tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
apparmor: pass cred through to audit info.
The cred is needed to properly audit some messages, and will be needed
in the future for uid conditional mediation. So pass it through to
where the apparmor_audit_data struct gets defined.
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
+388
-211
+7
-4
security/apparmor/apparmorfs.c
+7
-4
security/apparmor/apparmorfs.c
···
423
423
/* high level check about policy management - fine grained in
424
424
* below after unpack
425
425
*/
426
-
error = aa_may_manage_policy(label, ns, mask);
426
+
error = aa_may_manage_policy(current_cred(), label, ns, mask);
427
427
if (error)
428
428
goto end_section;
429
429
···
486
486
/* high level check about policy management - fine grained in
487
487
* below after unpack
488
488
*/
489
-
error = aa_may_manage_policy(label, ns, AA_MAY_REMOVE_POLICY);
489
+
error = aa_may_manage_policy(current_cred(), label, ns,
490
+
AA_MAY_REMOVE_POLICY);
490
491
if (error)
491
492
goto out;
492
493
···
1801
1800
int error;
1802
1801
1803
1802
label = begin_current_label_crit_section();
1804
-
error = aa_may_manage_policy(label, NULL, AA_MAY_LOAD_POLICY);
1803
+
error = aa_may_manage_policy(current_cred(), label, NULL,
1804
+
AA_MAY_LOAD_POLICY);
1805
1805
end_current_label_crit_section(label);
1806
1806
if (error)
1807
1807
return error;
···
1851
1849
int error;
1852
1850
1853
1851
label = begin_current_label_crit_section();
1854
-
error = aa_may_manage_policy(label, NULL, AA_MAY_LOAD_POLICY);
1852
+
error = aa_may_manage_policy(current_cred(), label, NULL,
1853
+
AA_MAY_LOAD_POLICY);
1855
1854
end_current_label_crit_section(label);
1856
1855
if (error)
1857
1856
return error;
+4
-1
security/apparmor/capability.c
+4
-1
security/apparmor/capability.c
···
140
140
141
141
/**
142
142
* aa_capable - test permission to use capability
143
+
* @subj_cread: cred we are testing capability against
143
144
* @label: label being tested for capability (NOT NULL)
144
145
* @cap: capability to be tested
145
146
* @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated
···
149
148
*
150
149
* Returns: 0 on success, or else an error code.
151
150
*/
152
-
int aa_capable(struct aa_label *label, int cap, unsigned int opts)
151
+
int aa_capable(const struct cred *subj_cred, struct aa_label *label,
152
+
int cap, unsigned int opts)
153
153
{
154
154
struct aa_profile *profile;
155
155
int error = 0;
156
156
DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_CAP, AA_CLASS_CAP, OP_CAPABLE);
157
157
158
+
ad.subj_cred = subj_cred;
158
159
ad.common.u.cap = cap;
159
160
error = fn_for_each_confined(label, profile,
160
161
profile_capable(profile, cap, opts, &ad));
+64
-33
security/apparmor/domain.c
+64
-33
security/apparmor/domain.c
···
31
31
32
32
/**
33
33
* may_change_ptraced_domain - check if can change profile on ptraced task
34
+
* @cred: cred of task changing domain
34
35
* @to_label: profile to change to (NOT NULL)
35
36
* @info: message if there is an error
36
37
*
···
40
39
*
41
40
* Returns: %0 or error if change not allowed
42
41
*/
43
-
static int may_change_ptraced_domain(struct aa_label *to_label,
42
+
static int may_change_ptraced_domain(const struct cred *to_cred,
43
+
struct aa_label *to_label,
44
44
const char **info)
45
45
{
46
46
struct task_struct *tracer;
47
47
struct aa_label *tracerl = NULL;
48
+
const struct cred *tracer_cred = NULL;
49
+
48
50
int error = 0;
49
51
50
52
rcu_read_lock();
51
53
tracer = ptrace_parent(current);
52
-
if (tracer)
54
+
if (tracer) {
53
55
/* released below */
54
56
tracerl = aa_get_task_label(tracer);
55
-
57
+
tracer_cred = get_task_cred(tracer);
58
+
}
56
59
/* not ptraced */
57
60
if (!tracer || unconfined(tracerl))
58
61
goto out;
59
62
60
-
error = aa_may_ptrace(tracerl, to_label, PTRACE_MODE_ATTACH);
63
+
error = aa_may_ptrace(tracer_cred, tracerl, to_cred, to_label,
64
+
PTRACE_MODE_ATTACH);
61
65
62
66
out:
63
67
rcu_read_unlock();
64
68
aa_put_label(tracerl);
69
+
put_cred(tracer_cred);
65
70
66
71
if (error)
67
72
*info = "ptrace prevents transition";
···
628
621
return new;
629
622
}
630
623
631
-
static struct aa_label *profile_transition(struct aa_profile *profile,
624
+
static struct aa_label *profile_transition(const struct cred *subj_cred,
625
+
struct aa_profile *profile,
632
626
const struct linux_binprm *bprm,
633
627
char *buffer, struct path_cond *cond,
634
628
bool *secure_exec)
···
719
711
}
720
712
721
713
audit:
722
-
aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name, target, new,
714
+
aa_audit_file(subj_cred, profile, &perms, OP_EXEC, MAY_EXEC, name,
715
+
target, new,
723
716
cond->uid, info, error);
724
717
if (!new || nonewprivs) {
725
718
aa_put_label(new);
···
730
721
return new;
731
722
}
732
723
733
-
static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
724
+
static int profile_onexec(const struct cred *subj_cred,
725
+
struct aa_profile *profile, struct aa_label *onexec,
734
726
bool stack, const struct linux_binprm *bprm,
735
727
char *buffer, struct path_cond *cond,
736
728
bool *secure_exec)
···
799
789
}
800
790
801
791
audit:
802
-
return aa_audit_file(profile, &perms, OP_EXEC, AA_MAY_ONEXEC, xname,
792
+
return aa_audit_file(subj_cred, profile, &perms, OP_EXEC,
793
+
AA_MAY_ONEXEC, xname,
803
794
NULL, onexec, cond->uid, info, error);
804
795
}
805
796
806
797
/* ensure none ns domain transitions are correctly applied with onexec */
807
798
808
-
static struct aa_label *handle_onexec(struct aa_label *label,
799
+
static struct aa_label *handle_onexec(const struct cred *subj_cred,
800
+
struct aa_label *label,
809
801
struct aa_label *onexec, bool stack,
810
802
const struct linux_binprm *bprm,
811
803
char *buffer, struct path_cond *cond,
···
824
812
825
813
if (!stack) {
826
814
error = fn_for_each_in_ns(label, profile,
827
-
profile_onexec(profile, onexec, stack,
815
+
profile_onexec(subj_cred, profile, onexec, stack,
828
816
bprm, buffer, cond, unsafe));
829
817
if (error)
830
818
return ERR_PTR(error);
831
819
new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
832
820
aa_get_newest_label(onexec),
833
-
profile_transition(profile, bprm, buffer,
821
+
profile_transition(subj_cred, profile, bprm,
822
+
buffer,
834
823
cond, unsafe));
835
824
836
825
} else {
837
826
/* TODO: determine how much we want to loosen this */
838
827
error = fn_for_each_in_ns(label, profile,
839
-
profile_onexec(profile, onexec, stack, bprm,
828
+
profile_onexec(subj_cred, profile, onexec, stack, bprm,
840
829
buffer, cond, unsafe));
841
830
if (error)
842
831
return ERR_PTR(error);
843
832
new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
844
833
aa_label_merge(&profile->label, onexec,
845
834
GFP_KERNEL),
846
-
profile_transition(profile, bprm, buffer,
835
+
profile_transition(subj_cred, profile, bprm,
836
+
buffer,
847
837
cond, unsafe));
848
838
}
849
839
···
854
840
855
841
/* TODO: get rid of GLOBAL_ROOT_UID */
856
842
error = fn_for_each_in_ns(label, profile,
857
-
aa_audit_file(profile, &nullperms, OP_CHANGE_ONEXEC,
843
+
aa_audit_file(subj_cred, profile, &nullperms,
844
+
OP_CHANGE_ONEXEC,
858
845
AA_MAY_ONEXEC, bprm->filename, NULL,
859
846
onexec, GLOBAL_ROOT_UID,
860
847
"failed to build target label", -ENOMEM));
···
874
859
{
875
860
struct aa_task_ctx *ctx;
876
861
struct aa_label *label, *new = NULL;
862
+
const struct cred *subj_cred;
877
863
struct aa_profile *profile;
878
864
char *buffer = NULL;
879
865
const char *info = NULL;
···
887
871
file_inode(bprm->file)->i_mode
888
872
};
889
873
874
+
subj_cred = current_cred();
890
875
ctx = task_ctx(current);
891
876
AA_BUG(!cred_label(bprm->cred));
892
877
AA_BUG(!ctx);
···
914
897
915
898
/* Test for onexec first as onexec override other x transitions. */
916
899
if (ctx->onexec)
917
-
new = handle_onexec(label, ctx->onexec, ctx->token,
900
+
new = handle_onexec(subj_cred, label, ctx->onexec, ctx->token,
