apparmor: extend policydb permission set by making use of the xbits

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The policydb permission set has left the xbits unused. Make them available
for mediation.

Signed-off-by: John Johansen <john.johansen@canonical.com>

John Johansen 3 years ago f567e7fa c1ed5da1

+25 -5

4 changed files

expand all

security

apparmor

apparmorfs.c

include

file.h

lib.c

mount.c

security/apparmor/apparmorfs.c

··· 2334 2334 AA_SFS_FILE_BOOLEAN("v6", 1), 2335 2335 AA_SFS_FILE_BOOLEAN("v7", 1), 2336 2336 AA_SFS_FILE_BOOLEAN("v8", 1), 2337 + AA_SFS_FILE_BOOLEAN("v9", 1), 2337 2338 { } 2338 2339 }; 2339 2340

security/apparmor/include/file.h

··· 142 142 */ 143 143 #define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \ 144 144 ((ACCEPT_TABLE(dfa)[state]) & 0x80000000)) 145 + #define dfa_user_xbits(dfa, state) (((ACCEPT_TABLE(dfa)[state]) >> 7) & 0x7f) 145 146 #define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f) 146 147 #define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f) 147 148 #define dfa_user_xindex(dfa, state) \ ··· 151 150 #define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \ 152 151 0x7f) | \ 153 152 ((ACCEPT_TABLE(dfa)[state]) & 0x80000000)) 153 + #define dfa_other_xbits(dfa, state) \ 154 + ((((ACCEPT_TABLE(dfa)[state]) >> 7) >> 14) & 0x7f) 154 155 #define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f) 155 156 #define dfa_other_quiet(dfa, state) \ 156 157 ((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f)

+21 -4

security/apparmor/lib.c

··· 322 322 ((x & 0x60) << 19); /* SETOPT/GETOPT */ 323 323 } 324 324 325 + static u32 map_xbits(u32 x) 326 + { 327 + return ((x & 0x1) << 7) | 328 + ((x & 0x7e) << 9); 329 + } 330 + 325 331 void aa_compute_perms(struct aa_dfa *dfa, unsigned int state, 326 332 struct aa_perms *perms) 327 333 { 334 + /* This mapping is convulated due to history. 335 + * v1-v4: only file perms 336 + * v5: added policydb which dropped in perm user conditional to 337 + * gain new perm bits, but had to map around the xbits because 338 + * the userspace compiler was still munging them. 339 + * v9: adds using the xbits in policydb because the compiler now 340 + * supports treating policydb permission bits different. 341 + * Unfortunately there is not way to force auditing on the 342 + * perms represented by the xbits 343 + */ 328 344 *perms = (struct aa_perms) { 329 - .allow = dfa_user_allow(dfa, state), 345 + .allow = dfa_user_allow(dfa, state) | 346 + map_xbits(dfa_user_xbits(dfa, state)), 330 347 .audit = dfa_user_audit(dfa, state), 331 - .quiet = dfa_user_quiet(dfa, state), 348 + .quiet = dfa_user_quiet(dfa, state) | 349 + map_xbits(dfa_other_xbits(dfa, state)), 332 350 }; 333 351 334 - /* for v5 perm mapping in the policydb, the other set is used 352 + /* for v5-v9 perm mapping in the policydb, the other set is used 335 353 * to extend the general perm set 336 354 */ 337 355 perms->allow |= map_other(dfa_other_allow(dfa, state)); 338 356 perms->audit |= map_other(dfa_other_audit(dfa, state)); 339 357 perms->quiet |= map_other(dfa_other_quiet(dfa, state)); 340 - // perms->xindex = dfa_user_xindex(dfa, state); 341 358 } 342 359 343 360 /**

-1

security/apparmor/mount.c

··· 217 217 .allow = dfa_user_allow(dfa, state), 218 218 .audit = dfa_user_audit(dfa, state), 219 219 .quiet = dfa_user_quiet(dfa, state), 220 - .xindex = dfa_user_xindex(dfa, state), 221 220 }; 222 221 223 222 return perms;