[apparmor] [PATCH 3/4] Update permission mapping for changes made to the upstream kernel patch.
John Johansen
john.johansen at canonical.com
Thu Mar 15 16:36:27 UTC 2012
The changes are around how user data is handled.
1. permissions are mapped before data is matched
2. If data is to be mapped, an AA_CONT_MATCH flag is set in the permissions,
which allows data matching to continue.
3. If data auditing is to occur the AA_AUDIT_MNT_DATA flag is set
This allows better control over matching and auditing of data which can
be binary and should not be matched or audited
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/mount.h | 6 +++-
parser/parser_regex.c | 56 ++++++++++++++++++++++++++++++++++++++++++-------
2 files changed, 52 insertions(+), 10 deletions(-)
diff --git a/parser/mount.h b/parser/mount.h
index 8a102ed..16a2dc3 100644
--- a/parser/mount.h
+++ b/parser/mount.h
@@ -103,8 +103,10 @@
#define AA_MAY_PIVOTROOT 1
#define AA_MAY_MOUNT 2
#define AA_MAY_UMOUNT 4
-#define AA_DUMMY_REMOUNT 32 /* dummy perm for remount rule - is remapped
- * to a mount option*/
+#define AA_AUDIT_MNT_DATA 0x40
+#define AA_MATCH_CONT 0x40
+#define AA_DUMMY_REMOUNT 0x40000000 /* dummy perm for remount rule - is
+ * remapped to a mount option*/
struct mnt_entry {
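Review bot: AA_AUDIT_MNT_DATA and AA_MATCH_CONT are both defined as 0x40 with nothing on these lines saying the overlap is intended; in the parser_regex.c hunks the former is only ever OR-ed into the audit argument and the latter only passed as the perm argument of aare_add_rule_vec, which is presumably why sharing the bit is safe, but a reader who ORs both into one mask would silently turn a match-continue bit into an audit bit. A comment next to the two definitions would pin that contract down, e.g. `/* AA_MATCH_CONT (perm word) and AA_AUDIT_MNT_DATA (audit word) deliberately share bit 0x40; they are never combined in one mask */`. The commit message calls the flag AA_CONT_MATCH while the header defines AA_MATCH_CONT; one of them should be corrected so the name can be searched for.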
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 0e6e449..8c34799 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -784,6 +784,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_REMOUNT)
&& !entry->device && !entry->dev_type) {
+ int allow;
/* remount can't be conditional on device and type */
p = mntbuf;
/* rule class single byte header */
@@ -816,11 +817,31 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
vec[3] = flagsbuf;
if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
goto fail;
- vec[4] = optsbuf;
- if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
- entry->audit, 5, vec, dfaflags))
+
+ if (entry->opts)
+ allow = AA_MATCH_CONT;
+ else
+ allow = entry->allow;
+
+ /* rule for match without required data || data MATCH_CONT */
+ if (!aare_add_rule_vec(dfarules, entry->deny, allow,
+ entry->audit | AA_AUDIT_MNT_DATA, 4,
+ vec, dfaflags))
goto fail;
count++;
+
+ if (entry->opts) {
+ /* rule with data match required */
+ if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
+ goto fail;
+ vec[4] = optsbuf;
+ if (!aare_add_rule_vec(dfarules, entry->deny,
+ entry->allow,
+ entry->audit | AA_AUDIT_MNT_DATA,
+ 5, vec, dfaflags))
+ goto fail;
+ count++;
+ }
}
if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_BIND)
&& !entry->dev_type && !entry->opts) {
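Review bot: The context lines `if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))` / `goto fail;` directly above the removed `vec[4] = optsbuf;` are now dead on this path, because the new 4-element rule never reads optsbuf and the `if (entry->opts)` branch rebuilds it before the 5-element rule; the equivalent hunk at `@@ -944,13 +966,31 @@` does drop that first call, so this one should as well. With that call left in, build_mnt_opts still runs on a NULL option list when entry->opts is unset, exactly as before the patch, so I cannot tell from here whether that is harmless. Apart from the leftover call, this block and the one in the -944 hunk are the same twenty-line sequence (4-element rule granting either AA_MATCH_CONT or entry->allow, then the conditional 5-element rule carrying the options), and would be clearer as one static helper called from both the remount and generic-mount paths, so the rule that an options-bearing entry grants only AA_MATCH_CONT until its data has matched is encoded in a single place. process_mnt_entry starts and ends outside this hunk.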
@@ -919,6 +940,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
}
if ((entry->allow & AA_MAY_MOUNT) &&
(entry->flags | entry->inv_flags) & ~MS_CMDS) {
+ int allow;
/* generic mount if flags are set that are not covered by
* above commands
*/
@@ -944,13 +966,31 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
goto fail;
vec[3] = flagsbuf;
- if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
- goto fail;
- vec[4] = optsbuf;
- if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
- entry->audit, 5, vec, dfaflags))
+
+ if (entry->opts)
+ allow = AA_MATCH_CONT;
+ else
+ allow = entry->allow;
+
+ /* rule for match without required data || data MATCH_CONT */
+ if (!aare_add_rule_vec(dfarules, entry->deny, allow,
+ entry->audit | AA_AUDIT_MNT_DATA, 4,
+ vec, dfaflags))
goto fail;
count++;
+
+ if (entry->opts) {
+ /* rule with data match required */
+ if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
+ goto fail;
+ vec[4] = optsbuf;
+ if (!aare_add_rule_vec(dfarules, entry->deny,
+ entry->allow,
+ entry->audit | AA_AUDIT_MNT_DATA,
+ 5, vec, dfaflags))
+ goto fail;
+ count++;
+ }
}
if (entry->allow & AA_MAY_UMOUNT) {
p = mntbuf;
--
1.7.9.1