918
901
bprm, buffer, &cond, &unsafe);
919
902
else
920
903
new = fn_label_build(label, profile, GFP_KERNEL,
921
-
profile_transition(profile, bprm, buffer,
904
+
profile_transition(subj_cred, profile, bprm,
905
+
buffer,
922
906
&cond, &unsafe));
923
907
924
908
AA_BUG(!new);
···
954
936
955
937
if (bprm->unsafe & (LSM_UNSAFE_PTRACE)) {
956
938
/* TODO: test needs to be profile of label to new */
957
-
error = may_change_ptraced_domain(new, &info);
939
+
error = may_change_ptraced_domain(bprm->cred, new, &info);
958
940
if (error)
959
941
goto audit;
960
942
}
···
991
973
992
974
audit:
993
975
error = fn_for_each(label, profile,
994
-
aa_audit_file(profile, &nullperms, OP_EXEC, MAY_EXEC,
976
+
aa_audit_file(current_cred(), profile, &nullperms,
977
+
OP_EXEC, MAY_EXEC,
995
978
bprm->filename, NULL, new,
996
979
vfsuid_into_kuid(vfsuid), info, error));
997
980
aa_put_label(new);
···
1008
989
*
1009
990
* Returns: label for hat transition OR ERR_PTR. Does NOT return NULL
1010
991
*/
1011
-
static struct aa_label *build_change_hat(struct aa_profile *profile,
992
+
static struct aa_label *build_change_hat(const struct cred *subj_cred,
993
+
struct aa_profile *profile,
1012
994
const char *name, bool sibling)
1013
995
{
1014
996
struct aa_profile *root, *hat = NULL;
···
1041
1021
aa_put_profile(root);
1042
1022
1043
1023
audit:
1044
-
aa_audit_file(profile, &nullperms, OP_CHANGE_HAT, AA_MAY_CHANGEHAT,
1024
+
aa_audit_file(subj_cred, profile, &nullperms, OP_CHANGE_HAT,
1025
+
AA_MAY_CHANGEHAT,
1045
1026
name, hat ? hat->base.hname : NULL,
1046
1027
hat ? &hat->label : NULL, GLOBAL_ROOT_UID, info,
1047
1028
error);
···
1058
1037
*
1059
1038
* Returns: label for hat transition or ERR_PTR. Does not return NULL
1060
1039
*/
1061
-
static struct aa_label *change_hat(struct aa_label *label, const char *hats[],
1040
+
static struct aa_label *change_hat(const struct cred *subj_cred,
1041
+
struct aa_label *label, const char *hats[],
1062
1042
int count, int flags)
1063
1043
{
1064
1044
struct aa_profile *profile, *root, *hat = NULL;
···
1135
1113
*/
1136
1114
/* TODO: get rid of GLOBAL_ROOT_UID */
1137
1115
if (count > 1 || COMPLAIN_MODE(profile)) {
1138
-
aa_audit_file(profile, &nullperms, OP_CHANGE_HAT,
1116
+
aa_audit_file(subj_cred, profile, &nullperms,
1117
+
OP_CHANGE_HAT,
1139
1118
AA_MAY_CHANGEHAT, name, NULL, NULL,
1140
1119
GLOBAL_ROOT_UID, info, error);
1141
1120
}
···
1145
1122
1146
1123
build:
1147
1124
new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
1148
-
build_change_hat(profile, name, sibling),
1125
+
build_change_hat(subj_cred, profile, name,
1126
+
sibling),
1149
1127
aa_get_label(&profile->label));
1150
1128
if (!new) {
1151
1129
info = "label build failed";
···
1176
1152
*/
1177
1153
int aa_change_hat(const char *hats[], int count, u64 token, int flags)
1178
1154
{
1179
-
const struct cred *cred;
1155
+
const struct cred *subj_cred;
1180
1156
struct aa_task_ctx *ctx = task_ctx(current);
1181
1157
struct aa_label *label, *previous, *new = NULL, *target = NULL;
1182
1158
struct aa_profile *profile;
···
1185
1161
int error = 0;
1186
1162
1187
1163
/* released below */
1188
-
cred = get_current_cred();
1189
-
label = aa_get_newest_cred_label(cred);
1164
+
subj_cred = get_current_cred();
1165
+
label = aa_get_newest_cred_label(subj_cred);
1190
1166
previous = aa_get_newest_label(ctx->previous);
1191
1167
1192
1168
/*
···
1206
1182
}
1207
1183
1208
1184
if (count) {
1209
-
new = change_hat(label, hats, count, flags);
1185
+
new = change_hat(subj_cred, label, hats, count, flags);
1210
1186
AA_BUG(!new);
1211
1187
if (IS_ERR(new)) {
1212
1188
error = PTR_ERR(new);
···
1215
1191
goto out;
1216
1192
}
1217
1193
1218
-
error = may_change_ptraced_domain(new, &info);
1194
+
/* target cred is the same as current except new label */
1195
+
error = may_change_ptraced_domain(subj_cred, new, &info);
1219
1196
if (error)
1220
1197
goto fail;
1221
1198
···
1269
1244
aa_put_label(new);
1270
1245
aa_put_label(previous);
1271
1246
aa_put_label(label);
1272
-
put_cred(cred);
1247
+
put_cred(subj_cred);
1273
1248
1274
1249
return error;
1275
1250
···
1279
1254
1280
1255
fail:
1281
1256
fn_for_each_in_ns(label, profile,
1282
-
aa_audit_file(profile, &perms, OP_CHANGE_HAT,
1257
+
aa_audit_file(subj_cred, profile, &perms, OP_CHANGE_HAT,
1283
1258
AA_MAY_CHANGEHAT, NULL, NULL, target,
1284
1259
GLOBAL_ROOT_UID, info, error));
1285
1260
···
1288
1263
1289
1264
1290
1265
static int change_profile_perms_wrapper(const char *op, const char *name,
1266
+
const struct cred *subj_cred,
1291
1267
struct aa_profile *profile,
1292
1268
struct aa_label *target, bool stack,
1293
1269
u32 request, struct aa_perms *perms)
···
1303
1277
rules->file.start[AA_CLASS_FILE],
1304
1278
perms);
1305
1279
if (error)
1306
-
error = aa_audit_file(profile, perms, op, request, name,
1280
+
error = aa_audit_file(subj_cred, profile, perms, op, request,
1281
+
name,
1307
1282
NULL, target, GLOBAL_ROOT_UID, info,
1308
1283
error);
1309
1284
···
1333
1306
const char *auditname = fqname; /* retain leading & if stack */
1334
1307
bool stack = flags & AA_CHANGE_STACK;
1335
1308
struct aa_task_ctx *ctx = task_ctx(current);
1309
+
const struct cred *subj_cred = get_current_cred();
1336
1310
int error = 0;
1337
1311
char *op;
1338
1312
u32 request;
···
1411
1383
*/
1412
1384
error = fn_for_each_in_ns(label, profile,
1413
1385
change_profile_perms_wrapper(op, auditname,
1386
+
subj_cred,
1414
1387
profile, target, stack,
1415
1388
request, &perms));
1416
1389
if (error)
···
1422
1393
1423
1394
check:
1424
1395
/* check if tracing task is allowed to trace target domain */
1425
-
error = may_change_ptraced_domain(target, &info);
1396
+
error = may_change_ptraced_domain(subj_cred, target, &info);
1426
1397
if (error && !fn_for_each_in_ns(label, profile,
1427
1398
COMPLAIN_MODE(profile)))
1428
1399
goto audit;
···
1482
1453
1483
1454
audit:
1484
1455
error = fn_for_each_in_ns(label, profile,
1485
-
aa_audit_file(profile, &perms, op, request, auditname,
1456
+
aa_audit_file(subj_cred,
1457
+
profile, &perms, op, request, auditname,
1486
1458
NULL, new ? new : target,
1487
1459
GLOBAL_ROOT_UID, info, error));
1488
1460
···
1491
1461
aa_put_label(new);
1492
1462
aa_put_label(target);
1493
1463
aa_put_label(label);
1464
+
put_cred(subj_cred);
1494
1465
1495
1466
return error;
1496
1467
}
+88
-43
security/apparmor/file.c
+88
-43
security/apparmor/file.c
···
45
45
{
46
46
struct common_audit_data *sa = va;
47
47
struct apparmor_audit_data *ad = aad(sa);
48
-
kuid_t fsuid = current_fsuid();
48
+
kuid_t fsuid = ad->subj_cred ? ad->subj_cred->fsuid : current_fsuid();
49
49
char str[10];
50
50
51
51
if (ad->request & AA_AUDIT_FILE_MASK) {
···
77
77
78
78
/**
79
79
* aa_audit_file - handle the auditing of file operations
80
+
* @subj_cred: cred of the subject
80
81
* @profile: the profile being enforced (NOT NULL)
81
82
* @perms: the permissions computed for the request (NOT NULL)
82
83
* @op: operation being mediated
···
91
90
*
92
91
* Returns: %0 or error on failure
93
92
*/
94
-
int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
93
+
int aa_audit_file(const struct cred *subj_cred,
94
+
struct aa_profile *profile, struct aa_perms *perms,
95
95
const char *op, u32 request, const char *name,
96
96
const char *target, struct aa_label *tlabel,
97
97
kuid_t ouid, const char *info, int error)
···
100
98
int type = AUDIT_APPARMOR_AUTO;
101
99
DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_TASK, AA_CLASS_FILE, op);
102
100
101
+
ad.subj_cred = subj_cred;
103
102
ad.request = request;
104
103
ad.name = name;
105
104
ad.fs.target = target;
···
144
141
return aa_audit(type, profile, &ad, file_audit_cb);
145
142
}
146
143
147
-
static int path_name(const char *op, struct aa_label *label,
144
+
/**
145
+
* is_deleted - test if a file has been completely unlinked
146
+
* @dentry: dentry of file to test for deletion (NOT NULL)
147
+
*
148
