Updated AppArmor with a newer backported AppArmor release by UBports
@@ -15,38 +15,75 @@
|
||||
#ifndef __AA_FILE_H
|
||||
#define __AA_FILE_H
|
||||
|
||||
#include <linux/spinlock.h>
|
||||
|
||||
#include "domain.h"
|
||||
#include "match.h"
|
||||
#include "label.h"
|
||||
#include "perms.h"
|
||||
|
||||
struct aa_profile;
|
||||
struct path;
|
||||
|
||||
/*
|
||||
* We use MAY_EXEC, MAY_WRITE, MAY_READ, MAY_APPEND and the following flags
|
||||
* for profile permissions
|
||||
*/
|
||||
#define AA_MAY_CREATE 0x0010
|
||||
#define AA_MAY_DELETE 0x0020
|
||||
#define AA_MAY_META_WRITE 0x0040
|
||||
#define AA_MAY_META_READ 0x0080
|
||||
|
||||
#define AA_MAY_CHMOD 0x0100
|
||||
#define AA_MAY_CHOWN 0x0200
|
||||
#define AA_MAY_LOCK 0x0400
|
||||
#define AA_EXEC_MMAP 0x0800
|
||||
|
||||
#define AA_MAY_LINK 0x1000
|
||||
#define AA_LINK_SUBSET AA_MAY_LOCK /* overlaid */
|
||||
#define AA_MAY_ONEXEC 0x40000000 /* exec allows onexec */
|
||||
#define AA_MAY_CHANGE_PROFILE 0x80000000
|
||||
#define AA_MAY_CHANGEHAT 0x80000000 /* ctrl auditing only */
|
||||
#define mask_mode_t(X) (X & (MAY_EXEC | MAY_WRITE | MAY_READ | MAY_APPEND))
|
||||
|
||||
#define AA_AUDIT_FILE_MASK (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND |\
|
||||
AA_MAY_CREATE | AA_MAY_DELETE | \
|
||||
AA_MAY_META_READ | AA_MAY_META_WRITE | \
|
||||
AA_MAY_GETATTR | AA_MAY_SETATTR | \
|
||||
AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_LOCK | \
|
||||
AA_EXEC_MMAP | AA_MAY_LINK)
|
||||
|
||||
#define file_cxt(X) ((struct aa_file_cxt *)(X)->f_security)
|
||||
|
||||
/* struct aa_file_cxt - the AppArmor context the file was opened in
|
||||
* @lock: lock to update the cxt
|
||||
* @label: label currently cached on the cxt
|
||||
* @perms: the permission the file was opened with
|
||||
*/
|
||||
struct aa_file_cxt {
|
||||
spinlock_t lock;
|
||||
struct aa_label __rcu *label;
|
||||
u32 allow;
|
||||
};
|
||||
|
||||
/**
|
||||
* aa_alloc_file_cxt - allocate file_cxt
|
||||
* @label: initial label of task creating the file
|
||||
* @gfp: gfp flags for allocation
|
||||
*
|
||||
* Returns: file_cxt or NULL on failure
|
||||
*/
|
||||
static inline struct aa_file_cxt *aa_alloc_file_cxt(struct aa_label *label, gfp_t gfp)
|
||||
{
|
||||
struct aa_file_cxt *cxt;
|
||||
|
||||
cxt = kzalloc(sizeof(struct aa_file_cxt), gfp);
|
||||
if (cxt) {
|
||||
spin_lock_init(&cxt->lock);
|
||||
rcu_assign_pointer(cxt->label, aa_get_label(label));
|
||||
}
|
||||
return cxt;
|
||||
}
|
||||
|
||||
/**
|
||||
* aa_free_file_cxt - free a file_cxt
|
||||
* @cxt: file_cxt to free (MAYBE_NULL)
|
||||
*/
|
||||
static inline void aa_free_file_cxt(struct aa_file_cxt *cxt)
|
||||
{
|
||||
if (cxt) {
|
||||
aa_put_label(rcu_access_pointer(cxt->label));
|
||||
kzfree(cxt);
|
||||
}
|
||||
}
|
||||
|
||||
static inline struct aa_label *aa_get_file_label(struct aa_file_cxt *cxt)
|
||||
{
|
||||
return aa_get_label_rcu(&cxt->label);
|
||||
}
|
||||
|
||||
#define inode_cxt(X) (X)->i_security
|
||||
|
||||
/*
|
||||
* The xindex is broken into 3 parts
|
||||
* - index - an index into either the exec name table or the variable table
|
||||
@@ -145,8 +182,8 @@ static inline u16 dfa_map_xindex(u16 mask)
|
||||
dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
|
||||
|
||||
int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
|
||||
gfp_t gfp, int op, u32 request, const char *name,
|
||||
const char *target, kuid_t ouid, const char *info, int error);
|
||||
int op, u32 request, const char *name, const char *target,
|
||||
kuid_t ouid, const char *info, int error);
|
||||
|
||||
/**
|
||||
* struct aa_file_rules - components used for file rule permissions
|
||||
@@ -171,26 +208,26 @@ unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
|
||||
const char *name, struct path_cond *cond,
|
||||
struct file_perms *perms);
|
||||
|
||||
int aa_path_perm(int op, struct aa_profile *profile, struct path *path,
|
||||
int __aa_path_perm(int op, struct aa_profile *profile, const char *name,
|
||||
u32 request, struct path_cond *cond, int flags,
|
||||
struct file_perms *perms);
|
||||
int aa_path_perm(int op, struct aa_label *label, struct path *path,
|
||||
int flags, u32 request, struct path_cond *cond);
|
||||
|
||||
int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
|
||||
int aa_path_link(struct aa_label *label, struct dentry *old_dentry,
|
||||
struct path *new_dir, struct dentry *new_dentry);
|
||||
|
||||
int aa_file_perm(int op, struct aa_profile *profile, struct file *file,
|
||||
int aa_file_perm(int op, struct aa_label *label, struct file *file,
|
||||
u32 request);
|
||||
|
||||
void aa_inherit_files(const struct cred *cred, struct files_struct *files);
|
||||
|
||||
static inline void aa_free_file_rules(struct aa_file_rules *rules)
|
||||
{
|
||||
aa_put_dfa(rules->dfa);
|
||||
aa_free_domain_entries(&rules->trans);
|
||||
}
|
||||
|
||||
#define ACC_FMODE(x) (("\000\004\002\006"[(x)&O_ACCMODE]) | (((x) << 1) & 0x40))
|
||||
|
||||
/* from namei.c */
|
||||
#define MAP_OPEN_FLAGS(x) ((((x) + 1) & O_ACCMODE) ? (x) + 1 : (x))
|
||||
|
||||
/**
|
||||
* aa_map_file_perms - map file flags to AppArmor permissions
|
||||
* @file: open file to map flags to AppArmor permissions
|
||||
@@ -199,8 +236,13 @@ static inline void aa_free_file_rules(struct aa_file_rules *rules)
|
||||
*/
|
||||
static inline u32 aa_map_file_to_perms(struct file *file)
|
||||
{
|
||||
int flags = MAP_OPEN_FLAGS(file->f_flags);
|
||||
u32 perms = ACC_FMODE(file->f_mode);
|
||||
int flags = file->f_flags;
|
||||
u32 perms = 0;
|
||||
|
||||
if (file->f_mode & FMODE_WRITE)
|
||||
perms |= MAY_WRITE;
|
||||
if (file->f_mode & FMODE_READ)
|
||||
perms |= MAY_READ;
|
||||
|
||||
if ((flags & O_APPEND) && (perms & MAY_WRITE))
|
||||
perms = (perms & ~MAY_WRITE) | MAY_APPEND;
|
||||
|
||||
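Review bot: The kernel-doc for struct aa_file_cxt in the first hunk documents a `@perms` member, but the struct that follows declares `u32 allow;`, so the comment no longer describes the definition; change that line to `* @allow: the permissions the file was opened with` (or rename the field if `perms` was the intent). In the same hunk, `AA_AUDIT_FILE_MASK` now references `AA_MAY_GETATTR` and `AA_MAY_SETATTR`, which are not defined anywhere in this header; presumably they come from the newly included perms.h, which is worth confirming so the header stays self-contained. Because the rendered view has lost the +/- markers, it is not certain which of these lines are new and which are carried over, but both apply to the file as it reads after the commit.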