mirror of
https://github.com/torvalds/linux
synced 2024-07-21 18:51:47 +00:00
apparmor: combine common_audit_data and apparmor_audit_data
Everywhere where common_audit_data is used apparmor audit_data is also used. We can simplify the code and drop the use of the aad macro everywhere by combining the two structures. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
parent
79ddd4a7c5
commit
bd7bd201ca
|
|
@ -85,37 +85,36 @@ static const char *const aa_class_names[] = {
|
|||
/**
|
||||
* audit_pre() - core AppArmor function.
|
||||
* @ab: audit buffer to fill (NOT NULL)
|
||||
* @ca: audit structure containing data to audit (NOT NULL)
|
||||
* @va: audit structure containing data to audit (NOT NULL)
|
||||
*
|
||||
* Record common AppArmor audit data from @sa
|
||||
* Record common AppArmor audit data from @va
|
||||
*/
|
||||
static void audit_pre(struct audit_buffer *ab, void *ca)
|
||||
static void audit_pre(struct audit_buffer *ab, void *va)
|
||||
{
|
||||
struct common_audit_data *sa = ca;
|
||||
struct apparmor_audit_data *ad = aad_of_va(va);
|
||||
|
||||
if (aa_g_audit_header) {
|
||||
audit_log_format(ab, "apparmor=\"%s\"",
|
||||
aa_audit_type[aad(sa)->type]);
|
||||
aa_audit_type[ad->type]);
|
||||
}
|
||||
|
||||
if (aad(sa)->op) {
|
||||
audit_log_format(ab, " operation=\"%s\"", aad(sa)->op);
|
||||
}
|
||||
if (ad->op)
|
||||
audit_log_format(ab, " operation=\"%s\"", ad->op);
|
||||
|
||||
if (aad(sa)->class)
|
||||
if (ad->class)
|
||||
audit_log_format(ab, " class=\"%s\"",
|
||||
aad(sa)->class <= AA_CLASS_LAST ?
|
||||
aa_class_names[aad(sa)->class] :
|
||||
ad->class <= AA_CLASS_LAST ?
|
||||
aa_class_names[ad->class] :
|
||||
"unknown");
|
||||
|
||||
if (aad(sa)->info) {
|
||||
audit_log_format(ab, " info=\"%s\"", aad(sa)->info);
|
||||
if (aad(sa)->error)
|
||||
audit_log_format(ab, " error=%d", aad(sa)->error);
|
||||
if (ad->info) {
|
||||
audit_log_format(ab, " info=\"%s\"", ad->info);
|
||||
if (ad->error)
|
||||
audit_log_format(ab, " error=%d", ad->error);
|
||||
}
|
||||
|
||||
if (aad(sa)->label) {
|
||||
struct aa_label *label = aad(sa)->label;
|
||||
if (ad->label) {
|
||||
struct aa_label *label = ad->label;
|
||||
|
||||
if (label_isprofile(label)) {
|
||||
struct aa_profile *profile = labels_profile(label);
|
||||
|
|
@ -134,43 +133,44 @@ static void audit_pre(struct audit_buffer *ab, void *ca)
|
|||
}
|
||||
}
|
||||
|
||||
if (aad(sa)->name) {
|
||||
if (ad->name) {
|
||||
audit_log_format(ab, " name=");
|
||||
audit_log_untrustedstring(ab, aad(sa)->name);
|
||||
audit_log_untrustedstring(ab, ad->name);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* aa_audit_msg - Log a message to the audit subsystem
|
||||
* @type: audit type for the message
|
||||
* @sa: audit event structure (NOT NULL)
|
||||
* @ad: audit event structure (NOT NULL)
|
||||
* @cb: optional callback fn for type specific fields (MAYBE NULL)
|
||||
*/
|
||||
void aa_audit_msg(int type, struct common_audit_data *sa,
|
||||
void aa_audit_msg(int type, struct apparmor_audit_data *ad,
|
||||
void (*cb) (struct audit_buffer *, void *))
|
||||
{
|
||||
aad(sa)->type = type;
|
||||
common_lsm_audit(sa, audit_pre, cb);
|
||||
ad->type = type;
|
||||
common_lsm_audit(&ad->common, audit_pre, cb);
|
||||
}
|
||||
|
||||
/**
|
||||
* aa_audit - Log a profile based audit event to the audit subsystem
|
||||
* @type: audit type for the message
|
||||
* @profile: profile to check against (NOT NULL)
|
||||
* @sa: audit event (NOT NULL)
|
||||
* @ad: audit event (NOT NULL)
|
||||
* @cb: optional callback fn for type specific fields (MAYBE NULL)
|
||||
*
|
||||
* Handle default message switching based off of audit mode flags
|
||||
*
|
||||
* Returns: error on failure
|
||||
*/
|
||||
int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
|
||||
int aa_audit(int type, struct aa_profile *profile,
|
||||
struct apparmor_audit_data *ad,
|
||||
void (*cb) (struct audit_buffer *, void *))
|
||||
{
|
||||
AA_BUG(!profile);
|
||||
|
||||
if (type == AUDIT_APPARMOR_AUTO) {
|
||||
if (likely(!aad(sa)->error)) {
|
||||
if (likely(!ad->error)) {
|
||||
if (AUDIT_MODE(profile) != AUDIT_ALL)
|
||||
return 0;
|
||||
type = AUDIT_APPARMOR_AUDIT;
|
||||
|
|
@ -182,24 +182,24 @@ int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
|
|||
if (AUDIT_MODE(profile) == AUDIT_QUIET ||
|
||||
(type == AUDIT_APPARMOR_DENIED &&
|
||||
AUDIT_MODE(profile) == AUDIT_QUIET_DENIED))
|
||||
return aad(sa)->error;
|
||||
return ad->error;
|
||||
|
||||
if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
|
||||
type = AUDIT_APPARMOR_KILL;
|
||||
|
||||
aad(sa)->label = &profile->label;
|
||||
ad->label = &profile->label;
|
||||
|
||||
aa_audit_msg(type, sa, cb);
|
||||
aa_audit_msg(type, ad, cb);
|
||||
|
||||
if (aad(sa)->type == AUDIT_APPARMOR_KILL)
|
||||
if (ad->type == AUDIT_APPARMOR_KILL)
|
||||
(void)send_sig_info(SIGKILL, NULL,
|
||||
sa->type == LSM_AUDIT_DATA_TASK && sa->u.tsk ?