+
* Returns: true if deleted else false
149
+
*/
150
+
static inline bool is_deleted(struct dentry *dentry)
151
+
{
152
+
if (d_unlinked(dentry) && d_backing_inode(dentry)->i_nlink == 0)
153
+
return true;
154
+
return false;
155
+
}
156
+
157
+
static int path_name(const char *op, const struct cred *subj_cred,
158
+
struct aa_label *label,
148
159
const struct path *path, int flags, char *buffer,
149
160
const char **name, struct path_cond *cond, u32 request)
150
161
{
···
170
153
labels_profile(label)->disconnected);
171
154
if (error) {
172
155
fn_for_each_confined(label, profile,
173
-
aa_audit_file(profile, &nullperms, op, request, *name,
156
+
aa_audit_file(subj_cred,
157
+
profile, &nullperms, op, request, *name,
174
158
NULL, NULL, cond->uid, info, error));
175
159
return error;
176
160
}
···
225
207
return state;
226
208
}
227
209
228
-
static int __aa_path_perm(const char *op, struct aa_profile *profile,
229
-
const char *name, u32 request,
230
-
struct path_cond *cond, int flags,
210
+
static int __aa_path_perm(const char *op, const struct cred *subj_cred,
211
+
struct aa_profile *profile, const char *name,
212
+
u32 request, struct path_cond *cond, int flags,
231
213
struct aa_perms *perms)
232
214
{
233
215
struct aa_ruleset *rules = list_first_entry(&profile->rules,
···
240
222
name, cond, perms);
241
223
if (request & ~perms->allow)
242
224
e = -EACCES;
243
-
return aa_audit_file(profile, perms, op, request, name, NULL, NULL,
225
+
return aa_audit_file(subj_cred,
226
+
profile, perms, op, request, name, NULL, NULL,
244
227
cond->uid, NULL, e);
245
228
}
246
229
247
230
248
-
static int profile_path_perm(const char *op, struct aa_profile *profile,
231
+
static int profile_path_perm(const char *op, const struct cred *subj_cred,
232
+
struct aa_profile *profile,
249
233
const struct path *path, char *buffer, u32 request,
250
234
struct path_cond *cond, int flags,
251
235
struct aa_perms *perms)
···
258
238
if (profile_unconfined(profile))
259
239
return 0;
260
240
261
-
error = path_name(op, &profile->label, path,
241
+
error = path_name(op, subj_cred, &profile->label, path,
262
242
flags | profile->path_flags, buffer, &name, cond,
263
243
request);
264
244
if (error)
265
245
return error;
266
-
return __aa_path_perm(op, profile, name, request, cond, flags,
267
-
perms);
246
+
return __aa_path_perm(op, subj_cred, profile, name, request, cond,
247
+
flags, perms);
268
248
}
269
249
270
250
/**
271
251
* aa_path_perm - do permissions check & audit for @path
272
252
* @op: operation being checked
253
+
* @subj_cred: subject cred
273
254
* @label: profile being enforced (NOT NULL)
274
255
* @path: path to check permissions of (NOT NULL)
275
256
* @flags: any additional path flags beyond what the profile specifies
···
279
258
*
280
259
* Returns: %0 else error if access denied or other error
281
260
*/
282
-
int aa_path_perm(const char *op, struct aa_label *label,
261
+
int aa_path_perm(const char *op, const struct cred *subj_cred,
262
+
struct aa_label *label,
283
263
const struct path *path, int flags, u32 request,
284
264
struct path_cond *cond)
285
265
{
···
295
273
if (!buffer)
296
274
return -ENOMEM;
297
275
error = fn_for_each_confined(label, profile,
298
-
profile_path_perm(op, profile, path, buffer, request,
299
-
cond, flags, &perms));
276
+
profile_path_perm(op, subj_cred, profile, path, buffer,
277
+
request, cond, flags, &perms));
300
278
301
279
aa_put_buffer(buffer);
302
280
···
323
301
return true;
324
302
}
325
303
326
-
static int profile_path_link(struct aa_profile *profile,
304
+
static int profile_path_link(const struct cred *subj_cred,
305
+
struct aa_profile *profile,
327
306
const struct path *link, char *buffer,
328
307
const struct path *target, char *buffer2,
329
308
struct path_cond *cond)
···
338
315
aa_state_t state;
339
316
int error;
340
317
341
-
error = path_name(OP_LINK, &profile->label, link, profile->path_flags,
318
+
error = path_name(OP_LINK, subj_cred, &profile->label, link,
319
+
profile->path_flags,
342
320
buffer, &lname, cond, AA_MAY_LINK);
343
321
if (error)
344
322
goto audit;
345
323
346
324
/* buffer2 freed below, tname is pointer in buffer2 */
347
-
error = path_name(OP_LINK, &profile->label, target, profile->path_flags,
325
+
error = path_name(OP_LINK, subj_cred, &profile->label, target,
326
+
profile->path_flags,
348
327
buffer2, &tname, cond, AA_MAY_LINK);
349
328
if (error)
350
329
goto audit;
···
406
381
error = 0;
407
382
408
383
audit:
409
-
return aa_audit_file(profile, &lperms, OP_LINK, request, lname, tname,
384
+
return aa_audit_file(subj_cred,
385
+
profile, &lperms, OP_LINK, request, lname, tname,
410
386
NULL, cond->uid, info, error);
411
387
}
412
388
413
389
/**
414
390
* aa_path_link - Handle hard link permission check
391
+
* @subj_cred: subject cred
415
392
* @label: the label being enforced (NOT NULL)
416
393
* @old_dentry: the target dentry (NOT NULL)
417
394
* @new_dir: directory the new link will be created in (NOT NULL)
···
430
403
*
431
404
* Returns: %0 if allowed else error
432
405
*/
433
-
int aa_path_link(struct aa_label *label, struct dentry *old_dentry,
406
+
int aa_path_link(const struct cred *subj_cred,
407
+
struct aa_label *label, struct dentry *old_dentry,
434
408
const struct path *new_dir, struct dentry *new_dentry)
435
409
{
436
410
struct path link = { .mnt = new_dir->mnt, .dentry = new_dentry };
···
452
424
goto out;
453
425
454
426
error = fn_for_each_confined(label, profile,
455
-
profile_path_link(profile, &link, buffer, &target,
456
-
buffer2, &cond));
427
+
profile_path_link(subj_cred, profile, &link, buffer,
428
+
&target, buffer2, &cond));
457
429
out:
458
430
aa_put_buffer(buffer);
459
431
aa_put_buffer(buffer2);
···
481
453
spin_unlock(&fctx->lock);
482
454
}
483
455
484
-
static int __file_path_perm(const char *op, struct aa_label *label,
456
+
static int __file_path_perm(const char *op, const struct cred *subj_cred,
457
+
struct aa_label *label,
485
458
struct aa_label *flabel, struct file *file,
486
459
u32 request, u32 denied, bool in_atomic)
487
460
{
···
509
480
510
481
/* check every profile in task label not in current cache */
511
482
error = fn_for_each_not_in_set(flabel, label, profile,
512
-
profile_path_perm(op, profile, &file->f_path, buffer,
483
+
profile_path_perm(op, subj_cred, profile,
484
+
&file->f_path, buffer,
513
485
request, &cond, flags, &perms));
514
486
if (denied && !error) {
515
487
/*
···
523
493
*/
524
494
if (label == flabel)
525
495
error = fn_for_each(label, profile,
526
-
profile_path_perm(op, profile, &file->f_path,
496
+
profile_path_perm(op, subj_cred,
497
+
profile, &file->f_path,
527
498
buffer, request, &cond, flags,
528
499
&perms));
529
500
else
530
501
error = fn_for_each_not_in_set(label, flabel, profile,
531
-
profile_path_perm(op, profile, &file->f_path,
502
+
profile_path_perm(op, subj_cred,
503
+
profile, &file->f_path,
532
504
buffer, request, &cond, flags,
533
505
&perms));
534
506
}
···
542
510
return error;
543
511
}
544
512
545
-
static int __file_sock_perm(const char *op, struct aa_label *label,
513
+
static int __file_sock_perm(const char *op, const struct cred *subj_cred,
514
+
struct aa_label *label,
546
515
struct aa_label *flabel, struct file *file,
547
516
u32 request, u32 denied)
548
517
{
···
557
524
return 0;
558
525
559
526
/* TODO: improve to skip profiles cached in flabel */
560
-
error = aa_sock_file_perm(label, op, request, sock);
527
+
error = aa_sock_file_perm(subj_cred, label, op, request, sock);
561
528
if (denied) {
562
529
/* TODO: improve to skip profiles checked above */
563
530
/* check every profile in file label to is cached */
564
-
last_error(error, aa_sock_file_perm(flabel, op, request, sock));
531
+
last_error(error, aa_sock_file_perm(subj_cred, flabel, op,
532
+
request, sock));
565
533
}
566
534
if (!error)
567
535
update_file_ctx(file_ctx(file), label, request);
···
573
539
/**
574
