
apparmor: verify loaded permission bits masks don't overlap

Add an additional verification that loaded permission sets don't
overlap in ways that are not intended. This will help ensure that
permission accumulation can't result in an invalid permission set.

Signed-off-by: John Johansen <john.johansen@canonical.com>

+30 -4
+30 -4
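--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -1150,11 +1150,37 @@
 	return true;
 }
 
-static bool verify_perm_indexes(struct aa_policydb *pdb)
+static bool verify_perm(struct aa_perms *perm)
+{
+	/* TODO: allow option to just force the perms into a valid state */
+	if (perm->allow & perm->deny)
+		return false;
+	if (perm->subtree & ~perm->allow)
+		return false;
+	if (perm->cond & (perm->allow | perm->deny))
+		return false;
+	if (perm->kill & perm->allow)
+		return false;
+	if (perm->complain & (perm->allow | perm->deny))
+		return false;
+	if (perm->prompt & (perm->allow | perm->deny))
+		return false;
+	if (perm->complain & perm->prompt)
+		return false;
+	if (perm->hide & perm->allow)
+		return false;
+
+	return true;
+}
+
+static bool verify_perms(struct aa_policydb *pdb)
 {
 	int i;
 
 	for (i = 0; i < pdb->size; i++) {
+		if (!verify_perm(&pdb->perms[i]))
+			return false;
+		/* verify indexes into str table */
 		if (pdb->perms[i].xindex >= pdb->trans.size)
 			return false;
 		if (pdb->perms[i].tag >= pdb->trans.size)
@@ -1187,17 +1213,17 @@
 		return -EPROTO;
 	}
 
-	if (!verify_perm_indexes(&profile->file)) {
+	if (!verify_perms(&profile->file)) {
 		audit_iface(profile, NULL, NULL,
 			    "Unpack: Invalid perm index", NULL, -EPROTO);
 		return -EPROTO;
 	}
-	if (!verify_perm_indexes(&profile->policy)) {
+	if (!verify_perms(&profile->policy)) {
 		audit_iface(profile, NULL, NULL,
 			    "Unpack: Invalid perm index", NULL, -EPROTO);
 		return -EPROTO;
 	}
-	if (!verify_perm_indexes(&profile->xmatch)) {
+	if (!verify_perms(&profile->xmatch)) {
 		audit_iface(profile, NULL, NULL,
 			    "Unpack: Invalid perm index", NULL, -EPROTO);
 		return -EPROTO;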
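Review bot: The three `verify_perms()` call sites still log `"Unpack: Invalid perm index"`, but that path is now also taken when `verify_perm()` rejects overlapping masks such as `perm->allow & perm->deny`. A policy load refused for a mask overlap is therefore audited with a cause that points at the string-table indexes instead. A message covering both cases, for example `"Unpack: Invalid perms"`, would keep the audit record accurate; if log consumers match on the existing text, `verify_perms()` could instead report which check failed. `verify_perm()` only reads its argument, so the parameter could be `const struct aa_perms *perm`. A short comment above it stating the intended invariants would also explain why `kill` and `hide` are tested against `allow` only. The function containing the call sites starts and ends outside the hunk.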