|
||||
sa->u.tsk : current);
|
||||
ad->common.type == LSM_AUDIT_DATA_TASK &&
|
||||
ad->common.u.tsk ? ad->common.u.tsk : current);
|
||||
|
||||
if (aad(sa)->type == AUDIT_APPARMOR_ALLOWED)
|
||||
return complain_error(aad(sa)->error);
|
||||
if (ad->type == AUDIT_APPARMOR_ALLOWED)
|
||||
return complain_error(ad->error);
|
||||
|
||||
return aad(sa)->error;
|
||||
return ad->error;
|
||||
}
|
||||
|
||||
struct aa_audit_rule {
|
||||
|
|
|
|||
|
|
@ -51,7 +51,7 @@ static void audit_cb(struct audit_buffer *ab, void *va)
|
|||
|
||||
/**
|
||||
* audit_caps - audit a capability
|
||||
* @sa: audit data
|
||||
* @as: audit data
|
||||
* @profile: profile being tested for confinement (NOT NULL)
|
||||
* @cap: capability tested
|
||||
* @error: error code returned by test
|
||||
|
|
@ -59,9 +59,9 @@ static void audit_cb(struct audit_buffer *ab, void *va)
|
|||
* Do auditing of capability and handle, audit/complain/kill modes switching
|
||||
* and duplicate message elimination.
|
||||
*
|
||||
* Returns: 0 or sa->error on success, error code on failure
|
||||
* Returns: 0 or ad->error on success, error code on failure
|
||||
*/
|
||||
static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile,
|
||||
static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile,
|
||||
int cap, int error)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
|
|
@ -69,7 +69,7 @@ static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile,
|
|||
struct audit_cache *ent;
|
||||
int type = AUDIT_APPARMOR_AUTO;
|
||||
|
||||
aad(sa)->error = error;
|
||||
ad->error = error;
|
||||
|
||||
if (likely(!error)) {
|
||||
/* test if auditing is being forced */
|
||||
|
|
@ -101,7 +101,7 @@ static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile,
|
|||
}
|
||||
put_cpu_var(audit_cache);
|
||||
|
||||
return aa_audit(type, profile, sa, audit_cb);
|
||||
return aa_audit(type, profile, ad, audit_cb);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -109,12 +109,12 @@ static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile,
|
|||
* @profile: profile being enforced (NOT NULL, NOT unconfined)
|
||||
* @cap: capability to test if allowed
|
||||
* @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated
|
||||
* @sa: audit data (MAY BE NULL indicating no auditing)
|
||||
* @ad: audit data (MAY BE NULL indicating no auditing)
|
||||
*
|
||||
* Returns: 0 if allowed else -EPERM
|
||||
*/
|
||||
static int profile_capable(struct aa_profile *profile, int cap,
|
||||
unsigned int opts, struct common_audit_data *sa)
|
||||
unsigned int opts, struct apparmor_audit_data *ad)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
|
|
@ -132,10 +132,10 @@ static int profile_capable(struct aa_profile *profile, int cap,
|
|||
/* audit the cap request in complain mode but note that it
|
||||
* should be optional.
|
||||
*/
|
||||
aad(sa)->info = "optional: no audit";
|
||||
ad->info = "optional: no audit";
|
||||
}
|
||||
|
||||
return audit_caps(sa, profile, cap, error);
|
||||
return audit_caps(ad, profile, cap, error);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -152,11 +152,11 @@ int aa_capable(struct aa_label *label, int cap, unsigned int opts)
|
|||
{
|
||||
struct aa_profile *profile;
|
||||
int error = 0;
|
||||
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, AA_CLASS_CAP, OP_CAPABLE);
|
||||
DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_CAP, AA_CLASS_CAP, OP_CAPABLE);
|
||||
|
||||
sa.u.cap = cap;
|
||||
ad.common.u.cap = cap;
|
||||
error = fn_for_each_confined(label, profile,
|
||||
profile_capable(profile, cap, opts, &sa));
|
||||
profile_capable(profile, cap, opts, &ad));
|
||||
|
||||
return error;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -44,33 +44,34 @@ static u32 map_mask_to_chr_mask(u32 mask)
|
|||
static void file_audit_cb(struct audit_buffer *ab, void *va)
|
||||
{
|
||||
struct common_audit_data *sa = va;
|
||||
struct apparmor_audit_data *ad = aad(sa);
|
||||
kuid_t fsuid = current_fsuid();
|
||||
char str[10];
|
||||
|
||||
if (aad(sa)->request & AA_AUDIT_FILE_MASK) {
|
||||
if (ad->request & AA_AUDIT_FILE_MASK) {
|
||||
aa_perm_mask_to_str(str, sizeof(str), aa_file_perm_chrs,
|
||||
map_mask_to_chr_mask(aad(sa)->request));
|
||||
map_mask_to_chr_mask(ad->request));
|
||||
audit_log_format(ab, " requested_mask=\"%s\"", str);
|
||||
}
|
||||
if (aad(sa)->denied & AA_AUDIT_FILE_MASK) {
|
||||
if (ad->denied & AA_AUDIT_FILE_MASK) {
|
||||
aa_perm_mask_to_str(str, sizeof(str), aa_file_perm_chrs,
|
||||
map_mask_to_chr_mask(aad(sa)->denied));
|
||||
map_mask_to_chr_mask(ad->denied));
|
||||
audit_log_format(ab, " denied_mask=\"%s\"", str);
|
||||
}
|
||||
if (aad(sa)->request & AA_AUDIT_FILE_MASK) {
|
||||
if (ad->request & AA_AUDIT_FILE_MASK) {
|
||||
audit_log_format(ab, " fsuid=%d",
|
||||
from_kuid(&init_user_ns, fsuid));
|
||||
audit_log_format(ab, " ouid=%d",
|
||||
from_kuid(&init_user_ns, aad(sa)->fs.ouid));
|
||||
from_kuid(&init_user_ns, ad->fs.ouid));
|
||||
}
|
||||
|
||||
if (aad(sa)->peer) {
|
||||
if (ad->peer) {
|
||||
audit_log_format(ab, " target=");
|
||||
aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
|
||||