540
* aa_file_perm - do permission revalidation check & audit for @file
575
541
* @op: operation being checked
542
+
* @subj_cred: subject cred
576
543
* @label: label being enforced (NOT NULL)
577
544
* @file: file to revalidate access permissions on (NOT NULL)
578
545
* @request: requested permissions
···
581
546
*
582
547
* Returns: %0 if access allowed else error
583
548
*/
584
-
int aa_file_perm(const char *op, struct aa_label *label, struct file *file,
549
+
int aa_file_perm(const char *op, const struct cred *subj_cred,
550
+
struct aa_label *label, struct file *file,
585
551
u32 request, bool in_atomic)
586
552
{
587
553
struct aa_file_ctx *fctx;
···
618
582
/* TODO: label cross check */
619
583
620
584
if (file->f_path.mnt && path_mediated_fs(file->f_path.dentry))
621
-
error = __file_path_perm(op, label, flabel, file, request,
622
-
denied, in_atomic);
585
+
error = __file_path_perm(op, subj_cred, label, flabel, file,
586
+
request, denied, in_atomic);
623
587
624
588
else if (S_ISSOCK(file_inode(file)->i_mode))
625
-
error = __file_sock_perm(op, label, flabel, file, request,
626
-
denied);
589
+
error = __file_sock_perm(op, subj_cred, label, flabel, file,
590
+
request, denied);
627
591
aa_put_label(flabel);
628
592
629
593
done:
630
594
return error;
631
595
}
632
596
633
-
static void revalidate_tty(struct aa_label *label)
597
+
static void revalidate_tty(const struct cred *subj_cred, struct aa_label *label)
634
598
{
635
599
struct tty_struct *tty;
636
600
int drop_tty = 0;
···
648
612
struct tty_file_private, list);
649
613
file = file_priv->file;
650
614
651
-
if (aa_file_perm(OP_INHERIT, label, file, MAY_READ | MAY_WRITE,
652
-
IN_ATOMIC))
615
+
if (aa_file_perm(OP_INHERIT, subj_cred, label, file,
616
+
MAY_READ | MAY_WRITE, IN_ATOMIC))
653
617
drop_tty = 1;
654
618
}
655
619
spin_unlock(&tty->files_lock);
···
659
623
no_tty();
660
624
}
661
625
626
+
struct cred_label {
627
+
const struct cred *cred;
628
+
struct aa_label *label;
629
+
};
630
+
662
631
static int match_file(const void *p, struct file *file, unsigned int fd)
663
632
{
664
-
struct aa_label *label = (struct aa_label *)p;
633
+
struct cred_label *cl = (struct cred_label *)p;
665
634
666
-
if (aa_file_perm(OP_INHERIT, label, file, aa_map_file_to_perms(file),
667
-
IN_ATOMIC))
635
+
if (aa_file_perm(OP_INHERIT, cl->cred, cl->label, file,
636
+
aa_map_file_to_perms(file), IN_ATOMIC))
668
637
return fd + 1;
669
638
return 0;
670
639
}
···
679
638
void aa_inherit_files(const struct cred *cred, struct files_struct *files)
680
639
{
681
640
struct aa_label *label = aa_get_newest_cred_label(cred);
641
+
struct cred_label cl = {
642
+
.cred = cred,
643
+
.label = label,
644
+
};
682
645
struct file *devnull = NULL;
683
646
unsigned int n;
684
647
685
-
revalidate_tty(label);
648
+
revalidate_tty(cred, label);
686
649
687
650
/* Revalidate access to inherited open files. */
688
-
n = iterate_fd(files, 0, match_file, label);
651
+
n = iterate_fd(files, 0, match_file, &cl);
689
652
if (!n) /* none found? */
690
653
goto out;
691
654
···
699
654
/* replace all the matching ones with this */
700
655
do {
701
656
replace_fd(n - 1, devnull, 0);
702
-
} while ((n = iterate_fd(files, n, match_file, label)) != 0);
657
+
} while ((n = iterate_fd(files, n, match_file, &cl)) != 0);
703
658
if (devnull)
704
659
fput(devnull);
705
660
out:
+1
security/apparmor/include/audit.h
+1
security/apparmor/include/audit.h
+2
-1
security/apparmor/include/capability.h
+2
-1
security/apparmor/include/capability.h
···
36
36
37
37
extern struct aa_sfs_entry aa_sfs_entry_caps[];
38
38
39
-
int aa_capable(struct aa_label *label, int cap, unsigned int opts);
39
+
int aa_capable(const struct cred *subj_cred, struct aa_label *label,
40
+
int cap, unsigned int opts);
40
41
41
42
static inline void aa_free_cap_rules(struct aa_caps *caps)
42
43
{
+10
-7
security/apparmor/include/file.h
+10
-7
security/apparmor/include/file.h
···
71
71
72
72
#define COMBINED_PERM_MASK(X) ((X).allow | (X).audit | (X).quiet | (X).kill)
73
73
74
-
int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
74
+
int aa_audit_file(const struct cred *cred,
75
+
struct aa_profile *profile, struct aa_perms *perms,
75
76
const char *op, u32 request, const char *name,
76
77
const char *target, struct aa_label *tlabel, kuid_t ouid,
77
78
const char *info, int error);
···
83
82
const char *name, struct path_cond *cond,
84
83
struct aa_perms *perms);
85
84
86
-
int aa_path_perm(const char *op, struct aa_label *label,
87
-
const struct path *path, int flags, u32 request,
88
-
struct path_cond *cond);
85
+
int aa_path_perm(const char *op, const struct cred *subj_cred,
86
+
struct aa_label *label, const struct path *path,
87
+
int flags, u32 request, struct path_cond *cond);
89
88
90
-
int aa_path_link(struct aa_label *label, struct dentry *old_dentry,
91
-
const struct path *new_dir, struct dentry *new_dentry);
89
+
int aa_path_link(const struct cred *subj_cred, struct aa_label *label,
90
+
struct dentry *old_dentry, const struct path *new_dir,
91
+
struct dentry *new_dentry);
92
92
93
-
int aa_file_perm(const char *op, struct aa_label *label, struct file *file,
93
+
int aa_file_perm(const char *op, const struct cred *subj_cred,
94
+
struct aa_label *label, struct file *file,
94
95
u32 request, bool in_atomic);
95
96
96
97
void aa_inherit_files(const struct cred *cred, struct files_struct *files);
+3
-1
security/apparmor/include/ipc.h
+3
-1
security/apparmor/include/ipc.h
···
13
13
14
14
#include <linux/sched.h>
15
15
16
-
int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig);
16
+
int aa_may_signal(const struct cred *subj_cred, struct aa_label *sender,
17
+
const struct cred *target_cred, struct aa_label *target,
18
+
int sig);
17
19
18
20
#endif /* __AA_IPC_H */
+14
-7
security/apparmor/include/mount.h
+14
-7
security/apparmor/include/mount.h
···
25
25
26
26
#define AA_MS_IGNORE_MASK (MS_KERNMOUNT | MS_NOSEC | MS_ACTIVE | MS_BORN)
27
27
28
-
int aa_remount(struct aa_label *label, const struct path *path,
28
+
int aa_remount(const struct cred *subj_cred,
29
+
struct aa_label *label, const struct path *path,
29
30
unsigned long flags, void *data);
30
31
31
-
int aa_bind_mount(struct aa_label *label, const struct path *path,
32
+
int aa_bind_mount(const struct cred *subj_cred,
33
+
struct aa_label *label, const struct path *path,
32
34
const char *old_name, unsigned long flags);
33
35
34
36
35
-
int aa_mount_change_type(struct aa_label *label, const struct path *path,
37
+
int aa_mount_change_type(const struct cred *subj_cred,
38
+
struct aa_label *label, const struct path *path,
36
39
unsigned long flags);
37
40
38
-
int aa_move_mount(struct aa_label *label, const struct path *path,
41
+
int aa_move_mount(const struct cred *subj_cred,
42
+
struct aa_label *label, const struct path *path,
39
43
const char *old_name);
40
44
41
-
int aa_new_mount(struct aa_label *label, const char *dev_name,
45
+
int aa_new_mount(const struct cred *subj_cred,
46
+
struct aa_label *label, const char *dev_name,
42
47
const struct path *path, const char *type, unsigned long flags,
43
48
void *data);
44
49
45
-
int aa_umount(struct aa_label *label, struct vfsmount *mnt, int flags);
50
+
int aa_umount(const struct cred *subj_cred,
51
+
struct aa_label *label, struct vfsmount *mnt, int flags);
46
52
47
-
int aa_pivotroot(struct aa_label *label, const struct path *old_path,
53
+
int aa_pivotroot(const struct cred *subj_cred,
54
+
struct aa_label *label, const struct path *old_path,
48
55
const struct path *new_path);
49
56
50
57
#endif /* __AA_MOUNT_H */
+4
-2
security/apparmor/include/net.h
+4
-2
security/apparmor/include/net.h
···
97
97
int aa_profile_af_perm(struct aa_profile *profile,
98
98
struct apparmor_audit_data *ad,
99
99
u32 request, u16 family, int type);
100
-
int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
100
+
int aa_af_perm(const struct cred *subj_cred, struct aa_label *label,
