
apparmor: extend permissions to support a label and tag string

add indexes for label and tag entries. Rename the domain table to the
str_table as it's a shared string table with labels and tags.

Signed-off-by: John Johansen <john.johansen@canonical.com>

+32 -27
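--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -30,24 +30,6 @@
 #include "include/policy_ns.h"
 
 /**
- * aa_free_domain_entries - free entries in a domain table
- * @domain: the domain table to free (MAYBE NULL)
- */
-void aa_free_domain_entries(struct aa_domain *domain)
-{
-	int i;
-	if (domain) {
-		if (!domain->table)
-			return;
-
-		for (i = 0; i < domain->size; i++)
-			kfree_sensitive(domain->table[i]);
-		kfree_sensitive(domain->table);
-		domain->table = NULL;
-	}
-}
-
-/**
  * may_change_ptraced_domain - check if can change profile on ptraced task
  * @to_label: profile to change to (NOT NULL)
  * @info: message if there is an error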
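--- a/security/apparmor/include/domain.h
+++ b/security/apparmor/include/domain.h
@@ -16,11 +16,6 @@
 #ifndef __AA_DOMAIN_H
 #define __AA_DOMAIN_H
 
-struct aa_domain {
-	int size;
-	char **table;
-};
-
 #define AA_CHANGE_NOFLAGS 0
 #define AA_CHANGE_TEST 1
 #define AA_CHANGE_CHILD 2
@@ -27,7 +32,6 @@
 
 int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm);
 
-void aa_free_domain_entries(struct aa_domain *domain);
 int aa_change_hat(const char *hats[], int count, u64 token, int flags);
 int aa_change_profile(const char *fqname, int flags);
 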
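--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -99,6 +99,12 @@
 	return !(dentry->d_sb->s_flags & SB_NOUSER);
 }
 
+struct aa_str_table {
+	int size;
+	char **table;
+};
+
+void aa_free_str_table(struct aa_str_table *table);
 
 struct counted_str {
 	struct kref count;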
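Review bot: The new `struct aa_str_table` carries no comment saying what its entries are or who owns them, while the matching free routine added in lib.c passes every entry and the `table` array itself to kfree_sensitive(), so only kmalloc'd strings may ever be stored in it. I would add above the struct: `/* aa_str_table - array of kmalloc'd strings; the entries and the array are released together by aa_free_str_table() */`. The prototype's parameter is named `table` while the definition in lib.c names it `t`; that mismatch is raised with the lib.c hunk.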
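--- a/security/apparmor/include/perms.h
+++ b/security/apparmor/include/perms.h
@@ -79,6 +79,8 @@
 	u32 hide;	/* set only when ~allow | deny */
 
 	u32 xindex;
+	u32 tag;	/* tag string index, if present */
+	u32 label;	/* label string index, if present */
 };
 
 #define ALL_PERMS_MASK 0xffffffff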
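Review bot: The comments on the added `tag` and `label` members say "if present" but do not say how absence is encoded, and since both are indexes into a string table a reader cannot tell whether index 0 is a valid entry or the "not present" marker. I would spell it out, e.g. `u32 tag;	/* index of the tag string in the str table; <absent-sentinel> when none */`, with the sentinel taken from whatever populates these fields (presumably the policy unpack code, which this commit does not show). The struct these fields belong to starts outside the hunk.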
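--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -72,12 +72,14 @@
 
 /* struct aa_policydb - match engine for a policy
  * dfa: dfa pattern match
+ * perms: table of permissions
+ * strs: table of strings, index by x
  * start: set of start states for the different classes of data
  */
 struct aa_policydb {
 	struct aa_dfa *dfa;
 	struct aa_perms *perms;
-	struct aa_domain trans;
+	struct aa_str_table trans;
 	aa_state_t start[AA_CLASS_LAST + 1];
 };
 
@@ -88,7 +86,7 @@
 	aa_put_dfa(policy->dfa);
 	if (policy->perms)
 		kvfree(policy->perms);
-	aa_free_domain_entries(&policy->trans);
+	aa_free_str_table(&policy->trans);
 
 }
 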
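Review bot: The added comment line ` * strs: table of strings, index by x` documents a member named `strs`, but the struct member that actually holds the string table is `trans` (retyped to `struct aa_str_table` a few lines below), so the description and the layout disagree. It should read ` * trans: table of strings, indexed by x`, or the member should be renamed to match the comment; either way the two must agree before someone greps for `strs`. The second hunk in this section only swaps the free call inside aa_destroy_policydb(), whose body starts outside the hunk.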
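--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -26,6 +26,25 @@
 	.hide = ALL_PERMS_MASK };
 
 /**
+ * aa_free_str_table - free entries str table
+ * @str: the string table to free (MAYBE NULL)
+ */
+void aa_free_str_table(struct aa_str_table *t)
+{
+	int i;
+
+	if (t) {
+		if (!t->table)
+			return;
+
+		for (i = 0; i < t->size; i++)
+			kfree_sensitive(t->table[i]);
+		kfree_sensitive(t->table);
+		t->table = NULL;
+	}
+}
+
+/**
  * aa_split_fqname - split a fqname into a profile and namespace name
  * @fqname: a full qualified name in namespace profile format (NOT NULL)
  * @ns_name: pointer to portion of the string containing the ns name (NOT NULL)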
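Review bot: The kernel-doc block for the new aa_free_str_table() names its parameter `@str`, but the definition calls it `t` and the prototype in lib.h calls it `table`, so kernel-doc will warn about the undocumented parameter and readers get three names for one argument; I would change the header to ` * aa_free_str_table - free the entries of a string table` / ` * @t: the string table to free (MAYBE NULL)` and use `t` in the lib.h prototype as well. Separately, the function sets `t->table = NULL` but leaves `t->size` untouched, so after the call the struct still claims N entries with no storage behind them; adding `t->size = 0;` next to the NULL assignment keeps it self-consistent for any later code that trusts `size`. Both points are inherited from the removed aa_free_domain_entries() in domain.c rather than introduced here.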
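--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -534,7 +534,7 @@
 	return true;
 
 fail:
-	aa_free_domain_entries(&profile->file.trans);
+	aa_free_str_table(&profile->file.trans);
 	e->pos = saved_pos;
 	return false;
 }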