
apparmor: allow setting any profile into the unconfined state

Allow emulating the default profile behavior from boot, by allowing
loading of a profile in the unconfined state into a new NS.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>

+22 -9
+2 -2
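--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -371,8 +371,8 @@
 	error = aa_path_name(&bprm->file->f_path, profile->path_flags, &buffer,
 			     &name, &info);
 	if (error) {
-		if (profile->flags &
-		    (PFLAG_IX_ON_NAME_ERROR | PFLAG_UNCONFINED))
+		if (unconfined(profile) ||
+		    (profile->flags & PFLAG_IX_ON_NAME_ERROR))
 			error = 0;
 		name = bprm->filename;
 		goto audit;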
+3 -3
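--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -56,11 +56,11 @@
 	APPARMOR_ENFORCE,	/* enforce access rules */
 	APPARMOR_COMPLAIN,	/* allow and log access violations */
 	APPARMOR_KILL,		/* kill task on access violation */
+	APPARMOR_UNCONFINED,	/* profile set to unconfined */
 };
 
 enum profile_flags {
 	PFLAG_HAT = 1,			/* profile is a hat */
-	PFLAG_UNCONFINED = 2,		/* profile is an unconfined profile */
 	PFLAG_NULL = 4,			/* profile is null learning profile */
 	PFLAG_IX_ON_NAME_ERROR = 8,	/* fallback to ix on name lookup fail */
 	PFLAG_IMMUTABLE = 0x10,		/* don't allow changes/replacement */
@@ -199,7 +199,7 @@
 	struct aa_dfa *xmatch;
 	int xmatch_len;
 	enum audit_mode audit;
-	enum profile_mode mode;
+	long mode;
 	long flags;
 	u32 path_flags;
 	int size;
@@ -240,7 +240,7 @@
 #define PROF_ADD 1
 #define PROF_REPLACE 0
 
-#define unconfined(X) ((X)->flags & PFLAG_UNCONFINED)
+#define unconfined(X) ((X)->mode == APPARMOR_UNCONFINED)
 
 
 /**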
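Review bot: Widening `mode` from `enum profile_mode` to `long` in the second hunk (`struct aa_profile`) gives up the type checking the enum provided: a `switch (profile->mode)` no longer gets `-Wswitch` coverage when a new mode such as APPARMOR_UNCONFINED is added, and any integer can be stored without the compiler noticing. Since the only values assigned on this page are the enum constants, the field could stay `enum profile_mode mode;` and the `unconfined()` macro in the third hunk would be unchanged. If the widening is needed for some reason not visible here (e.g. a packing or alignment constraint), a comment on the field stating why, such as `long mode;	/* enum profile_mode; long to keep layout stable */`, would stop the next reader from reverting it.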
+7
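--- a/security/apparmor/include/policy_unpack.h
+++ b/security/apparmor/include/policy_unpack.h
@@ -27,6 +27,13 @@
 void aa_load_ent_free(struct aa_load_ent *ent);
 struct aa_load_ent *aa_load_ent_alloc(void);
 
+#define PACKED_FLAG_HAT 1
+
+#define PACKED_MODE_ENFORCE 0
+#define PACKED_MODE_COMPLAIN 1
+#define PACKED_MODE_KILL 2
+#define PACKED_MODE_UNCONFINED 3
+
 int aa_unpack(void *udata, size_t size, struct list_head *lh, const char **ns);
 
 #endif /* __POLICY_INTERFACE_H */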
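Review bot: The new PACKED_FLAG_HAT and PACKED_MODE_* macros are the encoding read out of the policy blob that userspace hands to the kernel (policy_unpack.c compares the unpacked u32 against them), so they are an ABI contract, not internal constants, and nothing here says so. A short comment above the group, e.g. `/* Values as encoded in the policy blob by userspace; part of the load ABI, do not renumber. Distinct from the in-kernel enum profile_mode. */`, would prevent someone from "cleaning them up" to match the enum. It would also help to state that PACKED_FLAG_HAT is a bit in a flags word while PACKED_MODE_* are exclusive values of a separate word, since the two groups are tested differently in the unpacker.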
+4 -2
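--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -96,6 +96,7 @@
 	"enforce",
 	"complain",
 	"kill",
+	"unconfined",
 };
 
 /**
@@ -291,8 +290,9 @@
 	if (!ns->unconfined)
 		goto fail_unconfined;
 
-	ns->unconfined->flags = PFLAG_UNCONFINED | PFLAG_IX_ON_NAME_ERROR |
-		PFLAG_IMMUTABLE | PFLAG_NS_COUNT;
+	ns->unconfined->flags = PFLAG_IX_ON_NAME_ERROR |
+		PFLAG_IMMUTABLE | PFLAG_NS_COUNT;
+	ns->unconfined->mode = APPARMOR_UNCONFINED;
 
 	/* ns and ns->unconfined share ns->unconfined refcount */
 	ns->unconfined->ns = ns;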
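Review bot: The `"unconfined"` entry added in the first hunk is correct only because it lands at the same position as APPARMOR_UNCONFINED in `enum profile_mode`; the coupling is positional and nothing enforces it. Writing the new entry as a designated initializer, `[APPARMOR_UNCONFINED] = "unconfined",`, pins the mapping and makes a mismatch a compile-time matter rather than a wrong string in audit output. The array's declaration is outside the hunk, so I cannot tell whether the existing entries already use that form; if they do not, converting the whole table in the same change would be consistent.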
+6 -2
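--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -511,12 +511,16 @@
 		goto fail;
 	if (!unpack_u32(e, &tmp, NULL))
 		goto fail;
-	if (tmp)
+	if (tmp & PACKED_FLAG_HAT)
 		profile->flags |= PFLAG_HAT;
 	if (!unpack_u32(e, &tmp, NULL))
 		goto fail;
-	if (tmp == PACKED_MODE_COMPLAIN)
+	if (tmp == PACKED_MODE_COMPLAIN)
 		profile->mode = APPARMOR_COMPLAIN;
+	else if (tmp == PACKED_MODE_KILL)
+		profile->mode = APPARMOR_KILL;
+	else if (tmp == PACKED_MODE_UNCONFINED)
+		profile->mode = APPARMOR_UNCONFINED;
 	if (!unpack_u32(e, &tmp, NULL))
 		goto fail;
 	if (tmp)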
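Review bot: The mode word is read from the user-supplied policy blob, and the new if/else-if chain silently accepts any value other than COMPLAIN, KILL or UNCONFINED, leaving `profile->mode` at whatever it was initialised to (presumably enforce, but that is set outside the hunk); PACKED_MODE_ENFORCE is defined in the header yet never matched here. A malformed or newer-format blob with an unknown mode therefore loads as a seemingly valid profile instead of being rejected, which makes format mistakes hard to diagnose and hides mode semantics the kernel does not understand. I would turn this into a `switch` that maps all four PACKED_MODE_* values explicitly and fails the load on anything else (if forward compatibility with newer blobs is wanted, at least audit the unknown value rather than dropping it). The same "ignore unknown bits" pattern applies to the flags word just above, where `tmp & PACKED_FLAG_HAT` discards the other bits without comment. The enclosing unpack function starts and ends outside the hunk.
```c
	if (!unpack_u32(e, &tmp, NULL))
		goto fail;
	/* mode comes from the user-supplied blob: map known values, reject the rest */
	switch (tmp) {
	case PACKED_MODE_ENFORCE:
		profile->mode = APPARMOR_ENFORCE;
		break;
	case PACKED_MODE_COMPLAIN:
		profile->mode = APPARMOR_COMPLAIN;
		break;
	case PACKED_MODE_KILL:
		profile->mode = APPARMOR_KILL;
		break;
	case PACKED_MODE_UNCONFINED:
		profile->mode = APPARMOR_UNCONFINED;
		break;
	default:
		goto fail;
	}
	/* … unchanged: following unpack_u32 calls … */
```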