101
+
const char *op, u32 request, u16 family,
101
102
int type, int protocol);
102
103
static inline int aa_profile_af_sk_perm(struct aa_profile *profile,
103
104
struct apparmor_audit_data *ad,
···
110
109
}
111
110
int aa_sk_perm(const char *op, u32 request, struct sock *sk);
112
111
113
-
int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
112
+
int aa_sock_file_perm(const struct cred *subj_cred, struct aa_label *label,
113
+
const char *op, u32 request,
114
114
struct socket *sock);
115
115
116
116
int apparmor_secmark_check(struct aa_label *label, char *op, u32 request,
+6
-3
security/apparmor/include/policy.h
+6
-3
security/apparmor/include/policy.h
···
361
361
return profile->audit;
362
362
}
363
363
364
-
bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns);
365
-
bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns);
366
-
int aa_may_manage_policy(struct aa_label *label, struct aa_ns *ns,
364
+
bool aa_policy_view_capable(const struct cred *subj_cred,
365
+
struct aa_label *label, struct aa_ns *ns);
366
+
bool aa_policy_admin_capable(const struct cred *subj_cred,
367
+
struct aa_label *label, struct aa_ns *ns);
368
+
int aa_may_manage_policy(const struct cred *subj_cred,
369
+
struct aa_label *label, struct aa_ns *ns,
367
370
u32 mask);
368
371
bool aa_current_policy_view_capable(struct aa_ns *ns);
369
372
bool aa_current_policy_admin_capable(struct aa_ns *ns);
+2
-1
security/apparmor/include/resource.h
+2
-1
security/apparmor/include/resource.h
···
33
33
extern struct aa_sfs_entry aa_sfs_entry_rlimit[];
34
34
35
35
int aa_map_resource(int resource);
36
-
int aa_task_setrlimit(struct aa_label *label, struct task_struct *task,
36
+
int aa_task_setrlimit(const struct cred *subj_cred, struct aa_label *label,
37
+
struct task_struct *task,
37
38
unsigned int resource, struct rlimit *new_rlim);
38
39
39
40
void __aa_transition_rlimits(struct aa_label *old, struct aa_label *new);
+2
-1
security/apparmor/include/task.h
+2
-1
security/apparmor/include/task.h
···
91
91
"segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg " \
92
92
"xcpu xfsz vtalrm prof winch io pwr sys emt lost"
93
93
94
-
int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
94
+
int aa_may_ptrace(const struct cred *tracer_cred, struct aa_label *tracer,
95
+
const struct cred *tracee_cred, struct aa_label *tracee,
95
96
u32 request);
96
97
97
98
+10
-4
security/apparmor/ipc.c
+10
-4
security/apparmor/ipc.c
···
75
75
FLAGS_NONE, GFP_ATOMIC);
76
76
}
77
77
78
-
static int profile_signal_perm(struct aa_profile *profile,
78
+
static int profile_signal_perm(const struct cred *cred,
79
+
struct aa_profile *profile,
79
80
struct aa_label *peer, u32 request,
80
81
struct apparmor_audit_data *ad)
81
82
{
···
89
88
!ANY_RULE_MEDIATES(&profile->rules, AA_CLASS_SIGNAL))
90
89
return 0;
91
90
91
+
ad->subj_cred = cred;
92
92
ad->peer = peer;
93
93
/* TODO: secondary cache check <profile, profile, perm> */
94
94
state = aa_dfa_next(rules->policy.dfa,
···
100
98
return aa_check_perms(profile, &perms, request, ad, audit_signal_cb);
101
99
}
102
100
103
-
int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig)
101
+
int aa_may_signal(const struct cred *subj_cred, struct aa_label *sender,
102
+
const struct cred *target_cred, struct aa_label *target,
103
+
int sig)
104
104
{
105
105
struct aa_profile *profile;
106
106
DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_SIGNAL, OP_SIGNAL);
···
110
106
ad.signal = map_signal_num(sig);
111
107
ad.unmappedsig = sig;
112
108
return xcheck_labels(sender, target, profile,
113
-
profile_signal_perm(profile, target, MAY_WRITE, &ad),
114
-
profile_signal_perm(profile, sender, MAY_READ, &ad));
109
+
profile_signal_perm(subj_cred, profile, target,
110
+
MAY_WRITE, &ad),
111
+
profile_signal_perm(target_cred, profile, sender,
112
+
MAY_READ, &ad));
115
113
}
+52
-33
security/apparmor/lsm.c
+52
-33
security/apparmor/lsm.c
···
116
116
unsigned int mode)
117
117
{
118
118
struct aa_label *tracer, *tracee;
119
+
const struct cred *cred;
119
120
int error;
120
121
122
+
cred = get_task_cred(child);
123
+
tracee = cred_label(cred); /* ref count on cred */
121
124
tracer = __begin_current_label_crit_section();
122
-
tracee = aa_get_task_label(child);
123
-
error = aa_may_ptrace(tracer, tracee,
125
+
error = aa_may_ptrace(current_cred(), tracer, cred, tracee,
124
126
(mode & PTRACE_MODE_READ) ? AA_PTRACE_READ
125
127
: AA_PTRACE_TRACE);
126
-
aa_put_label(tracee);
127
128
__end_current_label_crit_section(tracer);
129
+
put_cred(cred);
128
130
129
131
return error;
130
132
}
···
134
132
static int apparmor_ptrace_traceme(struct task_struct *parent)
135
133
{
136
134
struct aa_label *tracer, *tracee;
135
+
const struct cred *cred;
137
136
int error;
138
137
139
138
tracee = __begin_current_label_crit_section();
140
-
tracer = aa_get_task_label(parent);
141
-
error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
142
-
aa_put_label(tracer);
139
+
cred = get_task_cred(parent);
140
+
tracer = cred_label(cred); /* ref count on cred */
141
+
error = aa_may_ptrace(cred, tracer, current_cred(), tracee,
142
+
AA_PTRACE_TRACE);
143
+
put_cred(cred);
143
144
__end_current_label_crit_section(tracee);
144
145
145
146
return error;
···
193
188
194
189
label = aa_get_newest_cred_label(cred);
195
190
if (!unconfined(label))
196
-
error = aa_capable(label, cap, opts);
191
+
error = aa_capable(cred, label, cap, opts);
197
192
aa_put_label(label);
198
193
199
194
return error;
···
216
211
217
212
label = __begin_current_label_crit_section();
218
213
if (!unconfined(label))
219
-
error = aa_path_perm(op, label, path, 0, mask, cond);
214
+
error = aa_path_perm(op, current_cred(), label, path, 0, mask,
215
+
cond);
220
216
__end_current_label_crit_section(label);
221
217
222
218
return error;
···
363
357
364
358
label = begin_current_label_crit_section();
365
359
if (!unconfined(label))
366
-
error = aa_path_link(label, old_dentry, new_dir, new_dentry);
360
+
error = aa_path_link(current_cred(), label, old_dentry, new_dir,
361
+
new_dentry);
367
362
end_current_label_crit_section(label);
368
363
369
364
return error;
···
403
396
vfsuid = i_uid_into_vfsuid(idmap, d_backing_inode(old_dentry));
404
397
cond_exchange.uid = vfsuid_into_kuid(vfsuid);
405
398
406
-
error = aa_path_perm(OP_RENAME_SRC, label, &new_path, 0,
399
+
error = aa_path_perm(OP_RENAME_SRC, current_cred(),
400
+
label, &new_path, 0,
407
401
MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
408
402
AA_MAY_SETATTR | AA_MAY_DELETE,
409
403
&cond_exchange);
410
404
if (!error)
411
-
error = aa_path_perm(OP_RENAME_DEST, label, &old_path,
405
+
error = aa_path_perm(OP_RENAME_DEST, current_cred(),
406
+
label, &old_path,
412
407
0, MAY_WRITE | AA_MAY_SETATTR |
413
408
AA_MAY_CREATE, &cond_exchange);
414
409
}
415
410
416
411
if (!error)
417
-
error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0,
412
+
error = aa_path_perm(OP_RENAME_SRC, current_cred(),
413
+
label, &old_path, 0,
418
414
MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
419
415
AA_MAY_SETATTR | AA_MAY_DELETE,
420
416
&cond);
421
417
if (!error)
422
-
error = aa_path_perm(OP_RENAME_DEST, label, &new_path,
418
+
error = aa_path_perm(OP_RENAME_DEST, current_cred(),
419
+
label, &new_path,
423
420
0, MAY_WRITE | AA_MAY_SETATTR |
424
421
AA_MAY_CREATE, &cond);
425
422
···
478
467
vfsuid = i_uid_into_vfsuid(idmap, inode);
479
468
cond.uid = vfsuid_into_kuid(vfsuid);
480
469
481
-
error = aa_path_perm(OP_OPEN, label, &file->f_path, 0,
470
+
error = aa_path_perm(OP_OPEN, file->f_cred,
471
+
label, &file->f_path, 0,
482
472
aa_map_file_to_perms(file), &cond);
483
473
/* todo cache full allowed permissions set and state */
484
474
fctx->allow = aa_map_file_to_perms(file);
···
519
507
return -EACCES;
520
508
521
509
label = __begin_current_label_crit_section();
522
-
error = aa_file_perm(op, label, file, mask, in_atomic);
510
+