aa_label_xaudit(ab, labels_ns(ad->label), ad->peer,
|
||||
FLAG_VIEW_SUBNS, GFP_KERNEL);
|
||||
} else if (aad(sa)->fs.target) {
|
||||
} else if (ad->fs.target) {
|
||||
audit_log_format(ab, " target=");
|
||||
audit_log_untrustedstring(ab, aad(sa)->fs.target);
|
||||
audit_log_untrustedstring(ab, ad->fs.target);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -95,50 +96,49 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
|
|||
kuid_t ouid, const char *info, int error)
|
||||
{
|
||||
int type = AUDIT_APPARMOR_AUTO;
|
||||
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_TASK, AA_CLASS_FILE, op);
|
||||
DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_TASK, AA_CLASS_FILE, op);
|
||||
|
||||
sa.u.tsk = NULL;
|
||||
aad(&sa)->request = request;
|
||||
aad(&sa)->name = name;
|
||||
aad(&sa)->fs.target = target;
|
||||
aad(&sa)->peer = tlabel;
|
||||
aad(&sa)->fs.ouid = ouid;
|
||||
aad(&sa)->info = info;
|
||||
aad(&sa)->error = error;
|
||||
sa.u.tsk = NULL;
|
||||
ad.request = request;
|
||||
ad.name = name;
|
||||
ad.fs.target = target;
|
||||
ad.peer = tlabel;
|
||||
ad.fs.ouid = ouid;
|
||||
ad.info = info;
|
||||
ad.error = error;
|
||||
ad.common.u.tsk = NULL;
|
||||
|
||||
if (likely(!aad(&sa)->error)) {
|
||||
if (likely(!ad.error)) {
|
||||
u32 mask = perms->audit;
|
||||
|
||||
if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
|
||||
mask = 0xffff;
|
||||
|
||||
/* mask off perms that are not being force audited */
|
||||
aad(&sa)->request &= mask;
|
||||
ad.request &= mask;
|
||||
|
||||
if (likely(!aad(&sa)->request))
|
||||
if (likely(!ad.request))
|
||||
return 0;
|
||||
type = AUDIT_APPARMOR_AUDIT;
|
||||
} else {
|
||||
/* only report permissions that were denied */
|
||||
aad(&sa)->request = aad(&sa)->request & ~perms->allow;
|
||||
AA_BUG(!aad(&sa)->request);
|
||||
ad.request = ad.request & ~perms->allow;
|
||||
AA_BUG(!ad.request);
|
||||
|
||||
if (aad(&sa)->request & perms->kill)
|
||||
if (ad.request & perms->kill)
|
||||
type = AUDIT_APPARMOR_KILL;
|
||||
|
||||
/* quiet known rejects, assumes quiet and kill do not overlap */
|
||||
if ((aad(&sa)->request & perms->quiet) &&
|
||||
if ((ad.request & perms->quiet) &&
|
||||
AUDIT_MODE(profile) != AUDIT_NOQUIET &&
|
||||
AUDIT_MODE(profile) != AUDIT_ALL)
|
||||
aad(&sa)->request &= ~perms->quiet;
|
||||
ad.request &= ~perms->quiet;
|
||||
|
||||
if (!aad(&sa)->request)
|
||||
return aad(&sa)->error;
|
||||
if (!ad.request)
|
||||
return ad.error;
|
||||
}
|
||||
|
||||
aad(&sa)->denied = aad(&sa)->request & ~perms->allow;
|
||||
return aa_audit(type, profile, &sa, file_audit_cb);
|
||||
ad.denied = ad.request & ~perms->allow;
|
||||
return aa_audit(type, profile, &ad, file_audit_cb);
|
||||
}
|
||||
|
||||
static int path_name(const char *op, struct aa_label *label,
|
||||
|
|
|
|||
|
|
@ -152,33 +152,35 @@ struct apparmor_audit_data {
|
|||
unsigned long flags;
|
||||
} mnt;
|
||||
};
|
||||
|
||||
struct common_audit_data common;
|
||||
};
|
||||
|
||||
/* macros for dealing with apparmor_audit_data structure */
|
||||
#define aad(SA) ((SA)->apparmor_audit_data)
|
||||
#define aad(SA) (container_of(SA, struct apparmor_audit_data, common))
|
||||
#define aad_of_va(VA) aad((struct common_audit_data *)(VA))
|
||||
|
||||
#define DEFINE_AUDIT_DATA(NAME, T, C, X) \
|
||||
/* TODO: cleanup audit init so we don't need _aad = {0,} */ \
|
||||
struct apparmor_audit_data NAME ## _aad = { \
|
||||
struct apparmor_audit_data NAME = { \
|
||||
.class = (C), \
|
||||
.op = (X), \
|
||||
}; \
|
||||
struct common_audit_data NAME = \
|
||||
{ \
|
||||
.type = (T), \
|
||||
.u.tsk = NULL, \
|
||||
}; \
|
||||
NAME.apparmor_audit_data = &(NAME ## _aad)
|
||||
.common.type = (T), \
|
||||
.common.u.tsk = NULL, \
|
||||
.common.apparmor_audit_data = &NAME, \
|
||||
};
|
||||
|
||||
void aa_audit_msg(int type, struct common_audit_data *sa,
|
||||
void aa_audit_msg(int type, struct apparmor_audit_data *ad,
|
||||
void (*cb) (struct audit_buffer *, void *));
|
||||
int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
|
||||
int aa_audit(int type, struct aa_profile *profile,
|
||||
struct apparmor_audit_data *ad,
|
||||
void (*cb) (struct audit_buffer *, void *));
|
||||
|
||||
#define aa_audit_error(ERROR, SA, CB) \
|
||||
#define aa_audit_error(ERROR, AD, CB) \
|
||||
({ \
|
||||
aad((SA))->error = (ERROR); \
|
||||
aa_audit_msg(AUDIT_APPARMOR_ERROR, (SA), (CB)); \
|
||||
aad((SA))->error; \
|
||||
(AD)->error = (ERROR); \
|
||||
aa_audit_msg(AUDIT_APPARMOR_ERROR, (AD), (CB)); \
|
||||
(AD)->error; \
|
||||
})
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -65,9 +65,9 @@ static inline struct aa_sk_ctx *aa_sock(const struct sock *sk)
|
|||
LSM_AUDIT_DATA_NONE, \
|
||||
AA_CLASS_NET, \
|
||||
OP); \
|
||||
NAME.u.net = &(NAME ## _net); \
|
||||
aad(&NAME)->net.type = (T); \
|
||||
aad(&NAME)->net.protocol = (P)
|
||||
NAME.common.u.net = &(NAME ## _net); \
|
||||
NAME.net.type = (T); \
|
||||
NAME.net.protocol = (P)
|
||||
|
||||
#define DEFINE_AUDIT_SK(NAME, OP, SK) \
|
||||
DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type, \
|
||||
|
|
@ -94,16 +94,17 @@ struct aa_secmark {
|
|||
