[apparmor] [PATCH 3/3] Fix change_profile to grant access to api
John Johansen
john.johansen at canonical.com
Wed Apr 11 20:53:42 UTC 2012
Currently a change_profile rule does not grant access to the
/proc/<pid>/attr/{current,exec} interfaces that are needed to perform
a change_profile or change_onexec, requiring that an explicit rule allowing
access to the interface be granted.
Make change_profile imply the necessary
/proc/@{PID}/attr/{current,exec} w,
rule, just as the presence of hats does for change_hat.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/parser.h | 2 +-
parser/parser_policy.c | 24 +++++++++++++++++++++++-
parser/parser_yacc.y | 2 +-
3 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/parser/parser.h b/parser/parser.h
index fa2d191..8199f43 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -381,7 +381,7 @@ extern int cache_fd;
extern void add_to_list(struct codomain *codomain);
extern void add_hat_to_policy(struct codomain *policy, struct codomain *hat);
extern void add_entry_to_policy(struct codomain *policy, struct cod_entry *entry);
-extern void post_process_nt_entries(struct codomain *cod);
+extern void post_process_file_entries(struct codomain *cod);
extern void post_process_mnt_entries(struct codomain *cod);
extern int post_process_policy(int debug_only);
extern int process_hat_regex(struct codomain *cod);
diff --git a/parser/parser_policy.c b/parser/parser_policy.c
index b3405e6..dce1b0d 100644
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@@ -172,9 +172,10 @@ void add_entry_to_policy(struct codomain *cod, struct cod_entry *entry)
cod->entries = entry;
}
-void post_process_nt_entries(struct codomain *cod)
+void post_process_file_entries(struct codomain *cod)
{
struct cod_entry *entry;
+ int cp_mode = 0;
list_for_each(cod->entries, entry) {
if (entry->nt_name) {
@@ -193,6 +194,27 @@ void post_process_nt_entries(struct codomain *cod)
entry->namespace = NULL;
entry->nt_name = NULL;
}
+ /* FIXME: currently change_profile also implies onexec */
+ cp_mode |= entry->mode & (AA_CHANGE_PROFILE);
+ }
+
+ /* if there are change_profile rules, this implies that we need
+ * access to /proc/self/attr/current
+ */
+ if (cp_mode & AA_CHANGE_PROFILE) {
+ /* FIXME: should use @{PROC}/@{PID}/attr/{current,exec} */
+ struct cod_entry *new_ent;
+ char *buffer = strdup("/proc/*/attr/{current,exec}");
+ if (!buffer) {
+ PERROR("Memory allocation error\n");
+ exit(1);
+ }
+ new_ent = new_entry(NULL, buffer, AA_MAY_WRITE, NULL);
+ if (!new_ent) {
+ PERROR("Memory allocation error\n");
+ exit(1);
+ }
+ add_entry_to_policy(cod, new_ent);
}
}
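Review bot: The rule string `"/proc/*/attr/{current,exec}"` added in this hunk is wider than the `/proc/@{PID}/attr/{current,exec} w,` the commit message promises: it grants write on the attr interface of every pid, not only the confined task's own, and the FIXME directly above it already acknowledges the gap. At minimum the comment above the `if (cp_mode & AA_CHANGE_PROFILE)` should describe what is actually granted rather than only `/proc/self/attr/current`, e.g. `/* change_profile rules imply write access to /proc/*/attr/{current,exec}; note the wildcard matches every pid, not just self - see FIXME below */`. If variable expansion has already run by the time this post-processing executes (not visible in the hunk), the FIXME should say so, since that is what would block using @{PROC}/@{PID} here. The loop that accumulates `cp_mode` starts in the preceding hunk, so part of post_process_file_entries's body is outside this one.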
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index a79be85..a0c8fc6 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -257,7 +257,7 @@ profile_base: TOK_ID opt_id flags TOK_OPEN rules TOK_CLOSE
if (force_complain)
cod->flags.complain = 1;
- post_process_nt_entries(cod);
+ post_process_file_entries(cod);
post_process_mnt_entries(cod);
PDEBUG("%s: flags='%s%s'\n",
$2,
--
1.7.9.1