apparmor: allow setting any profile into the unconfined state
Allow emulating the default profile behavior from boot, by allowing loading of a profile in the unconfined state into a new NS. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
This commit is contained in:
parent
8651e1d657
commit
038165070a
@ -371,8 +371,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
|
||||
error = aa_path_name(&bprm->file->f_path, profile->path_flags, &buffer,
|
||||
&name, &info);
|
||||
if (error) {
|
||||
if (profile->flags &
|
||||
(PFLAG_IX_ON_NAME_ERROR | PFLAG_UNCONFINED))
|
||||
if (unconfined(profile) ||
|
||||
(profile->flags & PFLAG_IX_ON_NAME_ERROR))
|
||||
error = 0;
|
||||
name = bprm->filename;
|
||||
goto audit;
|
||||
|
@ -56,11 +56,11 @@ enum profile_mode {
|
||||
APPARMOR_ENFORCE, /* enforce access rules */
|
||||
APPARMOR_COMPLAIN, /* allow and log access violations */
|
||||
APPARMOR_KILL, /* kill task on access violation */
|
||||
APPARMOR_UNCONFINED, /* profile set to unconfined */
|
||||
};
|
||||
|
||||
enum profile_flags {
|
||||
PFLAG_HAT = 1, /* profile is a hat */
|
||||
PFLAG_UNCONFINED = 2, /* profile is an unconfined profile */
|
||||
PFLAG_NULL = 4, /* profile is null learning profile */
|
||||
PFLAG_IX_ON_NAME_ERROR = 8, /* fallback to ix on name lookup fail */
|
||||
PFLAG_IMMUTABLE = 0x10, /* don't allow changes/replacement */
|
||||
@ -199,7 +199,7 @@ struct aa_profile {
|
||||
struct aa_dfa *xmatch;
|
||||
int xmatch_len;
|
||||
enum audit_mode audit;
|
||||
enum profile_mode mode;
|
||||
long mode;
|
||||
long flags;
|
||||
u32 path_flags;
|
||||
int size;
|
||||
@ -240,7 +240,7 @@ ssize_t aa_remove_profiles(char *name, size_t size);
|
||||
#define PROF_ADD 1
|
||||
#define PROF_REPLACE 0
|
||||
|
||||
#define unconfined(X) ((X)->flags & PFLAG_UNCONFINED)
|
||||
#define unconfined(X) ((X)->mode == APPARMOR_UNCONFINED)
|
||||
|
||||
|
||||
/**
|
||||
|
@ -27,6 +27,13 @@ struct aa_load_ent {
|
||||
void aa_load_ent_free(struct aa_load_ent *ent);
|
||||
struct aa_load_ent *aa_load_ent_alloc(void);
|
||||
|
||||
#define PACKED_FLAG_HAT 1
|
||||
|
||||
#define PACKED_MODE_ENFORCE 0
|
||||
#define PACKED_MODE_COMPLAIN 1
|
||||
#define PACKED_MODE_KILL 2
|
||||
#define PACKED_MODE_UNCONFINED 3
|
||||
|
||||
int aa_unpack(void *udata, size_t size, struct list_head *lh, const char **ns);
|
||||
|
||||
#endif /* __POLICY_INTERFACE_H */
|
||||
|
@ -96,6 +96,7 @@ const char *const profile_mode_names[] = {
|
||||
"enforce",
|
||||
"complain",
|
||||
"kill",
|
||||
"unconfined",
|
||||
};
|
||||
|
||||
/**
|
||||
@ -290,8 +291,9 @@ static struct aa_namespace *alloc_namespace(const char *prefix,
|
||||
if (!ns->unconfined)
|
||||
goto fail_unconfined;
|
||||
|
||||
ns->unconfined->flags = PFLAG_UNCONFINED | PFLAG_IX_ON_NAME_ERROR |
|
||||
PFLAG_IMMUTABLE | PFLAG_NS_COUNT;
|
||||
ns->unconfined->flags = PFLAG_IX_ON_NAME_ERROR |
|
||||
PFLAG_IMMUTABLE | PFLAG_NS_COUNT;
|
||||
ns->unconfined->mode = APPARMOR_UNCONFINED;
|
||||
|
||||
/* ns and ns->unconfined share ns->unconfined refcount */
|
||||
ns->unconfined->ns = ns;
|
||||
|
@ -511,12 +511,16 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
|
||||
goto fail;
|
||||
if (!unpack_u32(e, &tmp, NULL))
|
||||
goto fail;
|
||||
if (tmp)
|
||||
if (tmp & PACKED_FLAG_HAT)
|
||||
profile->flags |= PFLAG_HAT;
|
||||
if (!unpack_u32(e, &tmp, NULL))
|
||||
goto fail;
|
||||
if (tmp)
|
||||
if (tmp == PACKED_MODE_COMPLAIN)
|
||||
profile->mode = APPARMOR_COMPLAIN;
|
||||
else if (tmp == PACKED_MODE_KILL)
|
||||
profile->mode = APPARMOR_KILL;
|
||||
else if (tmp == PACKED_MODE_UNCONFINED)
|
||||
profile->mode = APPARMOR_UNCONFINED;
|
||||
if (!unpack_u32(e, &tmp, NULL))
|
||||
goto fail;
|
||||
if (tmp)
|
||||
|
Loading…
Reference in New Issue
Block a user