extern struct aa_sfs_entry aa_sfs_entry_network[];
|
||||
|
||||
void audit_net_cb(struct audit_buffer *ab, void *va);
|
||||
int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
|
||||
int aa_profile_af_perm(struct aa_profile *profile,
|
||||
struct apparmor_audit_data *ad,
|
||||
u32 request, u16 family, int type);
|
||||
int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
|
||||
int type, int protocol);
|
||||
static inline int aa_profile_af_sk_perm(struct aa_profile *profile,
|
||||
struct common_audit_data *sa,
|
||||
struct apparmor_audit_data *ad,
|
||||
u32 request,
|
||||
struct sock *sk)
|
||||
{
|
||||
return aa_profile_af_perm(profile, sa, request, sk->sk_family,
|
||||
return aa_profile_af_perm(profile, ad, request, sk->sk_family,
|
||||
sk->sk_type);
|
||||
}
|
||||
int aa_sk_perm(const char *op, u32 request, struct sock *sk);
|
||||
|
|
|
|||
|
|
@ -212,8 +212,8 @@ void aa_profile_match_label(struct aa_profile *profile,
|
|||
int type, u32 request, struct aa_perms *perms);
|
||||
int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target,
|
||||
u32 request, int type, u32 *deny,
|
||||
struct common_audit_data *sa);
|
||||
struct apparmor_audit_data *ad);
|
||||
int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms,
|
||||
u32 request, struct common_audit_data *sa,
|
||||
u32 request, struct apparmor_audit_data *ad,
|
||||
void (*cb)(struct audit_buffer *, void *));
|
||||
#endif /* __AA_PERM_H */
|
||||
|
|
|
|||
|
|
@ -52,31 +52,32 @@ static const char *audit_signal_mask(u32 mask)
|
|||
static void audit_signal_cb(struct audit_buffer *ab, void *va)
|
||||
{
|
||||
struct common_audit_data *sa = va;
|
||||
struct apparmor_audit_data *ad = aad(sa);
|
||||
|
||||
if (aad(sa)->request & AA_SIGNAL_PERM_MASK) {
|
||||
if (ad->request & AA_SIGNAL_PERM_MASK) {
|
||||
audit_log_format(ab, " requested_mask=\"%s\"",
|
||||
audit_signal_mask(aad(sa)->request));
|
||||
if (aad(sa)->denied & AA_SIGNAL_PERM_MASK) {
|
||||
audit_signal_mask(ad->request));
|
||||
if (ad->denied & AA_SIGNAL_PERM_MASK) {
|
||||
audit_log_format(ab, " denied_mask=\"%s\"",
|
||||
audit_signal_mask(aad(sa)->denied));
|
||||
audit_signal_mask(ad->denied));
|
||||
}
|
||||
}
|
||||
if (aad(sa)->signal == SIGUNKNOWN)
|
||||
if (ad->signal == SIGUNKNOWN)
|
||||
audit_log_format(ab, "signal=unknown(%d)",
|
||||
aad(sa)->unmappedsig);
|
||||
else if (aad(sa)->signal < MAXMAPPED_SIGNAME)
|
||||
audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]);
|
||||
ad->unmappedsig);
|
||||
else if (ad->signal < MAXMAPPED_SIGNAME)
|
||||
audit_log_format(ab, " signal=%s", sig_names[ad->signal]);
|
||||
else
|
||||
audit_log_format(ab, " signal=rtmin+%d",
|
||||
aad(sa)->signal - SIGRT_BASE);
|
||||
ad->signal - SIGRT_BASE);
|
||||
audit_log_format(ab, " peer=");
|
||||
aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
|
||||
aa_label_xaudit(ab, labels_ns(ad->label), ad->peer,
|
||||
FLAGS_NONE, GFP_ATOMIC);
|
||||
}
|
||||
|
||||
static int profile_signal_perm(struct aa_profile *profile,
|
||||
struct aa_label *peer, u32 request,
|
||||
struct common_audit_data *sa)
|
||||
struct apparmor_audit_data *ad)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
|
|
@ -87,24 +88,24 @@ static int profile_signal_perm(struct aa_profile *profile,
|
|||
!ANY_RULE_MEDIATES(&profile->rules, AA_CLASS_SIGNAL))
|
||||
return 0;
|
||||
|
||||
aad(sa)->peer = peer;
|
||||
ad->peer = peer;
|
||||
/* TODO: secondary cache check <profile, profile, perm> */
|
||||
state = aa_dfa_next(rules->policy.dfa,
|
||||
rules->policy.start[AA_CLASS_SIGNAL],
|
||||
aad(sa)->signal);
|
||||
ad->signal);
|
||||
aa_label_match(profile, rules, peer, state, false, request, &perms);
|
||||
aa_apply_modes_to_perms(profile, &perms);
|
||||
return aa_check_perms(profile, &perms, request, sa, audit_signal_cb);
|
||||
return aa_check_perms(profile, &perms, request, ad, audit_signal_cb);
|
||||
}
|
||||
|
||||
int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig)
|
||||
{
|
||||
struct aa_profile *profile;
|
||||
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_SIGNAL, OP_SIGNAL);
|
||||
DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_SIGNAL, OP_SIGNAL);
|
||||
|
||||
aad(&sa)->signal = map_signal_num(sig);
|
||||
aad(&sa)->unmappedsig = sig;
|
||||
ad.signal = map_signal_num(sig);
|
||||
ad.unmappedsig = sig;
|
||||
return xcheck_labels(sender, target, profile,
|
||||
profile_signal_perm(profile, target, MAY_WRITE, &sa),
|
||||
profile_signal_perm(profile, sender, MAY_READ, &sa));
|
||||
profile_signal_perm(profile, target, MAY_WRITE, &ad),
|
||||
profile_signal_perm(profile, sender, MAY_READ, &ad));
|
||||
}
|
||||
|
|
|
|||
|
|
@ -144,10 +144,10 @@ const char *aa_splitn_fqname(const char *fqname, size_t n, const char **ns_name,
|
|||
void aa_info_message(const char *str)
|
||||
{
|
||||
if (audit_enabled) {
|
||||
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL);
|
||||
DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL);
|
||||
|
||||
aad(&sa)->info = str;
|
||||
aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, NULL);
|
||||
ad.info = str;
|
||||
aa_audit_msg(AUDIT_APPARMOR_STATUS, &ad, NULL);
