Commit 463f2021 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'apparmor-pr-2018-06-13' of... 

Merge tag 'apparmor-pr-2018-06-13' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull AppArmor updates from John Johansen:
 "Features
   - add support for mapping secids and using secctxes
   - add the ability to get a task's secid
   - add support for audit rule filtering

  Cleanups:
   - multiple typo fixes
   - Convert to use match_string() helper
   - update git and wiki locations in AppArmor docs
   - improve get_buffers macro by using get_cpu_ptr
   - Use an IDR to allocate apparmor secids

  Bug fixes:
   - fix '*seclen' is never less than zero
   - fix mediation of prlimit
   - fix memory leak when deduping profile load
   - fix ptrace read check
   - fix memory leak of rule on error exit path"

* tag 'apparmor-pr-2018-06-13' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (21 commits)
  apparmor: fix ptrace read check
  apparmor: fix memory leak when deduping profile load
  apparmor: fix mediation of prlimit
  apparmor: fixup secid map conversion to using IDR
  apparmor: Use an IDR to allocate apparmor secids
  apparmor: Fix memory leak of rule on error exit path
  apparmor: modify audit rule support to support profile stacks
  apparmor: Add support for audit rule filtering
  apparmor: update git and wiki locations in AppArmor docs
  apparmor: Convert to use match_string() helper
  apparmor: improve get_buffers macro by using get_cpu_ptr
  apparmor: fix '*seclen' is never less than zero
  apparmor: fix typo "preconfinement"
  apparmor: fix typo "independent"
  apparmor: fix typo "traverse"
  apparmor: fix typo "type"
  apparmor: fix typo "replace"
  apparmor: fix typo "comparison"
  apparmor: fix typo "loosen"
  apparmor: add the ability to get a task's secid
  ...
parents 050e9baa 338d0be4

Documentation/admin-guide/LSM/apparmor.rst

+3 −3
Original line number Diff line number Diff line
@@ -44,8 +44,8 @@ Links 


Mailing List - apparmor@lists.ubuntu.com



Wiki - http://apparmor.wiki.kernel.org/

Wiki - http://wiki.apparmor.net



User space tools - https://launchpad.net/apparmor

User space tools - https://gitlab.com/apparmor



Kernel module - git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git
 
Kernel module - git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

security/apparmor/audit.c

+89 −1
Original line number Diff line number Diff line
@@ -19,7 +19,7 @@ 
#include "include/audit.h"

#include "include/policy.h"

#include "include/policy_ns.h"



#include "include/secid.h"



const char *const audit_mode_names[] = {

	"normal",
@@ -163,3 +163,91 @@ int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa, 


	return aad(sa)->error;

}



struct aa_audit_rule {

	struct aa_label *label;

};



void aa_audit_rule_free(void *vrule)

{

	struct aa_audit_rule *rule = vrule;



	if (rule) {

		if (!IS_ERR(rule->label))

			aa_put_label(rule->label);

		kfree(rule);

	}

}



int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)

{

	struct aa_audit_rule *rule;



	switch (field) {

	case AUDIT_SUBJ_ROLE:

		if (op != Audit_equal && op != Audit_not_equal)

			return -EINVAL;

		break;

	default:

		return -EINVAL;

	}



	rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL);



	if (!rule)

		return -ENOMEM;



	/* Currently rules are treated as coming from the root ns */

	rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,

				     GFP_KERNEL, true, false);

	if (IS_ERR(rule->label)) {

		aa_audit_rule_free(rule);

		return PTR_ERR(rule->label);

	}



	*vrule = rule;

	return 0;

}



int aa_audit_rule_known(struct audit_krule *rule)

{

	int i;



	for (i = 0; i < rule->field_count; i++) {

		struct audit_field *f = &rule->fields[i];



		switch (f->type) {

		case AUDIT_SUBJ_ROLE:

			return 1;

		}

	}



	return 0;

}



int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,

			struct audit_context *actx)

{

	struct aa_audit_rule *rule = vrule;

	struct aa_label *label;

	int found = 0;



	label = aa_secid_to_label(sid);



	if (!label)

		return -ENOENT;



	if (aa_label_is_subset(label, rule->label))

		found = 1;



	switch (field) {

	case AUDIT_SUBJ_ROLE:

		switch (op) {

		case Audit_equal:

			return found;

		case Audit_not_equal:

			return !found;

		}

	}

	return 0;

}

security/apparmor/domain.c

+1 −1
Original line number Diff line number Diff line
@@ -839,7 +839,7 @@ static struct aa_label *handle_onexec(struct aa_label *label, 
						   cond, unsafe));



	} else {

		/* TODO: determine how much we want to losen this */

		/* TODO: determine how much we want to loosen this */

		error = fn_for_each_in_ns(label, profile,

				profile_onexec(profile, onexec, stack, bprm,

					       buffer, cond, unsafe));

security/apparmor/include/audit.h

+6 −0
Original line number Diff line number Diff line
@@ -189,4 +189,10 @@ static inline int complain_error(int error) 
	return error;

}



void aa_audit_rule_free(void *vrule);

int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);

int aa_audit_rule_known(struct audit_krule *rule);

int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,

			struct audit_context *actx);



#endif /* __AA_AUDIT_H */

security/apparmor/include/label.h

+1 −1
Original line number Diff line number Diff line
@@ -281,7 +281,7 @@ void __aa_labelset_update_subtree(struct aa_ns *ns); 


void aa_label_free(struct aa_label *label);

void aa_label_kref(struct kref *kref);

bool aa_label_init(struct aa_label *label, int size);

bool aa_label_init(struct aa_label *label, int size, gfp_t gfp);

struct aa_label *aa_label_alloc(int size, struct aa_proxy *proxy, gfp_t gfp);



bool aa_label_is_subset(struct aa_label *set, struct aa_label *sub);