error = aa_file_perm(op, current_cred(), label, file, mask, in_atomic);
523
511
__end_current_label_crit_section(label);
524
512
525
513
return error;
···
597
585
label = __begin_current_label_crit_section();
598
586
if (!unconfined(label)) {
599
587
if (flags & MS_REMOUNT)
600
-
error = aa_remount(label, path, flags, data);
588
+
error = aa_remount(current_cred(), label, path, flags,
589
+
data);
601
590
else if (flags & MS_BIND)
602
-
error = aa_bind_mount(label, path, dev_name, flags);
591
+
error = aa_bind_mount(current_cred(), label, path,
592
+
dev_name, flags);
603
593
else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE |
604
594
MS_UNBINDABLE))
605
-
error = aa_mount_change_type(label, path, flags);
595
+
error = aa_mount_change_type(current_cred(), label,
596
+
path, flags);
606
597
else if (flags & MS_MOVE)
607
-
error = aa_move_mount(label, path, dev_name);
598
+
error = aa_move_mount(current_cred(), label, path,
599
+
dev_name);
608
600
else
609
-
error = aa_new_mount(label, dev_name, path, type,
610
-
flags, data);
601
+
error = aa_new_mount(current_cred(), label, dev_name,
602
+
path, type, flags, data);
611
603
}
612
604
__end_current_label_crit_section(label);
613
605
···
625
609
626
610
label = __begin_current_label_crit_section();
627
611
if (!unconfined(label))
628
-
error = aa_umount(label, mnt, flags);
612
+
error = aa_umount(current_cred(), label, mnt, flags);
629
613
__end_current_label_crit_section(label);
630
614
631
615
return error;
···
639
623
640
624
label = aa_get_current_label();
641
625
if (!unconfined(label))
642
-
error = aa_pivotroot(label, old_path, new_path);
626
+
error = aa_pivotroot(current_cred(), label, old_path, new_path);
643
627
aa_put_label(label);
644
628
645
629
return error;
···
801
785
int error = 0;
802
786
803
787
if (!unconfined(label))
804
-
error = aa_task_setrlimit(label, task, resource, new_rlim);
788
+
error = aa_task_setrlimit(current_cred(), label, task,
789
+
resource, new_rlim);
805
790
__end_current_label_crit_section(label);
806
791
807
792
return error;
···
811
794
static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo *info,
812
795
int sig, const struct cred *cred)
813
796
{
797
+
const struct cred *tc;
814
798
struct aa_label *cl, *tl;
815
799
int error;
816
800
801
+
tc = get_task_cred(target);
802
+
tl = aa_get_newest_cred_label(tc);
817
803
if (cred) {
818
804
/*
819
805
* Dealing with USB IO specific behavior
820
806
*/
821
807
cl = aa_get_newest_cred_label(cred);
822
-
tl = aa_get_task_label(target);
823
-
error = aa_may_signal(cl, tl, sig);
808
+
error = aa_may_signal(cred, cl, tc, tl, sig);
824
809
aa_put_label(cl);
825
-
aa_put_label(tl);
826
810
return error;
811
+
} else {
812
+
cl = __begin_current_label_crit_section();
813
+
error = aa_may_signal(current_cred(), cl, tc, tl, sig);
814
+
__end_current_label_crit_section(cl);
827
815
}
828
-
829
-
cl = __begin_current_label_crit_section();
830
-
tl = aa_get_task_label(target);
831
-
error = aa_may_signal(cl, tl, sig);
832
816
aa_put_label(tl);
833
-
__end_current_label_crit_section(cl);
817
+
put_cred(tc);
834
818
835
819
return error;
836
820
}
···
897
879
if (!(kern || unconfined(label)))
898
880
error = af_select(family,
899
881
create_perm(label, family, type, protocol),
900
-
aa_af_perm(label, OP_CREATE, AA_MAY_CREATE,
882
+
aa_af_perm(current_cred(), label,
883
+
OP_CREATE, AA_MAY_CREATE,
901
884
family, type, protocol));
902
885
end_current_label_crit_section(label);
903
886
+55
-30
security/apparmor/mount.c
+55
-30
security/apparmor/mount.c
···
113
113
114
114
/**
115
115
* audit_mount - handle the auditing of mount operations
116
+
* @subj_cred: cred of the subject
116
117
* @profile: the profile being enforced (NOT NULL)
117
118
* @op: operation being mediated (NOT NULL)
118
119
* @name: name of object being mediated (MAYBE NULL)
···
129
128
*
130
129
* Returns: %0 or error on failure
131
130
*/
132
-
static int audit_mount(struct aa_profile *profile, const char *op,
131
+
static int audit_mount(const struct cred *subj_cred,
132
+
struct aa_profile *profile, const char *op,
133
133
const char *name, const char *src_name,
134
134
const char *type, const char *trans,
135
135
unsigned long flags, const void *data, u32 request,
···
168
166
return error;
169
167
}
170
168
169
+
ad.subj_cred = subj_cred;
171
170
ad.name = name;
172
171
ad.mnt.src_name = src_name;
173
172
ad.mnt.type = type;
···
287
284
288
285
/**
289
286
* match_mnt_path_str - handle path matching for mount
287
+
* @subj_cred: cred of confined subject
290
288
* @profile: the confining profile
291
289
* @mntpath: for the mntpnt (NOT NULL)
292
290
* @buffer: buffer to be used to lookup mntpath
···
300
296
*
301
297
* Returns: 0 on success else error
302
298
*/
303
-
static int match_mnt_path_str(struct aa_profile *profile,
299
+
static int match_mnt_path_str(const struct cred *subj_cred,
300
+
struct aa_profile *profile,
304
301
const struct path *mntpath, char *buffer,
305
302
const char *devname, const char *type,
306
303
unsigned long flags, void *data, bool binary,
···
342
337
error = 0;
343
338
344
339
audit:
345
-
return audit_mount(profile, OP_MOUNT, mntpnt, devname, type, NULL,
340
+
return audit_mount(subj_cred, profile, OP_MOUNT, mntpnt, devname,
341
+
type, NULL,
346
342
flags, data, AA_MAY_MOUNT, &perms, info, error);
347
343
}
348
344
349
345
/**
350
346
* match_mnt - handle path matching for mount
347
+
* @subj_cred: cred of the subject
351
348
* @profile: the confining profile
352
349
* @path: for the mntpnt (NOT NULL)
353
350
* @buffer: buffer to be used to lookup mntpath
···
362
355
*
363
356
* Returns: 0 on success else error
364
357
*/
365
-
static int match_mnt(struct aa_profile *profile, const struct path *path,
358
+
static int match_mnt(const struct cred *subj_cred,
359
+
struct aa_profile *profile, const struct path *path,
366
360
char *buffer, const struct path *devpath, char *devbuffer,
367
361
const char *type, unsigned long flags, void *data,
368
362
bool binary)
···
387
379
devname = ERR_PTR(error);
388
380
}
389
381
390
-
return match_mnt_path_str(profile, path, buffer, devname, type, flags,
391
-
data, binary, info);
382
+
return match_mnt_path_str(subj_cred, profile, path, buffer, devname,
383
+
type, flags, data, binary, info);
392
384
}
393
385
394
-
int aa_remount(struct aa_label *label, const struct path *path,
386
+
int aa_remount(const struct cred *subj_cred,
387
+
struct aa_label *label, const struct path *path,
395
388
unsigned long flags, void *data)
396
389
{
397
390
struct aa_profile *profile;
···
409
400
if (!buffer)
410
401
return -ENOMEM;
411
402
error = fn_for_each_confined(label, profile,
412
-
match_mnt(profile, path, buffer, NULL, NULL, NULL,
403
+
match_mnt(subj_cred, profile, path, buffer, NULL,
404
+
NULL, NULL,
413
405
flags, data, binary));
414
406
aa_put_buffer(buffer);
415
407
416
408
return error;
417
409
}
418
410
419
-
int aa_bind_mount(struct aa_label *label, const struct path *path,
411
+
int aa_bind_mount(const struct cred *subj_cred,
412
+
struct aa_label *label, const struct path *path,
420
413
const char *dev_name, unsigned long flags)
421
414
{
422
415
struct aa_profile *profile;
···
445
434
goto out;
446
435
447
436
error = fn_for_each_confined(label, profile,
448
-
match_mnt(profile, path, buffer, &old_path, old_buffer,
449
-
NULL, flags, NULL, false));
437
+
match_mnt(subj_cred, profile, path, buffer, &old_path,
438
+
old_buffer, NULL, flags, NULL, false));
450
439
out:
451
440
aa_put_buffer(buffer);
452
441
aa_put_buffer(old_buffer);
···
455
444
return error;
456
445
}
457
446
458
-
int aa_mount_change_type(struct aa_label *label, const struct path *path,
447
+
int aa_mount_change_type(const struct cred *subj_cred,
448
+
struct aa_label *label, const struct path *path,
459
449
unsigned long flags)
460
450
{
461
451
struct aa_profile *profile;
···
474
462
if (!buffer)
475
463
return -ENOMEM;
476
464