|
||||
}
|
||||
printk(KERN_INFO "AppArmor: %s\n", str);
|
||||
}
|
||||
|
|
@ -282,21 +282,22 @@ void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
|
|||
static void aa_audit_perms_cb(struct audit_buffer *ab, void *va)
|
||||
{
|
||||
struct common_audit_data *sa = va;
|
||||
struct apparmor_audit_data *ad = aad(sa);
|
||||
|
||||
if (aad(sa)->request) {
|
||||
if (ad->request) {
|
||||
audit_log_format(ab, " requested_mask=");
|
||||
aa_audit_perm_mask(ab, aad(sa)->request, aa_file_perm_chrs,
|
||||
aa_audit_perm_mask(ab, ad->request, aa_file_perm_chrs,
|
||||
PERMS_CHRS_MASK, aa_file_perm_names,
|
||||
PERMS_NAMES_MASK);
|
||||
}
|
||||
if (aad(sa)->denied) {
|
||||
if (ad->denied) {
|
||||
audit_log_format(ab, "denied_mask=");
|
||||
aa_audit_perm_mask(ab, aad(sa)->denied, aa_file_perm_chrs,
|
||||
aa_audit_perm_mask(ab, ad->denied, aa_file_perm_chrs,
|
||||
PERMS_CHRS_MASK, aa_file_perm_names,
|
||||
PERMS_NAMES_MASK);
|
||||
}
|
||||
audit_log_format(ab, " peer=");
|
||||
aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
|
||||
aa_label_xaudit(ab, labels_ns(ad->label), ad->peer,
|
||||
FLAGS_NONE, GFP_ATOMIC);
|
||||
}
|
||||
|
||||
|
|
@ -350,21 +351,21 @@ void aa_profile_match_label(struct aa_profile *profile,
|
|||
/* currently unused */
|
||||
int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target,
|
||||
u32 request, int type, u32 *deny,
|
||||
struct common_audit_data *sa)
|
||||
struct apparmor_audit_data *ad)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_perms perms;
|
||||
|
||||
aad(sa)->label = &profile->label;
|
||||
aad(sa)->peer = &target->label;
|
||||
aad(sa)->request = request;
|
||||
ad->label = &profile->label;
|
||||
ad->peer = &target->label;
|
||||
ad->request = request;
|
||||
|
||||
aa_profile_match_label(profile, rules, &target->label, type, request,
|
||||
&perms);
|
||||
aa_apply_modes_to_perms(profile, &perms);
|
||||
*deny |= request & perms.deny;
|
||||
return aa_check_perms(profile, &perms, request, sa, aa_audit_perms_cb);
|
||||
return aa_check_perms(profile, &perms, request, ad, aa_audit_perms_cb);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -372,7 +373,7 @@ int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target,
|
|||
* @profile: profile being checked
|
||||
* @perms: perms computed for the request
|
||||
* @request: requested perms
|
||||
* @sa: initialized audit structure (MAY BE NULL if not auditing)
|
||||
* @ad: initialized audit structure (MAY BE NULL if not auditing)
|
||||
* @cb: callback fn for type specific fields (MAY BE NULL)
|
||||
*
|
||||
* Returns: 0 if permission else error code
|
||||
|
|
@ -385,7 +386,7 @@ int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target,
|
|||
* with a positive value.
|
||||
*/
|
||||
int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms,
|
||||
u32 request, struct common_audit_data *sa,
|
||||
u32 request, struct apparmor_audit_data *ad,
|
||||
void (*cb)(struct audit_buffer *, void *))
|
||||
{
|
||||
int type, error;
|
||||
|
|
@ -394,7 +395,7 @@ int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms,
|
|||
if (likely(!denied)) {
|
||||
/* mask off perms that are not being force audited */
|
||||
request &= perms->audit;
|
||||
if (!request || !sa)
|
||||
if (!request || !ad)
|
||||
return 0;
|
||||
|
||||
type = AUDIT_APPARMOR_AUDIT;
|
||||
|
|
@ -413,16 +414,16 @@ int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms,
|
|||
error = -ENOENT;
|
||||
|
||||
denied &= ~perms->quiet;
|
||||
if (!sa || !denied)
|
||||
if (!ad || !denied)
|
||||
return error;
|
||||
}
|
||||
|
||||
if (sa) {
|
||||
aad(sa)->label = &profile->label;
|
||||
aad(sa)->request = request;
|
||||
aad(sa)->denied = denied;
|
||||
aad(sa)->error = error;
|
||||
aa_audit_msg(type, sa, cb);
|
||||
if (ad) {
|
||||
ad->label = &profile->label;
|
||||
ad->request = request;
|
||||
ad->denied = denied;
|
||||
ad->error = error;
|
||||
aa_audit_msg(type, ad, cb);
|
||||
}
|
||||
|
||||
if (type == AUDIT_APPARMOR_ALLOWED)
|
||||
|
|
|
|||
|
|
@ -662,7 +662,7 @@ static int apparmor_setprocattr(const char *name, void *value,
|
|||
char *command, *largs = NULL, *args = value;
|
||||
size_t arg_size;
|
||||
int error;
|
||||
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE,
|
||||
DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE,
|
||||
OP_SETPROCATTR);
|
||||
|
||||
if (size == 0)
|
||||
|
|
@ -722,11 +722,11 @@ static int apparmor_setprocattr(const char *name, void *value,
|
|||
return error;
|
||||
|
||||
fail:
|
||||
aad(&sa)->label = begin_current_label_crit_section();
|
||||
aad(&sa)->info = name;
|
||||
aad(&sa)->error = error = -EINVAL;
|
||||
aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
|
||||
end_current_label_crit_section(aad(&sa)->label);
|
||||
ad.label = begin_current_label_crit_section();
|
||||
ad.info = name;
|
||||
ad.error = error = -EINVAL;
|
||||
aa_audit_msg(AUDIT_APPARMOR_DENIED, &ad, NULL);
|
||||
end_current_label_crit_section(ad.label);
|
||||
goto out;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -86,27 +86,28 @@ static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags)
|
|||
