+ /* rule for match without required data || data MATCH_CONT */
+ if (!aare_add_rule_vec(dfarules, entry->deny, allow,
+ entry->audit | AA_AUDIT_MNT_DATA, 4,
+ vec, dfaflags))
 goto fail;
 count++;
+
+ if (entry->opts) {
+ /* rule with data match required */
+ if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
+ goto fail;
+ vec[4] = optsbuf;
+ if (!aare_add_rule_vec(dfarules, entry->deny,
+ entry->allow,
+ entry->audit | AA_AUDIT_MNT_DATA,
+ 5, vec, dfaflags))
+ goto fail;
+ count++;
+ }
 }
 if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_BIND) && !entry->dev_type && !entry->opts) {
@@ -919,6 +940,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 }
 if ((entry->allow & AA_MAY_MOUNT) && (entry->flags | entry->inv_flags) & ~MS_CMDS) {
+ int allow;
 /* generic mount if flags are set that are not covered by
 * above commands */
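Review bot: The `build_mnt_opts` call kept as context just above the removed `vec[4] = optsbuf;` is now dead work: its result never reaches the 4-element rule, and the new `if (entry->opts)` block rebuilds optsbuf before using it. The parallel hunk at -944 drops that leading call, so for consistency delete the two lines `if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))` / `goto fail;` that precede the new allow selection here as well. Separately, `AA_AUDIT_MNT_DATA` is OR'd into the audit mask of the 4-element rule even when entry->opts is NULL and no data is matched at all, which reads at odds with the commit message's "if data auditing is to occur"; if that is deliberate, a short comment on the first aare_add_rule_vec saying why would help. process_mnt_entry starts and ends outside this hunk.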
@@ -944,13 +966,31 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
 if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
 goto fail;
 vec[3] = flagsbuf;
- if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
- goto fail;
- vec[4] = optsbuf;
- if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
- entry->audit, 5, vec, dfaflags))
+
+ if (entry->opts)
+ allow = AA_MATCH_CONT;
+ else
+ allow = entry->allow;
+
+ /* rule for match without required data || data MATCH_CONT */
+ if (!aare_add_rule_vec(dfarules, entry->deny, allow,
+ entry->audit | AA_AUDIT_MNT_DATA, 4,
+ vec, dfaflags))
 goto fail;
 count++;
+
+ if (entry->opts) {
+ /* rule with data match required */
+ if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
+ goto fail;
+ vec[4] = optsbuf;
+ if (!aare_add_rule_vec(dfarules, entry->deny,
+ entry->allow,
+ entry->audit | AA_AUDIT_MNT_DATA,
+ 5, vec, dfaflags))
+ goto fail;
+ count++;
+ }
 }
 if (entry->allow & AA_MAY_UMOUNT) {
 p = mntbuf;