
apparmor: move ptrace mediation to more logical task.{h,c}

AppArmor split out task-oriented controls to their own logical file
a while ago. Ptrace mediation is better grouped with task than
ipc, so move it.

Signed-off-by: John Johansen <john.johansen@canonical.com>

+133 -128
+1
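--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -36,6 +36,7 @@
 #include "include/policy_ns.h"
 #include "include/resource.h"
 #include "include/policy_unpack.h"
+#include "include/task.h"
 
 /*
  * The apparmor filesystem interface used for policy load and introspection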
-18
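--- a/security/apparmor/include/ipc.h
+++ b/security/apparmor/include/ipc.h
@@ -13,24 +13,6 @@
 
 #include <linux/sched.h>
 
-struct aa_profile;
-
-#define AA_PTRACE_TRACE	MAY_WRITE
-#define AA_PTRACE_READ	MAY_READ
-#define AA_MAY_BE_TRACED AA_MAY_APPEND
-#define AA_MAY_BE_READ	AA_MAY_CREATE
-#define PTRACE_PERM_SHIFT 2
-
-#define AA_PTRACE_PERM_MASK (AA_PTRACE_READ | AA_PTRACE_TRACE | \
-			     AA_MAY_BE_READ | AA_MAY_BE_TRACED)
-#define AA_SIGNAL_PERM_MASK (MAY_READ | MAY_WRITE)
-
-#define AA_SFS_SIG_MASK "hup int quit ill trap abrt bus fpe kill usr1 " \
-	"segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg " \
-	"xcpu xfsz vtalrm prof winch io pwr sys emt lost"
-
-int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
-		  u32 request);
 int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig);
 
 #endif /* __AA_IPC_H */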
+18
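--- a/security/apparmor/include/task.h
+++ b/security/apparmor/include/task.h
@@ -77,4 +77,22 @@
 	ctx->token = 0;
 }
 
+#define AA_PTRACE_TRACE	MAY_WRITE
+#define AA_PTRACE_READ	MAY_READ
+#define AA_MAY_BE_TRACED AA_MAY_APPEND
+#define AA_MAY_BE_READ	AA_MAY_CREATE
+#define PTRACE_PERM_SHIFT 2
+
+#define AA_PTRACE_PERM_MASK (AA_PTRACE_READ | AA_PTRACE_TRACE | \
+			     AA_MAY_BE_READ | AA_MAY_BE_TRACED)
+#define AA_SIGNAL_PERM_MASK (MAY_READ | MAY_WRITE)
+
+#define AA_SFS_SIG_MASK "hup int quit ill trap abrt bus fpe kill usr1 " \
+	"segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg " \
+	"xcpu xfsz vtalrm prof winch io pwr sys emt lost"
+
+int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
+		  u32 request);
+
+
 #endif /* __AA_TASK_H */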
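Review bot: AA_SIGNAL_PERM_MASK and AA_SFS_SIG_MASK (added lines 88 and 90-92) are signal-mediation definitions, yet they move into task.h together with the ptrace macros while aa_may_signal() stays declared in ipc.h and implemented in ipc.c; the commit message describes only the ptrace move, so either keep those two in ipc.h or state the reason in the message. The added block also leaves two blank lines (96-97) before `#endif`, where one is the usual spacing. The relationship between the two groups of perm macros is not documented; a comment above them such as `/* tracer-side checks use the AA_PTRACE_* bits; the tracee side is checked with the same request shifted left by PTRACE_PERM_SHIFT, see aa_may_ptrace() */` would explain the split to a reader of task.c. Since ipc.h loses its `struct aa_profile;` forward declaration and nothing equivalent is added here, it is worth confirming that task.h already has the struct declarations the aa_may_ptrace() prototype relies on in scope.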
-110
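--- a/security/apparmor/ipc.c
+++ b/security/apparmor/ipc.c
@@ -9,7 +9,6 @@
  */
 
 #include <linux/gfp.h>
-#include <linux/ptrace.h>
 
 #include "include/audit.h"
 #include "include/capability.h"
@@ -16,115 +17,6 @@
 #include "include/policy.h"
 #include "include/ipc.h"
 #include "include/sig_names.h"
-
-/**
- * audit_ptrace_mask - convert mask to permission string
- * @mask: permission mask to convert
- *
- * Returns: pointer to static string
- */
-static const char *audit_ptrace_mask(u32 mask)
-{
-	switch (mask) {
-	case MAY_READ:
-		return "read";
-	case MAY_WRITE:
-		return "trace";
-	case AA_MAY_BE_READ:
-		return "readby";
-	case AA_MAY_BE_TRACED:
-		return "tracedby";
-	}
-	return "";
-}
-
-/* call back to audit ptrace fields */
-static void audit_ptrace_cb(struct audit_buffer *ab, void *va)
-{
-	struct common_audit_data *sa = va;
-
-	if (aad(sa)->request & AA_PTRACE_PERM_MASK) {
-		audit_log_format(ab, " requested_mask=\"%s\"",
-				 audit_ptrace_mask(aad(sa)->request));
-
-		if (aad(sa)->denied & AA_PTRACE_PERM_MASK) {
-			audit_log_format(ab, " denied_mask=\"%s\"",
-					 audit_ptrace_mask(aad(sa)->denied));
-		}
-	}
-	audit_log_format(ab, " peer=");
-	aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
-			FLAGS_NONE, GFP_ATOMIC);
-}
-
-/* assumes check for PROFILE_MEDIATES is already done */
-/* TODO: conditionals */
-static int profile_ptrace_perm(struct aa_profile *profile,
-			       struct aa_label *peer, u32 request,
-			       struct common_audit_data *sa)
-{
-	struct aa_perms perms = { };
-
-	aad(sa)->peer = peer;
-	aa_profile_match_label(profile, peer, AA_CLASS_PTRACE, request,
-			       &perms);
-	aa_apply_modes_to_perms(profile, &perms);
-	return aa_check_perms(profile, &perms, request, sa, audit_ptrace_cb);
-}
-
-static int profile_tracee_perm(struct aa_profile *tracee,
-			       struct aa_label *tracer, u32 request,
-			       struct common_audit_data *sa)
-{
-	if (profile_unconfined(tracee) || unconfined(tracer) ||
-	    !PROFILE_MEDIATES(tracee, AA_CLASS_PTRACE))
-		return 0;
-
-	return profile_ptrace_perm(tracee, tracer, request, sa);
-}
-
-static int profile_tracer_perm(struct aa_profile *tracer,
-			       struct aa_label *tracee, u32 request,
-			       struct common_audit_data *sa)
-{
-	if (profile_unconfined(tracer))
-		return 0;
-
-	if (PROFILE_MEDIATES(tracer, AA_CLASS_PTRACE))
-		return profile_ptrace_perm(tracer, tracee, request, sa);
-
-	/* profile uses the old style capability check for ptrace */
-	if (&tracer->label == tracee)
-		return 0;
-
-	aad(sa)->label = &tracer->label;
-	aad(sa)->peer = tracee;
-	aad(sa)->request = 0;
-	aad(sa)->error = aa_capable(&tracer->label, CAP_SYS_PTRACE,
-				    CAP_OPT_NONE);
-
-	return aa_audit(AUDIT_APPARMOR_AUTO, tracer, sa, audit_ptrace_cb);
-}
-
-/**
- * aa_may_ptrace - test if tracer task can trace the tracee
- * @tracer: label of the task doing the tracing (NOT NULL)
- * @tracee: task label to be traced
- * @request: permission request
- *
- * Returns: %0 else error code if permission denied or error
- */
-int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
-		  u32 request)
-{
-	struct aa_profile *profile;
-	u32 xrequest = request << PTRACE_PERM_SHIFT;
-	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_PTRACE);
-
-	return xcheck_labels(tracer, tracee, profile,
-			     profile_tracer_perm(profile, tracee, request, &sa),
-			     profile_tracee_perm(profile, tracer, xrequest, &sa));
-}
 
 
 static inline int map_signal_num(int sig)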
+114
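--- a/security/apparmor/task.c
+++ b/security/apparmor/task.c
@@ -12,7 +12,12 @@
  * should return to the previous cred if it has not been modified.
  */
 
+#include <linux/gfp.h>
+#include <linux/ptrace.h>
+
+#include "include/audit.h"
 #include "include/cred.h"
+#include "include/policy.h"
 #include "include/task.h"
 
 /**
@@ -181,4 +176,113 @@
 	commit_creds(new);
 
 	return 0;
+}
+
+/**
+ * audit_ptrace_mask - convert mask to permission string
+ * @mask: permission mask to convert
+ *
+ * Returns: pointer to static string
+ */
+static const char *audit_ptrace_mask(u32 mask)
+{
+	switch (mask) {
+	case MAY_READ:
+		return "read";
+	case MAY_WRITE:
+		return "trace";
+	case AA_MAY_BE_READ:
+		return "readby";
+	case AA_MAY_BE_TRACED:
+		return "tracedby";
+	}
+	return "";
+}
+
+/* call back to audit ptrace fields */
+static void audit_ptrace_cb(struct audit_buffer *ab, void *va)
+{
+	struct common_audit_data *sa = va;
+
+	if (aad(sa)->request & AA_PTRACE_PERM_MASK) {
+		audit_log_format(ab, " requested_mask=\"%s\"",
+				 audit_ptrace_mask(aad(sa)->request));
+
+		if (aad(sa)->denied & AA_PTRACE_PERM_MASK) {
+			audit_log_format(ab, " denied_mask=\"%s\"",
+					 audit_ptrace_mask(aad(sa)->denied));
+		}
+	}
+	audit_log_format(ab, " peer=");
+	aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
+			FLAGS_NONE, GFP_ATOMIC);
+}
+
+/* assumes check for PROFILE_MEDIATES is already done */
+/* TODO: conditionals */
+static int profile_ptrace_perm(struct aa_profile *profile,
+			       struct aa_label *peer, u32 request,
+			       struct common_audit_data *sa)
+{
+	struct aa_perms perms = { };
+
+	aad(sa)->peer = peer;
+	aa_profile_match_label(profile, peer, AA_CLASS_PTRACE, request,
+			       &perms);
+	aa_apply_modes_to_perms(profile, &perms);
+	return aa_check_perms(profile, &perms, request, sa, audit_ptrace_cb);
+}
+
+static int profile_tracee_perm(struct aa_profile *tracee,
+			       struct aa_label *tracer, u32 request,
+			       struct common_audit_data *sa)
+{
+	if (profile_unconfined(tracee) || unconfined(tracer) ||
+	    !PROFILE_MEDIATES(tracee, AA_CLASS_PTRACE))
+		return 0;
+
+	return profile_ptrace_perm(tracee, tracer, request, sa);
+}
+
+static int profile_tracer_perm(struct aa_profile *tracer,
+			       struct aa_label *tracee, u32 request,
+			       struct common_audit_data *sa)
+{
+	if (profile_unconfined(tracer))
+		return 0;
+
+	if (PROFILE_MEDIATES(tracer, AA_CLASS_PTRACE))
+		return profile_ptrace_perm(tracer, tracee, request, sa);
+
+	/* profile uses the old style capability check for ptrace */
+	if (&tracer->label == tracee)
+		return 0;
+
+	aad(sa)->label = &tracer->label;
+	aad(sa)->peer = tracee;
+	aad(sa)->request = 0;
+	aad(sa)->error = aa_capable(&tracer->label, CAP_SYS_PTRACE,
+				    CAP_OPT_NONE);
+
+	return aa_audit(AUDIT_APPARMOR_AUTO, tracer, sa, audit_ptrace_cb);
+}
+
+/**
+ * aa_may_ptrace - test if tracer task can trace the tracee
+ * @tracer: label of the task doing the tracing (NOT NULL)
+ * @tracee: task label to be traced
+ * @request: permission request
+ *
+ * Returns: %0 else error code if permission denied or error
+ */
+int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
+		  u32 request)
+{
+	struct aa_profile *profile;
+	u32 xrequest = request << PTRACE_PERM_SHIFT;
+	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_PTRACE);
+
+	return xcheck_labels(tracer, tracee, profile,
+			     profile_tracer_perm(profile, tracee, request, &sa),
+			     profile_tracee_perm(profile, tracer, xrequest, &sa));
 }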
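Review bot: profile_tracer_perm() in this hunk calls aa_capable() with CAP_SYS_PTRACE, but the include block added at the top of task.c (gfp.h, ptrace.h, audit.h, policy.h and task.h alongside the existing cred.h) names neither `include/capability.h` nor <linux/capability.h>, whereas ipc.c keeps its `#include "include/capability.h"` after the move; if the declaration now only arrives transitively through policy.h the build depends on that header's include order, so `#include "include/capability.h"` next to `#include "include/audit.h"` would make the dependency explicit. The three static helpers profile_ptrace_perm(), profile_tracee_perm() and profile_tracer_perm() carry no kernel-doc while aa_may_ptrace() does; a comment on profile_tracee_perm() such as `/* @request is the tracer's request shifted by PTRACE_PERM_SHIFT, presumably landing on the AA_MAY_BE_* bits -- verify against the perm values */` would explain why aa_may_ptrace() passes xrequest to one side and request to the other. The function whose tail (`commit_creds(new); return 0;`) opens this hunk begins outside it.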