static void audit_cb(struct audit_buffer *ab, void *va)
|
||||
{
|
||||
struct common_audit_data *sa = va;
|
||||
struct apparmor_audit_data *ad = aad(sa);
|
||||
|
||||
if (aad(sa)->mnt.type) {
|
||||
if (ad->mnt.type) {
|
||||
audit_log_format(ab, " fstype=");
|
||||
audit_log_untrustedstring(ab, aad(sa)->mnt.type);
|
||||
audit_log_untrustedstring(ab, ad->mnt.type);
|
||||
}
|
||||
if (aad(sa)->mnt.src_name) {
|
||||
if (ad->mnt.src_name) {
|
||||
audit_log_format(ab, " srcname=");
|
||||
audit_log_untrustedstring(ab, aad(sa)->mnt.src_name);
|
||||
audit_log_untrustedstring(ab, ad->mnt.src_name);
|
||||
}
|
||||
if (aad(sa)->mnt.trans) {
|
||||
if (ad->mnt.trans) {
|
||||
audit_log_format(ab, " trans=");
|
||||
audit_log_untrustedstring(ab, aad(sa)->mnt.trans);
|
||||
audit_log_untrustedstring(ab, ad->mnt.trans);
|
||||
}
|
||||
if (aad(sa)->mnt.flags) {
|
||||
if (ad->mnt.flags) {
|
||||
audit_log_format(ab, " flags=\"");
|
||||
audit_mnt_flags(ab, aad(sa)->mnt.flags);
|
||||
audit_mnt_flags(ab, ad->mnt.flags);
|
||||
audit_log_format(ab, "\"");
|
||||
}
|
||||
if (aad(sa)->mnt.data) {
|
||||
if (ad->mnt.data) {
|
||||
audit_log_format(ab, " options=");
|
||||
audit_log_untrustedstring(ab, aad(sa)->mnt.data);
|
||||
audit_log_untrustedstring(ab, ad->mnt.data);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -134,7 +135,7 @@ static int audit_mount(struct aa_profile *profile, const char *op,
|
|||
struct aa_perms *perms, const char *info, int error)
|
||||
{
|
||||
int audit_type = AUDIT_APPARMOR_AUTO;
|
||||
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op);
|
||||
DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op);
|
||||
|
||||
if (likely(!error)) {
|
||||
u32 mask = perms->audit;
|
||||
|
|
@ -165,17 +166,17 @@ static int audit_mount(struct aa_profile *profile, const char *op,
|
|||
return error;
|
||||
}
|
||||
|
||||
aad(&sa)->name = name;
|
||||
aad(&sa)->mnt.src_name = src_name;
|
||||
aad(&sa)->mnt.type = type;
|
||||
aad(&sa)->mnt.trans = trans;
|
||||
aad(&sa)->mnt.flags = flags;
|
||||
ad.name = name;
|
||||
ad.mnt.src_name = src_name;
|
||||
ad.mnt.type = type;
|
||||
ad.mnt.trans = trans;
|
||||
ad.mnt.flags = flags;
|
||||
if (data && (perms->audit & AA_AUDIT_DATA))
|
||||
aad(&sa)->mnt.data = data;
|
||||
aad(&sa)->info = info;
|
||||
aad(&sa)->error = error;
|
||||
ad.mnt.data = data;
|
||||
ad.info = info;
|
||||
ad.error = error;
|
||||
|
||||
return aa_audit(audit_type, profile, &sa, audit_cb);
|
||||
return aa_audit(audit_type, profile, &ad, audit_cb);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -71,6 +71,7 @@ static const char * const net_mask_names[] = {
|
|||
void audit_net_cb(struct audit_buffer *ab, void *va)
|
||||
{
|
||||
struct common_audit_data *sa = va;
|
||||
struct apparmor_audit_data *ad = aad(sa);
|
||||
|
||||
if (address_family_names[sa->u.net->family])
|
||||
audit_log_format(ab, " family=\"%s\"",
|
||||
|
|
@ -78,35 +79,36 @@ void audit_net_cb(struct audit_buffer *ab, void *va)
|
|||
else
|
||||
audit_log_format(ab, " family=\"unknown(%d)\"",
|
||||
sa->u.net->family);
|
||||
if (sock_type_names[aad(sa)->net.type])
|
||||
if (sock_type_names[ad->net.type])
|
||||
audit_log_format(ab, " sock_type=\"%s\"",
|
||||
sock_type_names[aad(sa)->net.type]);
|
||||
sock_type_names[ad->net.type]);
|
||||
else
|
||||
audit_log_format(ab, " sock_type=\"unknown(%d)\"",
|
||||
aad(sa)->net.type);
|
||||
audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);
|
||||
ad->net.type);
|
||||
audit_log_format(ab, " protocol=%d", ad->net.protocol);
|
||||
|
||||
if (aad(sa)->request & NET_PERMS_MASK) {
|
||||
if (ad->request & NET_PERMS_MASK) {
|
||||
audit_log_format(ab, " requested_mask=");
|
||||
aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0,
|
||||
aa_audit_perm_mask(ab, ad->request, NULL, 0,
|
||||
net_mask_names, NET_PERMS_MASK);
|
||||
|
||||
if (aad(sa)->denied & NET_PERMS_MASK) {
|
||||
if (ad->denied & NET_PERMS_MASK) {
|
||||
audit_log_format(ab, " denied_mask=");
|
||||
aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0,
|
||||
aa_audit_perm_mask(ab, ad->denied, NULL, 0,
|
||||
net_mask_names, NET_PERMS_MASK);
|
||||
}
|
||||
}
|
||||
if (aad(sa)->peer) {
|
||||
if (ad->peer) {
|
||||
audit_log_format(ab, " peer=");
|
||||
aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
|
||||
aa_label_xaudit(ab, labels_ns(ad->label), ad->peer,
|
||||
FLAGS_NONE, GFP_ATOMIC);
|
||||
}
|
||||
}
|
||||
|
||||
/* Generic af perm */
|
||||
int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
|
||||
u32 request, u16 family, int type)
|
||||
int aa_profile_af_perm(struct aa_profile *profile,
|
||||
struct apparmor_audit_data *ad, u32 request, u16 family,
|
||||
int type)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
|
|
@ -130,17 +132,17 @@ int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
|
|||
perms = *aa_lookup_perms(&rules->policy, state);
|
||||
aa_apply_modes_to_perms(profile, &perms);
|
||||
|
||||
return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
|
||||
return aa_check_perms(profile, &perms, request, ad, audit_net_cb);
|
||||
}
|
||||
|
||||
int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
