
apparmor: make sure perm indexes are accumulated

Accumulate permission indexes on a first-encountered basis. This
favors the original rulesets, so that new ones cannot override them
without profile replacement.

Signed-off-by: John Johansen <john.johansen@canonical.com>

+25 -2
+2 -2
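--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -88,10 +88,10 @@
  * - exec type - which determines how the executable name and index are used
  * - flags - which modify how the destination name is applied
  */
-#define AA_X_INDEX_MASK 0x00ffffff
+#define AA_X_INDEX_MASK AA_INDEX_MASK
 
 #define AA_X_TYPE_MASK 0x0c000000
-#define AA_X_NONE 0x00000000
+#define AA_X_NONE AA_INDEX_NONE
 #define AA_X_NAME 0x04000000 /* use executable name px */
 #define AA_X_TABLE 0x08000000 /* use a specified name ->n# */
 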
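Review bot: `AA_X_INDEX_MASK` and `AA_X_NONE` now expand to `AA_INDEX_MASK` and `AA_INDEX_NONE`, which this commit defines in perms.h, so file.h only compiles when perms.h is in its include chain; the include list is outside this section, so that should be confirmed rather than assumed. The sibling `AA_X_TYPE_MASK 0x0c000000` stays a literal, and nothing records that its bits must sit inside the new `AA_INDEX_FLAG_MASK` byte, which is the relationship that makes the alias safe; a comment such as `/* type bits live in the AA_INDEX_FLAG_MASK byte; index bits are AA_INDEX_MASK */` next to it would keep a future edit from overlapping the two. The enclosing comment block starts before line 88, outside the section.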
+9
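--- a/security/apparmor/include/perms.h
+++ b/security/apparmor/include/perms.h
@@ -78,10 +78,19 @@
 u32 quiet; /* set only when ~allow | deny */
 u32 hide; /* set only when ~allow | deny */
 
+
 u32 xindex;
 u32 tag; /* tag string index, if present */
 u32 label; /* label string index, if present */
 };
+
+/*
+ * Indexes are broken into a 24 bit index and 8 bit flag.
+ * For the index to be valid there must be a value in the flag
+ */
+#define AA_INDEX_MASK 0x00ffffff
+#define AA_INDEX_FLAG_MASK 0xff000000
+#define AA_INDEX_NONE 0
 
 #define ALL_PERMS_MASK 0xffffffff
 extern struct aa_perms nullperms;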
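Review bot: The new comment states that an index is only valid when the flag byte is non-zero, but it does not say how `AA_INDEX_NONE` (0) fits that rule or where the flag values come from, and the accumulation in lib.c relies on exactly that meaning when it tests `!accum->xindex`. Extending the comment with `* AA_INDEX_NONE (flag byte 0) means no index is set; the flag values themselves are defined by the users of the index, e.g. AA_X_* in file.h.` would make the contract self-contained. The added blank line inside `struct aa_perms` (new line 81) is a stray whitespace change that is unrelated to the macros and could be dropped.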
+14
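--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -348,6 +348,13 @@
 accum->hide &= addend->hide & ~addend->allow;
 accum->prompt |= addend->prompt & ~addend->allow & ~addend->deny;
 accum->subtree |= addend->subtree & ~addend->deny;
+
+if (!accum->xindex)
+accum->xindex = addend->xindex;
+if (!accum->tag)
+accum->tag = addend->tag;
+if (!accum->label)
+accum->label = addend->label;
 }
 
 /**
@@ -374,6 +367,13 @@
 accum->hide &= addend->hide & ~accum->allow;
 accum->prompt |= addend->prompt & ~accum->allow & ~accum->deny;
 accum->subtree &= addend->subtree & ~accum->deny;
+
+if (!accum->xindex)
+accum->xindex = addend->xindex;
+if (!accum->tag)
+accum->tag = addend->tag;
+if (!accum->label)
+accum->label = addend->label;
 }
 
 void aa_profile_match_label(struct aa_profile *profile, struct aa_label *label,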
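Review bot: The `if (!accum->xindex)` test in both hunks decides "unset" on the whole 32-bit word, while the perms.h comment added in this commit says an index is only valid when its flag byte is non-zero; if an xindex can ever carry index bits with a zero flag byte, that value would be kept as if it were a real index and block a later valid one, so `if (!(accum->xindex & AA_INDEX_FLAG_MASK))` would match the stated validity rule more closely (tag and label have no such flag layout on the page, so the plain zero test is fine for them). Nothing at either site records that first-encountered-wins depends on `AA_INDEX_NONE` being 0; a comment such as `/* first encountered index wins: AA_INDEX_NONE (0) means nothing set yet */` above the block would make the ordering dependence visible to readers of either accumulator. The same six lines now appear verbatim in both functions, so a small `static inline` helper that copies the three indexes from addend into accum when they are unset would keep the two from drifting. Both enclosing functions begin before their hunks, so their kerneldoc, which should state that an already-set index is never replaced by a later addend, is not visible here.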