error = fn_for_each_confined(label, profile,
477
-
match_mnt(profile, path, buffer, NULL, NULL, NULL,
465
+
match_mnt(subj_cred, profile, path, buffer, NULL,
466
+
NULL, NULL,
478
467
flags, NULL, false));
479
468
aa_put_buffer(buffer);
480
469
481
470
return error;
482
471
}
483
472
484
-
int aa_move_mount(struct aa_label *label, const struct path *path,
473
+
int aa_move_mount(const struct cred *subj_cred,
474
+
struct aa_label *label, const struct path *path,
485
475
const char *orig_name)
486
476
{
487
477
struct aa_profile *profile;
···
507
493
if (!buffer || !old_buffer)
508
494
goto out;
509
495
error = fn_for_each_confined(label, profile,
510
-
match_mnt(profile, path, buffer, &old_path, old_buffer,
496
+
match_mnt(subj_cred, profile, path, buffer, &old_path,
497
+
old_buffer,
511
498
NULL, MS_MOVE, NULL, false));
512
499
out:
513
500
aa_put_buffer(buffer);
···
518
503
return error;
519
504
}
520
505
521
-
int aa_new_mount(struct aa_label *label, const char *dev_name,
522
-
const struct path *path, const char *type, unsigned long flags,
523
-
void *data)
506
+
int aa_new_mount(const struct cred *subj_cred, struct aa_label *label,
507
+
const char *dev_name, const struct path *path,
508
+
const char *type, unsigned long flags, void *data)
524
509
{
525
510
struct aa_profile *profile;
526
511
char *buffer = NULL, *dev_buffer = NULL;
···
565
550
goto out;
566
551
}
567
552
error = fn_for_each_confined(label, profile,
568
-
match_mnt(profile, path, buffer, dev_path, dev_buffer,
553
+
match_mnt(subj_cred, profile, path, buffer,
554
+
dev_path, dev_buffer,
569
555
type, flags, data, binary));
570
556
} else {
571
557
error = fn_for_each_confined(label, profile,
572
-
match_mnt_path_str(profile, path, buffer, dev_name,
573
-
type, flags, data, binary, NULL));
558
+
match_mnt_path_str(subj_cred, profile, path,
559
+
buffer, dev_name,
560
+
type, flags, data, binary, NULL));
574
561
}
575
562
576
563
out:
···
584
567
return error;
585
568
}
586
569
587
-
static int profile_umount(struct aa_profile *profile, const struct path *path,
570
+
static int profile_umount(const struct cred *subj_cred,
571
+
struct aa_profile *profile, const struct path *path,
588
572
char *buffer)
589
573
{
590
574
struct aa_ruleset *rules = list_first_entry(&profile->rules,
···
614
596
error = -EACCES;
615
597
616
598
audit:
617
-
return audit_mount(profile, OP_UMOUNT, name, NULL, NULL, NULL, 0, NULL,
599
+
return audit_mount(subj_cred, profile, OP_UMOUNT, name, NULL, NULL,
600
+
NULL, 0, NULL,
618
601
AA_MAY_UMOUNT, &perms, info, error);
619
602
}
620
603
621
-
int aa_umount(struct aa_label *label, struct vfsmount *mnt, int flags)
604
+
int aa_umount(const struct cred *subj_cred, struct aa_label *label,
605
+
struct vfsmount *mnt, int flags)
622
606
{
623
607
struct aa_profile *profile;
624
608
char *buffer = NULL;
···
635
615
return -ENOMEM;
636
616
637
617
error = fn_for_each_confined(label, profile,
638
-
profile_umount(profile, &path, buffer));
618
+
profile_umount(subj_cred, profile, &path, buffer));
639
619
aa_put_buffer(buffer);
640
620
641
621
return error;
···
645
625
*
646
626
* Returns: label for transition or ERR_PTR. Does not return NULL
647
627
*/
648
-
static struct aa_label *build_pivotroot(struct aa_profile *profile,
628
+
static struct aa_label *build_pivotroot(const struct cred *subj_cred,
629
+
struct aa_profile *profile,
649
630
const struct path *new_path,
650
631
char *new_buffer,
651
632
const struct path *old_path,
···
691
670
error = 0;
692
671
693
672
audit:
694
-
error = audit_mount(profile, OP_PIVOTROOT, new_name, old_name,
673
+
error = audit_mount(subj_cred, profile, OP_PIVOTROOT, new_name,
674
+
old_name,
695
675
NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT,
696
676
&perms, info, error);
697
677
if (error)
···
701
679
return aa_get_newest_label(&profile->label);
702
680
}
703
681
704
-
int aa_pivotroot(struct aa_label *label, const struct path *old_path,
682
+
int aa_pivotroot(const struct cred *subj_cred, struct aa_label *label,
683
+
const struct path *old_path,
705
684
const struct path *new_path)
706
685
{
707
686
struct aa_profile *profile;
···
720
697
if (!old_buffer || !new_buffer)
721
698
goto out;
722
699
target = fn_label_build(label, profile, GFP_KERNEL,
723
-
build_pivotroot(profile, new_path, new_buffer,
700
+
build_pivotroot(subj_cred, profile, new_path,
701
+
new_buffer,
724
702
old_path, old_buffer));
725
703
if (!target) {
726
704
info = "label build failed";
···
747
723
fail:
748
724
/* TODO: add back in auditing of new_name and old_name */
749
725
error = fn_for_each(label, profile,
750
-
audit_mount(profile, OP_PIVOTROOT, NULL /*new_name */,
726
+
audit_mount(subj_cred, profile, OP_PIVOTROOT,
727
+
NULL /*new_name */,
751
728
NULL /* old_name */,
752
729
NULL, NULL,
753
730
0, NULL, AA_MAY_PIVOTROOT, &nullperms, info,
+10
-7
security/apparmor/net.c
+10
-7
security/apparmor/net.c
···
135
135
return aa_check_perms(profile, &perms, request, ad, audit_net_cb);
136
136
}
137
137
138
-
int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
139
-
int type, int protocol)
138
+
int aa_af_perm(const struct cred *subj_cred, struct aa_label *label,
139
+
const char *op, u32 request, u16 family, int type, int protocol)
140
140
{
141
141
struct aa_profile *profile;
142
142
DEFINE_AUDIT_NET(ad, op, NULL, family, type, protocol);
···
146
146
type));
147
147
}
148
148
149
-
static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request,
149
+
static int aa_label_sk_perm(const struct cred *subj_cred,
150
+
struct aa_label *label,
151
+
const char *op, u32 request,
150
152
struct sock *sk)
151
153
{
152
154
struct aa_sk_ctx *ctx = SK_CTX(sk);
···
161
159
struct aa_profile *profile;
162
160
DEFINE_AUDIT_SK(ad, op, sk);
163
161
162
+
ad.subj_cred = subj_cred;
164
163
error = fn_for_each_confined(label, profile,
165
164
aa_profile_af_sk_perm(profile, &ad, request, sk));
166
165
}
···
179
176
180
177
/* TODO: switch to begin_current_label ???? */
181
178
label = begin_current_label_crit_section();
182
-
error = aa_label_sk_perm(label, op, request, sk);
179
+
error = aa_label_sk_perm(current_cred(), label, op, request, sk);
183
180
end_current_label_crit_section(label);
184
181
185
182
return error;
186
183
}
187
184
188
185
189
-
int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
190
-
struct socket *sock)
186
+
int aa_sock_file_perm(const struct cred *subj_cred, struct aa_label *label,
187
+
const char *op, u32 request, struct socket *sock)
191
188
{
192
189
AA_BUG(!label);
193
190
AA_BUG(!sock);
194
191
AA_BUG(!sock->sk);
195
192
196
-
return aa_label_sk_perm(label, op, request, sock->sk);
193
+
return aa_label_sk_perm(subj_cred, label, op, request, sock->sk);
197
194
}
198
195
199
196
#ifdef CONFIG_NETWORK_SECMARK
+20
-13
security/apparmor/policy.c
+20
-13
security/apparmor/policy.c
···
762
762
/* don't call out to other LSMs in the stack for apparmor policy admin
763
763
* permissions
764
764
*/
765
-
static int policy_ns_capable(struct aa_label *label,
765
+
static int policy_ns_capable(const struct cred *subj_cred,
766
+
struct aa_label *label,
766
767
struct user_namespace *userns, int cap)
767
768
{
768
769
int err;
769
770
770
771
/* check for MAC_ADMIN cap in cred */
771
-
err = cap_capable(current_cred(), userns, cap, CAP_OPT_NONE);
772
+
err = cap_capable(subj_cred, userns, cap, CAP_OPT_NONE);
772
773
if (!err)
773
-
err = aa_capable(label, cap, CAP_OPT_NONE);
774
+
err = aa_capable(subj_cred, label, cap, CAP_OPT_NONE);
774
775
775
776
return err;
776
777
}
777
778
778
779
/**
779
780
* aa_policy_view_capable - check if viewing policy in at @ns is allowed
781
+
* @subj_cred: cred of subject
780
782
* @label: label that is trying to view policy in ns
781
783
* @ns: namespace being viewed by @label (may be NULL if @label's ns)
782
784
*
···
787
785
* If @ns is NULL then the namespace being viewed is assumed to be the
788
786
* tasks current namespace.
