+ Cleanups
- apparmor: remove no-op permission check in policy_unpack + Bug fixes - apparmor: fix an error code in __aa_create_ns() - apparmor: Fix failure to audit context info in build_change_hat - apparmor: Check buffer bounds when mapping permissions mask - apparmor: Fully initialize aa_perms struct when answering userspace query -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE7cSDD705q2rFEEf7BS82cBjVw9gFAlt/ZisACgkQBS82cBjV w9ggNA//T41KN8bduCf9mwLjYkdU/hUu/tdHnV9Ss/OfnLRo5HzH8MxCHkrdPL6+ 3/Ex69un1X/6jWi1SN5lphj5Y09cbbrn5LWZ/MbTrPehmHe6OCN/fhjKx2HbKt09 0IwwrmIEwwlYMmDhCe21JqeP6zvSCwPqWcFj73H6MZ8FCItFRfiUevm97G1lzhpP s9L6E6TNs27dvFb/V2CqWpKCuCs8byDA7Vd6g7MiuV6ciz1IpoFqMZiXbl1cpnpa Qt5vN+b7/BzixQFxC7W8y9D5+5x2nV2U8LEHXP9wn7s+dptTPNilPCEKX2t2qPwq 3p5zK2s4V3oWiyuzb7I3xK5lvbWBfPY6LphaIODbUqqug/PvRYQrfhT/dgR5SNpQ +MnIx742PKn/xZt/q9G2n4vCjVppnWCQNFckyk2+TCT0jWyLqpZPlmp4wwAB0R4e oQrEl8y4G8xUX6ufkNFxF3hm5FoXYQgTnVgnkY4ULZ5ZjdPAUJktwWkI4qnS5zeG WmtuxvAKaPQl9knk0K4VoTAFAGSHWeojaW0+ptEmm+uehmm7Ck8f/lYLW7tvOEdk W1CUv7ubuK4uxIXb38IQxfN2Ehm9xaK5SvUT9wB2sH6HG2WGsZI1Vau0qbOClNdd SArqlZCuuZHMs8suqmmVGlS8VRQy4LdHTwfiIpLl7qYdn9yOz4Y= =TdN2 -----END PGP SIGNATURE----- Merge tag 'apparmor-pr-2018-08-23' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor Pull apparmor updates from John Johansen: "There is nothing major this time just four bug fixes and a patch to remove some dead code: Cleanups: - remove no-op permission check in policy_unpack Bug fixes: - fix an error code in __aa_create_ns() - fix failure to audit context info in build_change_hat - check buffer bounds when mapping permissions mask - fully initialize aa_perms struct when answering userspace query" * tag 'apparmor-pr-2018-08-23' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: apparmor: remove no-op permission check in policy_unpack apparmor: fix an error code in __aa_create_ns() apparmor: Fix failure to audit context info in build_change_hat apparmor: Fully initialize aa_perms struct when 
answering userspace query apparmor: Check buffer bounds when mapping permissions mask
commit
57bb8e37d7
@ -603,7 +603,7 @@ static const struct file_operations aa_fs_ns_revision_fops = {
|
||||
static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
|
||||
const char *match_str, size_t match_len)
|
||||
{
|
||||
struct aa_perms tmp;
|
||||
struct aa_perms tmp = { };
|
||||
struct aa_dfa *dfa;
|
||||
unsigned int state = 0;
|
||||
|
||||
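Review bot: The `= { }` initializer on the `struct aa_perms tmp` declaration carries the whole fix, yet nothing at the declaration records why, and the two `tmp = nullperms;` assignments dropped in the next two hunks (the one before `if (state)` and the `else` branch after `aa_compute_perms()`) now depend on that zero-initialization being equivalent to nullperms. A later reader of profile_query_cb() sees `aa_compute_perms(dfa, state, &tmp);` with no fallback and may reintroduce one. Suggest documenting it on the declaration: `struct aa_perms tmp = { };	/* zeroed == nullperms; paths below need not set every field */`. Whether aa_compute_perms() writes every field is not visible in this hunk, so the wording should be checked against its definition; profile_query_cb() continues beyond this hunk.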
@ -613,7 +613,6 @@ static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
|
||||
dfa = profile->file.dfa;
|
||||
state = aa_dfa_match_len(dfa, profile->file.start,
|
||||
match_str + 1, match_len - 1);
|
||||
tmp = nullperms;
|
||||
if (state) {
|
||||
struct path_cond cond = { };
|
||||
|
||||
@ -627,8 +626,6 @@ static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
|
||||
match_str, match_len);
|
||||
if (state)
|
||||
aa_compute_perms(dfa, state, &tmp);
|
||||
else
|
||||
tmp = nullperms;
|
||||
}
|
||||
aa_apply_modes_to_perms(profile, &tmp);
|
||||
aa_perms_accum_raw(perms, &tmp);
|
||||
|
@ -1036,7 +1036,7 @@ static struct aa_label *build_change_hat(struct aa_profile *profile,
|
||||
audit:
|
||||
aa_audit_file(profile, &nullperms, OP_CHANGE_HAT, AA_MAY_CHANGEHAT,
|
||||
name, hat ? hat->base.hname : NULL,
|
||||
hat ? &hat->label : NULL, GLOBAL_ROOT_UID, NULL,
|
||||
hat ? &hat->label : NULL, GLOBAL_ROOT_UID, info,
|
||||
error);
|
||||
if (!hat || (error && error != -ENOENT))
|
||||
return ERR_PTR(error);
|
||||
|
@ -47,7 +47,8 @@ static void audit_file_mask(struct audit_buffer *ab, u32 mask)
|
||||
{
|
||||
char str[10];
|
||||
|
||||
aa_perm_mask_to_str(str, aa_file_perm_chrs, map_mask_to_chr_mask(mask));
|
||||
aa_perm_mask_to_str(str, sizeof(str), aa_file_perm_chrs,
|
||||
map_mask_to_chr_mask(mask));
|
||||
audit_log_string(ab, str);
|
||||
}
|
||||
|
||||
|
@ -137,7 +137,8 @@ extern struct aa_perms allperms;
|
||||
xcheck(fn_for_each((L1), (P), (FN1)), fn_for_each((L2), (P), (FN2)))
|
||||
|
||||
|
||||
void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask);
|
||||
void aa_perm_mask_to_str(char *str, size_t str_size, const char *chrs,
|
||||
u32 mask);
|
||||
void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names,
|
||||
u32 mask);
|
||||
void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
|
||||
|
@ -198,15 +198,24 @@ const char *aa_file_perm_names[] = {
|
||||
/**
|
||||
* aa_perm_mask_to_str - convert a perm mask to its short string
|
||||
* @str: character buffer to store string in (at least 10 characters)
|
||||
* @str_size: size of the @str buffer
|
||||
* @chrs: NUL-terminated character buffer of permission characters
|
||||
* @mask: permission mask to convert
|
||||
*/
|
||||
void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask)
|
||||
void aa_perm_mask_to_str(char *str, size_t str_size, const char *chrs, u32 mask)
|
||||
{
|
||||
unsigned int i, perm = 1;
|
||||
size_t num_chrs = strlen(chrs);
|
||||
|
||||
for (i = 0; i < num_chrs; perm <<= 1, i++) {
|
||||
if (mask & perm) {
|
||||
/* Ensure that one byte is left for NUL-termination */
|
||||
if (WARN_ON_ONCE(str_size <= 1))
|
||||
break;
|
||||
|
||||
for (i = 0; i < 32; perm <<= 1, i++) {
|
||||
if (mask & perm)
|
||||
*str++ = chrs[i];
|
||||
str_size--;
|
||||
}
|
||||
}
|
||||
*str = '\0';
|
||||
}
|
||||
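Review bot: The kerneldoc line for `@str` still says "(at least 10 characters)", which the new `@str_size` parameter supersedes and which can silently drift from the callers' real buffer sizes; it should become `* @str: character buffer to store string in (NUL-terminated on return)`. The trailing `*str = '\0';` is also outside the `str_size` check: with a zero-length buffer and a zero mask the loop never reaches `WARN_ON_ONCE(str_size <= 1)` and the NUL is written past the buffer, so a guard `if (WARN_ON_ONCE(!str_size)) return;` before the loop would complete the bound. Both callers in this commit pass `sizeof(str)` of a real array, so this is a contract gap rather than a live overflow.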
@ -236,7 +245,7 @@ void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
|
||||
|
||||
audit_log_format(ab, "\"");
|
||||
if ((mask & chrsmask) && chrs) {
|
||||
aa_perm_mask_to_str(str, chrs, mask & chrsmask);
|
||||
aa_perm_mask_to_str(str, sizeof(str), chrs, mask & chrsmask);
|
||||
mask &= ~chrsmask;
|
||||
audit_log_format(ab, "%s", str);
|
||||
if (mask & namesmask)
|
||||
|
@ -255,7 +255,7 @@ static struct aa_ns *__aa_create_ns(struct aa_ns *parent, const char *name,
|
||||
|
||||
ns = alloc_ns(parent->base.hname, name);
|
||||
if (!ns)
|
||||
return NULL;
|
||||
return ERR_PTR(-ENOMEM);
|
||||
ns->level = parent->level + 1;
|
||||
mutex_lock_nested(&ns->lock, ns->level);
|
||||
error = __aafs_ns_mkdir(ns, ns_subns_dir(parent), name, dir);
|
||||
|
@ -389,32 +389,6 @@ static int unpack_strdup(struct aa_ext *e, char **string, const char *name)
|
||||
return res;
|
||||
}
|
||||
|
||||
#define DFA_VALID_PERM_MASK 0xffffffff
|
||||
#define DFA_VALID_PERM2_MASK 0xffffffff
|
||||
|
||||
/**
|
||||
* verify_accept - verify the accept tables of a dfa
|
||||
* @dfa: dfa to verify accept tables of (NOT NULL)
|
||||
* @flags: flags governing dfa
|
||||
*
|
||||
* Returns: 1 if valid accept tables else 0 if error
|
||||
*/
|
||||
static bool verify_accept(struct aa_dfa *dfa, int flags)
|
||||
{
|
||||
int i;
|
||||
|
||||
/* verify accept permissions */
|
||||
for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
|
||||
int mode = ACCEPT_TABLE(dfa)[i];
|
||||
|
||||
if (mode & ~DFA_VALID_PERM_MASK)
|
||||
return 0;
|
||||
|
||||
if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/**
|
||||
* unpack_dfa - unpack a file rule dfa
|
||||
@ -445,15 +419,9 @@ static struct aa_dfa *unpack_dfa(struct aa_ext *e)
|
||||
if (IS_ERR(dfa))
|
||||
return dfa;
|
||||
|
||||
if (!verify_accept(dfa, flags))
|
||||
goto fail;
|
||||
}
|
||||
|
||||
return dfa;
|
||||
|
||||
fail:
|
||||
aa_put_dfa(dfa);
|
||||
return ERR_PTR(-EPROTO);
|
||||
}
|
||||
|
||||
/**
|
||||
|