|
||||
int type, int protocol)
|
||||
{
|
||||
struct aa_profile *profile;
|
||||
DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol);
|
||||
DEFINE_AUDIT_NET(ad, op, NULL, family, type, protocol);
|
||||
|
||||
return fn_for_each_confined(label, profile,
|
||||
aa_profile_af_perm(profile, &sa, request, family,
|
||||
aa_profile_af_perm(profile, &ad, request, family,
|
||||
type));
|
||||
}
|
||||
|
||||
|
|
@ -155,10 +157,10 @@ static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request,
|
|||
|
||||
if (ctx->label != kernel_t && !unconfined(label)) {
|
||||
struct aa_profile *profile;
|
||||
DEFINE_AUDIT_SK(sa, op, sk);
|
||||
DEFINE_AUDIT_SK(ad, op, sk);
|
||||
|
||||
error = fn_for_each_confined(label, profile,
|
||||
aa_profile_af_sk_perm(profile, &sa, request, sk));
|
||||
aa_profile_af_sk_perm(profile, &ad, request, sk));
|
||||
}
|
||||
|
||||
return error;
|
||||
|
|
@ -214,7 +216,7 @@ static int apparmor_secmark_init(struct aa_secmark *secmark)
|
|||
}
|
||||
|
||||
static int aa_secmark_perm(struct aa_profile *profile, u32 request, u32 secid,
|
||||
struct common_audit_data *sa)
|
||||
struct apparmor_audit_data *ad)
|
||||
{
|
||||
int i, ret;
|
||||
struct aa_perms perms = { };
|
||||
|
|
@ -245,17 +247,17 @@ static int aa_secmark_perm(struct aa_profile *profile, u32 request, u32 secid,
|
|||
|
||||
aa_apply_modes_to_perms(profile, &perms);
|
||||
|
||||
return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
|
||||
return aa_check_perms(profile, &perms, request, ad, audit_net_cb);
|
||||
}
|
||||
|
||||
int apparmor_secmark_check(struct aa_label *label, char *op, u32 request,
|
||||
u32 secid, const struct sock *sk)
|
||||
{
|
||||
struct aa_profile *profile;
|
||||
DEFINE_AUDIT_SK(sa, op, sk);
|
||||
DEFINE_AUDIT_SK(ad, op, sk);
|
||||
|
||||
return fn_for_each_confined(label, profile,
|
||||
aa_secmark_perm(profile, request, secid,
|
||||
&sa));
|
||||
&ad));
|
||||
}
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -723,10 +723,11 @@ static int replacement_allowed(struct aa_profile *profile, int noreplace,
|
|||
static void audit_cb(struct audit_buffer *ab, void *va)
|
||||
{
|
||||
struct common_audit_data *sa = va;
|
||||
struct apparmor_audit_data *ad = aad(sa);
|
||||
|
||||
if (aad(sa)->iface.ns) {
|
||||
if (ad->iface.ns) {
|
||||
audit_log_format(ab, " ns=");
|
||||
audit_log_untrustedstring(ab, aad(sa)->iface.ns);
|
||||
audit_log_untrustedstring(ab, ad->iface.ns);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -745,15 +746,15 @@ static int audit_policy(struct aa_label *label, const char *op,
|
|||
const char *ns_name, const char *name,
|
||||
const char *info, int error)
|
||||
{
|
||||
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, op);
|
||||
DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, op);
|
||||
|
||||
aad(&sa)->iface.ns = ns_name;
|
||||
aad(&sa)->name = name;
|
||||
aad(&sa)->info = info;
|
||||
aad(&sa)->error = error;
|
||||
aad(&sa)->label = label;
|
||||
ad.iface.ns = ns_name;
|
||||
ad.name = name;
|
||||
ad.info = info;
|
||||
ad.error = error;
|
||||
ad.label = label;
|
||||
|
||||
aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, audit_cb);
|
||||
aa_audit_msg(AUDIT_APPARMOR_STATUS, &ad, audit_cb);
|
||||
|
||||
return error;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -34,17 +34,18 @@
|
|||
static void audit_cb(struct audit_buffer *ab, void *va)
|
||||
{
|
||||
struct common_audit_data *sa = va;
|
||||
struct apparmor_audit_data *ad = aad(sa);
|
||||
|
||||
if (aad(sa)->iface.ns) {
|
||||
if (ad->iface.ns) {
|
||||
audit_log_format(ab, " ns=");
|
||||
audit_log_untrustedstring(ab, aad(sa)->iface.ns);
|
||||
audit_log_untrustedstring(ab, ad->iface.ns);
|
||||
}
|
||||
if (aad(sa)->name) {
|
||||
if (ad->name) {
|
||||
audit_log_format(ab, " name=");
|
||||
audit_log_untrustedstring(ab, aad(sa)->name);
|
||||
audit_log_untrustedstring(ab, ad->name);
|
||||
}
|
||||
if (aad(sa)->iface.pos)
|
||||
audit_log_format(ab, " offset=%ld", aad(sa)->iface.pos);
|
||||
if (ad->iface.pos)
|
||||
audit_log_format(ab, " offset=%ld", ad->iface.pos);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -63,18 +64,18 @@ static int audit_iface(struct aa_profile *new, const char *ns_name,
|
|||
int error)
|
||||
{
|
||||
struct aa_profile *profile = labels_profile(aa_current_raw_label());
|
||||
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL);
|
||||
DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL);
|
||||
if (e)
|
||||
aad(&sa)->iface.pos = e->pos - e->start;
|
||||
aad(&sa)->iface.ns = ns_name;
|
||||
ad.iface.pos = e->pos - e->start;
|
||||
ad.iface.ns = ns_name;
|
||||
if (new)
|
||||
aad(&sa)->name = new->base.hname;
|
||||
ad.name = new->base.hname;
|
||||
else
|
||||
aad(&sa)->name = name;
|
||||
aad(&sa)->info = info;
|
||||
aad(&sa)->error = error;
|
||||
ad.name = name;
|
||||
ad.info = info;
|
||||
ad.error = error;
|
||||
|
||||
return aa_audit(AUDIT_APPARMOR_STATUS, profile, &sa, audit_cb);
|
||||
return aa_audit(AUDIT_APPARMOR_STATUS, profile, &ad, audit_cb);
|
||||
}
|
||||
|
||||
void __aa_loaddata_update(struct aa_loaddata *data, long revision)
|
||||
