
apparmor: remove sid from profiles

The sid is not going to be a direct property of a profile anymore, instead
it will be directly related to the label, and the profile will pick up
a label back reference.

For null-profiles replace the use of sid with a per namespace unique
id.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>

+11 -21
+2 -2
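--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -105,6 +105,7 @@
  * @acct: accounting for the namespace
  * @unconfined: special unconfined profile for the namespace
  * @sub_ns: list of namespaces under the current namespace.
+ * @uniq_null: uniq value used for null learning profiles
  *
  * An aa_namespace defines the set profiles that are searched to determine
  * which profile to attach to a task. Profiles can not be shared between
@@ -128,6 +127,7 @@
 	struct aa_ns_acct acct;
 	struct aa_profile *unconfined;
 	struct list_head sub_ns;
+	atomic_t uniq_null;
 };
 
 /* struct aa_policydb - match engine for a policy
@@ -150,7 +148,6 @@
  * @rename: optional profile name that this profile renamed
  * @xmatch: optional extended matching for unconfined executables names
  * @xmatch_len: xmatch prefix len, used to determine xmatch priority
- * @sid: the unique security id number of this profile
  * @audit: the auditing mode of the profile
  * @mode: the enforcement mode of the profile
  * @flags: flags controlling profile behavior
@@ -185,7 +184,6 @@
 
 	struct aa_dfa *xmatch;
 	int xmatch_len;
-	u32 sid;
 	enum audit_mode audit;
 	enum profile_mode mode;
 	u32 flags;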
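Review bot: The new kernel-doc entry `@uniq_null: uniq value used for null learning profiles` describes the field as a value, while policy.c in this same commit uses it as a counter bumped with atomic_inc_return() to build `parent//null-<uniq>` names. Wording such as `@uniq_null: counter giving each null learning profile in the ns a unique name suffix` would match that use. `atomic_t` is a 32-bit counter, so the uniqueness is only guaranteed until it wraps; stating that limit in the doc, or that a wrap is tolerated, would spare the next reader the question.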
+3 -1
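--- a/security/apparmor/include/sid.h
+++ b/security/apparmor/include/sid.h
@@ -16,7 +16,9 @@
 
 #include <linux/types.h>
 
-struct aa_profile;
+/* sid value that will not be allocated */
+#define AA_SID_INVALID 0
+#define AA_SID_ALLOC AA_SID_INVALID
 
 u32 aa_alloc_sid(void);
 void aa_free_sid(u32 sid);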
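Review bot: `AA_SID_ALLOC` is introduced as an alias of `AA_SID_INVALID` without a comment saying what it is for, and the existing comment covers only the invalid value; nothing else in this commit references the new macro. A short comment on the define stating what callers are expected to pass it for — e.g. `/* request that a fresh sid be allocated */`, if that is the intent — would explain why two names share one value. Separately, policy.c and policy_unpack.c drop their include of this header and no remaining caller of aa_alloc_sid()/aa_free_sid() is visible in the diff; if none exists elsewhere, those declarations are now dead code.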
+6 -17
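--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -87,7 +87,6 @@
 #include "include/policy.h"
 #include "include/policy_unpack.h"
 #include "include/resource.h"
-#include "include/sid.h"
 
 
 /* root profile namespace */
@@ -291,7 +292,6 @@
 	if (!ns->unconfined)
 		goto fail_unconfined;
 
-	ns->unconfined->sid = aa_alloc_sid();
 	ns->unconfined->flags = PFLAG_UNCONFINED | PFLAG_IX_ON_NAME_ERROR |
 		PFLAG_IMMUTABLE;
 
@@ -300,6 +302,8 @@
 	 * replaces with refs to parent namespace unconfined
 	 */
 	ns->unconfined->ns = aa_get_namespace(ns);
+
+	atomic_set(&ns->uniq_null, 0);
 
 	return ns;
 
@@ -497,7 +497,6 @@
 	/* released when @new is freed */
 	new->parent = aa_get_profile(old->parent);
 	new->ns = aa_get_namespace(old->ns);
-	new->sid = old->sid;
 	__list_add_profile(&policy->profiles, new);
 	/* inherit children */
 	list_for_each_entry_safe(child, tmp, &old->base.profiles, base.list) {
@@ -664,7 +665,7 @@
  * @hat: true if the null- learning profile is a hat
  *
  * Create a null- complain mode profile used in learning mode. The name of
- * the profile is unique and follows the format of parent//null-sid.
+ * the profile is unique and follows the format of parent//null-<uniq>.
  *
  * null profiles are added to the profile list but the list does not
  * hold a count on them so that they are automatically released when
@@ -676,20 +677,19 @@
 {
 	struct aa_profile *profile = NULL;
 	char *name;
-	u32 sid = aa_alloc_sid();
+	int uniq = atomic_inc_return(&parent->ns->uniq_null);
 
 	/* freed below */
 	name = kmalloc(strlen(parent->base.hname) + 2 + 7 + 8, GFP_KERNEL);
 	if (!name)
 		goto fail;
-	sprintf(name, "%s//null-%x", parent->base.hname, sid);
+	sprintf(name, "%s//null-%x", parent->base.hname, uniq);
 
 	profile = aa_alloc_profile(name);
 	kfree(name);
 	if (!profile)
 		goto fail;
 
-	profile->sid = sid;
 	profile->mode = APPARMOR_COMPLAIN;
 	profile->flags = PFLAG_NULL;
 	if (hat)
@@ -706,7 +708,6 @@
 	return profile;
 
 fail:
-	aa_free_sid(sid);
 	return NULL;
 }
 
@@ -746,7 +749,6 @@
 	aa_free_cap_rules(&profile->caps);
 	aa_free_rlimit_rules(&profile->rlimits);
 
-	aa_free_sid(profile->sid);
 	aa_put_dfa(profile->xmatch);
 	aa_put_dfa(profile->policy.dfa);
 
@@ -968,7 +972,6 @@
 	profile->parent = aa_get_profile((struct aa_profile *) policy);
 	__list_add_profile(&policy->profiles, profile);
 	/* released on free_profile */
-	profile->sid = aa_alloc_sid();
 	profile->ns = aa_get_namespace(ns);
 }
 
@@ -1105,14 +1110,8 @@
 	if (!error) {
 		if (rename_profile)
 			__replace_profile(rename_profile, new_profile);
-		if (old_profile) {
-			/* when there are both rename and old profiles
-			 * inherit old profiles sid
-			 */
-			if (rename_profile)
-				aa_free_sid(new_profile->sid);
+		if (old_profile)
 			__replace_profile(old_profile, new_profile);
-		}
 		if (!(old_profile || rename_profile))
 			__add_new_profile(ns, policy, new_profile);
 	}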
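Review bot: In aa_new_null_profile the new `int uniq` from atomic_inc_return() is printed with `%x`, so the hand-computed kmalloc bound `strlen(parent->base.hname) + 2 + 7 + 8` now rests on int being 32 bits wide (at most 8 hex digits, also once the counter has gone negative) and on a signed value being handed to an unsigned conversion; both are easy to break in a later edit. Replacing the kmalloc/sprintf pair with `name = kasprintf(GFP_KERNEL, "%s//null-%x", parent->base.hname, uniq);` removes the manual size arithmetic, with the existing `if (!name)` check and kfree(name) unchanged. Since `fail:` is now a bare `return NULL;`, the two `goto fail` jumps in the hunk could return directly and the label be dropped, unless code between the hunks still jumps to it. The counter also wraps after 2^32 null profiles in one namespace, at which point the uniqueness the kernel-doc promises no longer holds — presumably acceptable, but worth a one-line comment next to the atomic_inc_return() call.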
-1
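--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -27,7 +27,6 @@
 #include "include/match.h"
 #include "include/policy.h"
 #include "include/policy_unpack.h"
-#include "include/sid.h"
 
 /*
  * The AppArmor interface treats data as a type byte followed by the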