tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
apparmor: allow profiles to provide info to disconnected paths
Signed-off-by: John Johansen <john.johansen@canonical.com>
+34
-17
+1
-1
security/apparmor/domain.c
+1
-1
security/apparmor/domain.c
···
366
366
367
367
/* buffer freed below, name is pointer into buffer */
368
368
error = aa_path_name(&bprm->file->f_path, profile->path_flags, &buffer,
369
-
&name, &info);
369
+
&name, &info, profile->disconnected);
370
370
if (error) {
371
371
if (unconfined(profile) ||
372
372
(profile->flags & PFLAG_IX_ON_NAME_ERROR))
+4
-3
security/apparmor/file.c
+4
-3
security/apparmor/file.c
···
285
285
int error;
286
286
287
287
flags |= profile->path_flags | (S_ISDIR(cond->mode) ? PATH_IS_DIR : 0);
288
-
error = aa_path_name(path, flags, &buffer, &name, &info);
288
+
error = aa_path_name(path, flags, &buffer, &name, &info,
289
+
profile->disconnected);
289
290
if (error) {
290
291
if (error == -ENOENT && is_deleted(path->dentry)) {
291
292
/* Access to open files that are deleted are
···
367
366
368
367
/* buffer freed below, lname is pointer in buffer */
369
368
error = aa_path_name(&link, profile->path_flags, &buffer, &lname,
370
-
&info);
369
+
&info, profile->disconnected);
371
370
if (error)
372
371
goto audit;
373
372
374
373
/* buffer2 freed below, tname is pointer in buffer2 */
375
374
error = aa_path_name(&target, profile->path_flags, &buffer2, &tname,
376
-
&info);
375
+
&info, profile->disconnected);
377
376
if (error)
378
377
goto audit;
379
378
+2
-1
security/apparmor/include/path.h
+2
-1
security/apparmor/include/path.h
+2
security/apparmor/include/policy.h
+2
security/apparmor/include/policy.h
···
128
128
* @mode: the enforcement mode of the profile
129
129
* @flags: flags controlling profile behavior
130
130
* @path_flags: flags controlling path generation behavior
131
+
* @disconnected: what to prepend if attach_disconnected is specified
131
132
* @size: the memory consumed by this profiles rules
132
133
* @policy: general match rules governing policy
133
134
* @file: The set of rules governing basic file access and domain transitions
···
170
169
long mode;
171
170
long flags;
172
171
u32 path_flags;
172
+
const char *disconnected;
173
173
int size;
174
174
175
175
struct aa_policydb policy;
+22
-12
security/apparmor/path.c
+22
-12
security/apparmor/path.c
···
50
50
* namespace root.
51
51
*/
52
52
static int disconnect(const struct path *path, char *buf, char **name,
53
-
int flags)
53
+
int flags, const char *disconnected)
54
54
{
55
55
int error = 0;
56
56
···
63
63
error = -EACCES;
64
64
if (**name == '/')
65
65
*name = *name + 1;
66
-
} else if (**name != '/')
67
-
/* CONNECT_PATH with missing root */
68
-
error = prepend(name, *name - buf, "/", 1);
66
+
} else {
67
+
if (**name != '/')
68
+
/* CONNECT_PATH with missing root */
69
+
error = prepend(name, *name - buf, "/", 1);
70
+
if (!error && disconnected)
71
+
error = prepend(name, *name - buf, disconnected,
72
+
strlen(disconnected));
73
+
}
69
74
70
75
return error;
71
76
}
···
82
77
* @buflen: length of @buf
83
78
* @name: Returns - pointer for start of path name with in @buf (NOT NULL)
84
79
* @flags: flags controlling path lookup
80
+
* @disconnected: string to prefix to disconnected paths
85
81
*
86
82
* Handle path name lookup.
87
83
*
···
91
85
* to a position in @buf
92
86
*/
93
87
static int d_namespace_path(const struct path *path, char *buf, int buflen,
94
-
char **name, int flags)
88
+
char **name, int flags, const char *disconnected)
95
89
{
96
90
char *res;
97
91
int error = 0;
···
112
106
*/
113
107
return prepend(name, *name - buf, "/proc", 5);
114
108
} else
115
-
return disconnect(path, buf, name, flags);
116
-
return 0;
109
+
return disconnect(path, buf, name, flags,
110
+
disconnected);
117
111
}
118
112
119
113
/* resolve paths relative to chroot?*/
···
159
153
}
160
154
161
155
if (!connected)
162
-
error = disconnect(path, buf, name, flags);
156
+
error = disconnect(path, buf, name, flags, disconnected);
163
157
164
158
out:
165
159
return error;
···
176
170
* Returns: %0 else error on failure
177
171
*/
178
172
static int get_name_to_buffer(const struct path *path, int flags, char *buffer,
179
-
int size, char **name, const char **info)
173
+
int size, char **name, const char **info,
174
+
const char *disconnected)
180
175
{
181
176
int adjust = (flags & PATH_IS_DIR) ? 1 : 0;
182
-
int error = d_namespace_path(path, buffer, size - adjust, name, flags);
177
+
int error = d_namespace_path(path, buffer, size - adjust, name, flags,
178
+
disconnected);
183
179
184
180
if (!error && (flags & PATH_IS_DIR) && (*name)[1] != '\0')
185
181
/*
···
211
203
* @buffer: buffer that aa_get_name() allocated (NOT NULL)
212
204
* @name: Returns - the generated path name if !error (NOT NULL)
213
205
* @info: Returns - information on why the path lookup failed (MAYBE NULL)
206
+
* @disconnected: string to prepend to disconnected paths
214
207
*
215
208
* @name is a pointer to the beginning of the pathname (which usually differs
216
209
* from the beginning of the buffer), or NULL. If there is an error @name
···
225
216
* Returns: %0 else error code if could retrieve name
226
217
*/
227
218
int aa_path_name(const struct path *path, int flags, char **buffer,
228
-
const char **name, const char **info)
219
+
const char **name, const char **info, const char *disconnected)
229
220
{
230
221
char *buf, *str = NULL;
231
222
int size = 256;
···
239
230
if (!buf)
240
231
return -ENOMEM;
241
232
242
-
error = get_name_to_buffer(path, flags, buf, size, &str, info);
233
+
error = get_name_to_buffer(path, flags, buf, size, &str, info,
234
+
disconnected);
243
235
if (error != -ENAMETOOLONG)
244
236
break;
245
237
+3
security/apparmor/policy_unpack.c
+3
security/apparmor/policy_unpack.c
···
569
569
profile->xmatch_len = tmp;
570
570
}
571
571
572
+
/* disconnected attachment string is optional */
573
+
(void) unpack_str(e, &profile->disconnected, "disconnected");
574
+
572
575
/* per profile debug flags (complain, audit) */
573
576
if (!unpack_nameX(e, AA_STRUCT, "flags"))
574
577
goto fail;