789
787
*/
790
-
bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns)
788
+
bool aa_policy_view_capable(const struct cred *subj_cred,
789
+
struct aa_label *label, struct aa_ns *ns)
791
790
{
792
-
struct user_namespace *user_ns = current_user_ns();
791
+
struct user_namespace *user_ns = subj_cred->user_ns;
793
792
struct aa_ns *view_ns = labels_view(label);
794
793
bool root_in_user_ns = uid_eq(current_euid(), make_kuid(user_ns, 0)) ||
795
794
in_egroup_p(make_kgid(user_ns, 0));
···
807
804
return response;
808
805
}
809
806
810
-
bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns)
807
+
bool aa_policy_admin_capable(const struct cred *subj_cred,
808
+
struct aa_label *label, struct aa_ns *ns)
811
809
{
812
-
struct user_namespace *user_ns = current_user_ns();
813
-
bool capable = policy_ns_capable(label, user_ns, CAP_MAC_ADMIN) == 0;
810
+
struct user_namespace *user_ns = subj_cred->user_ns;
811
+
bool capable = policy_ns_capable(subj_cred, label, user_ns,
812
+
CAP_MAC_ADMIN) == 0;
814
813
815
814
AA_DEBUG("cap_mac_admin? %d\n", capable);
816
815
AA_DEBUG("policy locked? %d\n", aa_g_lock_policy);
817
816
818
-
return aa_policy_view_capable(label, ns) && capable &&
817
+
return aa_policy_view_capable(subj_cred, label, ns) && capable &&
819
818
!aa_g_lock_policy;
820
819
}
821
820
···
827
822
bool res;
828
823
829
824
label = __begin_current_label_crit_section();
830
-
res = aa_policy_view_capable(label, ns);
825
+
res = aa_policy_view_capable(current_cred(), label, ns);
831
826
__end_current_label_crit_section(label);
832
827
833
828
return res;
···
839
834
bool res;
840
835
841
836
label = __begin_current_label_crit_section();
842
-
res = aa_policy_admin_capable(label, ns);
837
+
res = aa_policy_admin_capable(current_cred(), label, ns);
843
838
__end_current_label_crit_section(label);
844
839
845
840
return res;
···
847
842
848
843
/**
849
844
* aa_may_manage_policy - can the current task manage policy
845
+
* @subj_cred; subjects cred
850
846
* @label: label to check if it can manage policy
851
847
* @ns: namespace being managed by @label (may be NULL if @label's ns)
852
848
* @mask: contains the policy manipulation operation being done
853
849
*
854
850
* Returns: 0 if the task is allowed to manipulate policy else error
855
851
*/
856
-
int aa_may_manage_policy(struct aa_label *label, struct aa_ns *ns, u32 mask)
852
+
int aa_may_manage_policy(const struct cred *subj_cred, struct aa_label *label,
853
+
struct aa_ns *ns, u32 mask)
857
854
{
858
855
const char *op;
859
856
···
871
864
return audit_policy(label, op, NULL, NULL, "policy_locked",
872
865
-EACCES);
873
866
874
-
if (!aa_policy_admin_capable(label, ns))
867
+
if (!aa_policy_admin_capable(subj_cred, label, ns))
875
868
return audit_policy(label, op, NULL, NULL, "not policy admin",
876
869
-EACCES);
877
870
+15
-8
security/apparmor/resource.c
+15
-8
security/apparmor/resource.c
···
43
43
44
44
/**
45
45
* audit_resource - audit setting resource limit
46
+
* @subj_cred: cred setting the resource
46
47
* @profile: profile being enforced (NOT NULL)
47
48
* @resource: rlimit being auditing
48
49
* @value: value being set
···
53
52
*
54
53
* Returns: 0 or ad->error else other error code on failure
55
54
*/
56
-
static int audit_resource(struct aa_profile *profile, unsigned int resource,
55
+
static int audit_resource(const struct cred *subj_cred,
56
+
struct aa_profile *profile, unsigned int resource,
57
57
unsigned long value, struct aa_label *peer,
58
58
const char *info, int error)
59
59
{
60
60
DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_RLIMITS,
61
61
OP_SETRLIMIT);
62
62
63
+
ad.subj_cred = subj_cred;
63
64
ad.rlim.rlim = resource;
64
65
ad.rlim.max = value;
65
66
ad.peer = peer;
···
85
82
return rlim_map[resource];
86
83
}
87
84
88
-
static int profile_setrlimit(struct aa_profile *profile, unsigned int resource,
85
+
static int profile_setrlimit(const struct cred *subj_cred,
86
+
struct aa_profile *profile, unsigned int resource,
89
87
struct rlimit *new_rlim)
90
88
{
91
89
struct aa_ruleset *rules = list_first_entry(&profile->rules,
···
96
92
if (rules->rlimits.mask & (1 << resource) && new_rlim->rlim_max >
97
93
rules->rlimits.limits[resource].rlim_max)
98
94
e = -EACCES;
99
-
return audit_resource(profile, resource, new_rlim->rlim_max, NULL, NULL,
100
-
e);
95
+
return audit_resource(subj_cred, profile, resource, new_rlim->rlim_max,
96
+
NULL, NULL, e);
101
97
}
102
98
103
99
/**
104
100
* aa_task_setrlimit - test permission to set an rlimit
101
+
* @subj_cred: cred setting the limit
105
102
* @label: label confining the task (NOT NULL)
106
103
* @task: task the resource is being set on
107
104
* @resource: the resource being set
···
112
107
*
113
108
* Returns: 0 or error code if setting resource failed
114
109
*/
115
-
int aa_task_setrlimit(struct aa_label *label, struct task_struct *task,
110
+
int aa_task_setrlimit(const struct cred *subj_cred, struct aa_label *label,
111
+
struct task_struct *task,
116
112
unsigned int resource, struct rlimit *new_rlim)
117
113
{
118
114
struct aa_profile *profile;
···
132
126
*/
133
127
134
128
if (label != peer &&
135
-
aa_capable(label, CAP_SYS_RESOURCE, CAP_OPT_NOAUDIT) != 0)
129
+
aa_capable(subj_cred, label, CAP_SYS_RESOURCE, CAP_OPT_NOAUDIT) != 0)
136
130
error = fn_for_each(label, profile,
137
-
audit_resource(profile, resource,
131
+
audit_resource(subj_cred, profile, resource,
138
132
new_rlim->rlim_max, peer,
139
133
"cap_sys_resource", -EACCES));
140
134
else
141
135
error = fn_for_each_confined(label, profile,
142
-
profile_setrlimit(profile, resource, new_rlim));
136
+
profile_setrlimit(subj_cred, profile, resource,
137
+
new_rlim));
143
138
aa_put_label(peer);
144
139
145
140
return error;
+19
-12
security/apparmor/task.c
+19
-12
security/apparmor/task.c
···
223
223
224
224
/* assumes check for RULE_MEDIATES is already done */
225
225
/* TODO: conditionals */
226
-
static int profile_ptrace_perm(struct aa_profile *profile,
227
-
struct aa_label *peer, u32 request,
228
-
struct apparmor_audit_data *ad)
226
+
static int profile_ptrace_perm(const struct cred *cred,
227
+
struct aa_profile *profile,
228
+
struct aa_label *peer, u32 request,
229
+
struct apparmor_audit_data *ad)
229
230
{
230
231
struct aa_ruleset *rules = list_first_entry(&profile->rules,
231
232
typeof(*rules), list);
232
233
struct aa_perms perms = { };
233
234
235
+
ad->subj_cred = cred;
234
236
ad->peer = peer;
235
237
aa_profile_match_label(profile, rules, peer, AA_CLASS_PTRACE, request,
236
238
&perms);
···
240
238
return aa_check_perms(profile, &perms, request, ad, audit_ptrace_cb);
241
239
}
242
240
243
-
static int profile_tracee_perm(struct aa_profile *tracee,
241
+
static int profile_tracee_perm(const struct cred *cred,
242
+
struct aa_profile *tracee,
244
243
struct aa_label *tracer, u32 request,
245
244
struct apparmor_audit_data *ad)
246
245
{
···
249
246
!ANY_RULE_MEDIATES(&tracee->rules, AA_CLASS_PTRACE))
250
247
return 0;
251
248
252
-
return profile_ptrace_perm(tracee, tracer, request, ad);
249
+
return profile_ptrace_perm(cred, tracee, tracer, request, ad);
253
250
}
254
251
255
-
static int profile_tracer_perm(struct aa_profile *tracer,
252
+
static int profile_tracer_perm(const struct cred *cred,
253
+
struct aa_profile *tracer,
256
254
struct aa_label *tracee, u32 request,
257
255
struct apparmor_audit_data *ad)
258
256
{
···
261
257
return 0;
262
258
263
259
if (ANY_RULE_MEDIATES(&tracer->rules, AA_CLASS_PTRACE))
264
-
return profile_ptrace_perm(tracer, tracee, request, ad);
260
+
return profile_ptrace_perm(cred, tracer, tracee, request, ad);
265
261
266
262
/* profile uses the old style capability check for ptrace */
267
263
if (&tracer->label == tracee)
···
270
266
ad->subj_label = &tracer->label;
271
267
ad->peer = tracee;
272
268
ad->request = 0;
273
-
ad->error = aa_capable(&tracer->label, CAP_SYS_PTRACE,
274
-
CAP_OPT_NONE);
269
+
ad->error = aa_capable(cred, &tracer->label, CAP_SYS_PTRACE,
270
+
CAP_OPT_NONE);
275
271
276
272
return aa_audit(AUDIT_APPARMOR_AUTO, tracer, ad, audit_ptrace_cb);
277
273
}
···
284
280
*
285
281
* Returns: %0 else error code if permission denied or error
286
282
*/
287
-
int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
283
+
int aa_may_ptrace(const struct cred *tracer_cred, struct aa_label *tracer,
284
+
const struct cred *tracee_cred, struct aa_label *tracee,
288
285
u32 request)
289
286
{
290
287
struct aa_profile *profile;
···
293
288
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_PTRACE, OP_PTRACE);
294
289
295
290
return xcheck_labels(tracer, tracee, profile,
296
-
profile_tracer_perm(profile, tracee, request, &sa),
297
-
profile_tracee_perm(profile, tracer, xrequest, &sa));
291
+
profile_tracer_perm(tracer_cred, profile, tracee,
292
+
request, &sa),
293
+
profile_tracee_perm(tracee_cred, profile, tracer,
294
+
xrequest, &sa));
298
295
}