|
|
|
|||
|
|
@ -30,12 +30,13 @@ struct aa_sfs_entry aa_sfs_entry_rlimit[] = {
|
|||
static void audit_cb(struct audit_buffer *ab, void *va)
|
||||
{
|
||||
struct common_audit_data *sa = va;
|
||||
struct apparmor_audit_data *ad = aad(sa);
|
||||
|
||||
audit_log_format(ab, " rlimit=%s value=%lu",
|
||||
rlim_names[aad(sa)->rlim.rlim], aad(sa)->rlim.max);
|
||||
if (aad(sa)->peer) {
|
||||
rlim_names[ad->rlim.rlim], ad->rlim.max);
|
||||
if (ad->peer) {
|
||||
audit_log_format(ab, " peer=");
|
||||
aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
|
||||
aa_label_xaudit(ab, labels_ns(ad->label), ad->peer,
|
||||
FLAGS_NONE, GFP_ATOMIC);
|
||||
}
|
||||
}
|
||||
|
|
@ -49,22 +50,22 @@ static void audit_cb(struct audit_buffer *ab, void *va)
|
|||
* @info: info being auditing
|
||||
* @error: error value
|
||||
*
|
||||
* Returns: 0 or sa->error else other error code on failure
|
||||
* Returns: 0 or ad->error else other error code on failure
|
||||
*/
|
||||
static int audit_resource(struct aa_profile *profile, unsigned int resource,
|
||||
unsigned long value, struct aa_label *peer,
|
||||
const char *info, int error)
|
||||
{
|
||||
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_RLIMITS,
|
||||
DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_RLIMITS,
|
||||
OP_SETRLIMIT);
|
||||
|
||||
aad(&sa)->rlim.rlim = resource;
|
||||
aad(&sa)->rlim.max = value;
|
||||
aad(&sa)->peer = peer;
|
||||
aad(&sa)->info = info;
|
||||
aad(&sa)->error = error;
|
||||
ad.rlim.rlim = resource;
|
||||
ad.rlim.max = value;
|
||||
ad.peer = peer;
|
||||
ad.info = info;
|
||||
ad.error = error;
|
||||
|
||||
return aa_audit(AUDIT_APPARMOR_AUTO, profile, &sa, audit_cb);
|
||||
return aa_audit(AUDIT_APPARMOR_AUTO, profile, &ad, audit_cb);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -205,18 +205,19 @@ static const char *audit_ptrace_mask(u32 mask)
|
|||
static void audit_ptrace_cb(struct audit_buffer *ab, void *va)
|
||||
{
|
||||
struct common_audit_data *sa = va;
|
||||
struct apparmor_audit_data *ad = aad(sa);
|
||||
|
||||
if (aad(sa)->request & AA_PTRACE_PERM_MASK) {
|
||||
if (ad->request & AA_PTRACE_PERM_MASK) {
|
||||
audit_log_format(ab, " requested_mask=\"%s\"",
|
||||
audit_ptrace_mask(aad(sa)->request));
|
||||
audit_ptrace_mask(ad->request));
|
||||
|
||||
if (aad(sa)->denied & AA_PTRACE_PERM_MASK) {
|
||||
if (ad->denied & AA_PTRACE_PERM_MASK) {
|
||||
audit_log_format(ab, " denied_mask=\"%s\"",
|
||||
audit_ptrace_mask(aad(sa)->denied));
|
||||
audit_ptrace_mask(ad->denied));
|
||||
}
|
||||
}
|
||||
audit_log_format(ab, " peer=");
|
||||
aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
|
||||
aa_label_xaudit(ab, labels_ns(ad->label), ad->peer,
|
||||
FLAGS_NONE, GFP_ATOMIC);
|
||||
}
|
||||
|
||||
|
|
@ -224,51 +225,51 @@ static void audit_ptrace_cb(struct audit_buffer *ab, void *va)
|
|||
/* TODO: conditionals */
|
||||
static int profile_ptrace_perm(struct aa_profile *profile,
|
||||
struct aa_label *peer, u32 request,
|
||||
struct common_audit_data *sa)
|
||||
struct apparmor_audit_data *ad)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_perms perms = { };
|
||||
|
||||
aad(sa)->peer = peer;
|
||||
ad->peer = peer;
|
||||
aa_profile_match_label(profile, rules, peer, AA_CLASS_PTRACE, request,
|
||||
&perms);
|
||||
aa_apply_modes_to_perms(profile, &perms);
|
||||
return aa_check_perms(profile, &perms, request, sa, audit_ptrace_cb);
|
||||
return aa_check_perms(profile, &perms, request, ad, audit_ptrace_cb);
|
||||
}
|
||||
|
||||
static int profile_tracee_perm(struct aa_profile *tracee,
|
||||
struct aa_label *tracer, u32 request,
|
||||
struct common_audit_data *sa)
|
||||
struct apparmor_audit_data *ad)
|
||||
{
|
||||
if (profile_unconfined(tracee) || unconfined(tracer) ||
|
||||
!ANY_RULE_MEDIATES(&tracee->rules, AA_CLASS_PTRACE))
|
||||
return 0;
|
||||
|
||||
return profile_ptrace_perm(tracee, tracer, request, sa);
|
||||
return profile_ptrace_perm(tracee, tracer, request, ad);
|
||||
}
|
||||
|
||||
static int profile_tracer_perm(struct aa_profile *tracer,
|
||||
struct aa_label *tracee, u32 request,
|
||||
struct common_audit_data *sa)
|
||||
struct apparmor_audit_data *ad)
|
||||
{
|
||||
if (profile_unconfined(tracer))
|
||||
return 0;
|
||||
|
||||
if (ANY_RULE_MEDIATES(&tracer->rules, AA_CLASS_PTRACE))
|
||||
return profile_ptrace_perm(tracer, tracee, request, sa);
|
||||
return profile_ptrace_perm(tracer, tracee, request, ad);
|
||||
|
||||
/* profile uses the old style capability check for ptrace */
|
||||
if (&tracer->label == tracee)
|
||||
return 0;
|
||||
|
||||
aad(sa)->label = &tracer->label;
|
||||
aad(sa)->peer = tracee;
|
||||
aad(sa)->request = 0;
|
||||
aad(sa)->error = aa_capable(&tracer->label, CAP_SYS_PTRACE,
|
||||
ad->label = &tracer->label;
|
||||
ad->peer = tracee;
|
||||
ad->request = 0;
|
||||
ad->error = aa_capable(&tracer->label, CAP_SYS_PTRACE,
|
||||
CAP_OPT_NONE);
|
||||
|
||||
return aa_audit(AUDIT_APPARMOR_AUTO, tracer, sa, audit_ptrace_cb);
|
||||
return aa_audit(AUDIT_APPARMOR_AUTO, tracer, ad, audit_ptrace_cb);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
Loading…
Reference in a new issue