[apparmor] [PATCH 3/4] Update permission mapping for changes made to the upstream kernel patch.

Steve Beattie steve at nxnw.org
Thu Mar 15 19:43:46 UTC 2012


On Thu, Mar 15, 2012 at 12:36:37PM -0700, Steve Beattie wrote:
> On Thu, Mar 15, 2012 at 09:36:27AM -0700, John Johansen wrote:
> > The changes are around how user data is handled.
> > 
> > 1. permissions are mapped before data is matched
> > 2. If data is to be mapped an AA_CONT_MATCH flag is set in the permissions
> >    which allows data matching to continue.
> > 3. If data auditing is to occur the AA_AUDIT_MNT_DATA flag is set
> > 
> > This allows better control over matching and auditing of data which can
> > be binary and should not be matched or audited
> > 
> > Signed-off-by: John Johansen <john.johansen at canonical.com>
> > ---
> >  parser/mount.h        |    6 +++-
> >  parser/parser_regex.c |   56 ++++++++++++++++++++++++++++++++++++++++++-------
> >  2 files changed, 52 insertions(+), 10 deletions(-)
> > 
> > diff --git a/parser/mount.h b/parser/mount.h
> > index 8a102ed..16a2dc3 100644
> > --- a/parser/mount.h
> > +++ b/parser/mount.h
> > @@ -103,8 +103,10 @@
> >  #define AA_MAY_PIVOTROOT 1
> >  #define AA_MAY_MOUNT 2
> >  #define AA_MAY_UMOUNT 4
> > -#define AA_DUMMY_REMOUNT 32	/* dummy perm for remount rule - is remapped
> > -				 * to a mount option*/
> > +#define AA_AUDIT_MNT_DATA 0x40
> > +#define AA_MATCH_CONT 0x40
> 
> Are these two supposed to have the same value?

I should say, otherwise this patch looks OK.

> > +#define AA_DUMMY_REMOUNT 0x40000000	/* dummy perm for remount rule - is
> > +					 * remapped to a mount option*/
> >  
> >  
> >  struct mnt_entry {
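Review bot: The two new flag macros are added without a comment saying which permission field each one belongs in, while the neighbouring AA_DUMMY_REMOUNT keeps its explanatory comment. The parser_regex.c hunks of this same patch pass AA_MATCH_CONT as the allow argument of aare_add_rule_vec and OR AA_AUDIT_MNT_DATA into its audit argument, so I would record that at the definitions: `#define AA_AUDIT_MNT_DATA 0x40	/* audit field: audit the mount data */` and `#define AA_MATCH_CONT 0x40	/* allow field: continue matching into the mount data */`. The commit message refers to the second flag as AA_CONT_MATCH while the header defines AA_MATCH_CONT; one of the two spellings should be aligned with the other before this lands.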
> > diff --git a/parser/parser_regex.c b/parser/parser_regex.c
> > index 0e6e449..8c34799 100644
> > --- a/parser/parser_regex.c
> > +++ b/parser/parser_regex.c
> > @@ -784,6 +784,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
> >  
> >  	if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_REMOUNT)
> >  	    && !entry->device && !entry->dev_type) {
> > +		int allow;
> >  		/* remount can't be conditional on device and type */
> >  		p = mntbuf;
> >  		/* rule class single byte header */
> > @@ -816,11 +817,31 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
> >  		vec[3] = flagsbuf;
> >  		if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
> >  			goto fail;
> > -		vec[4] = optsbuf;
> > -		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
> > -				       entry->audit, 5, vec, dfaflags))
> > +
> > +		if (entry->opts)
> > +			allow = AA_MATCH_CONT;
> > +		else
> > +			allow = entry->allow;
> > +
> > +		/* rule for match without required data || data MATCH_CONT */
> > +		if (!aare_add_rule_vec(dfarules, entry->deny, allow,
> > +				       entry->audit | AA_AUDIT_MNT_DATA, 4,
> > +				       vec, dfaflags))
> >  			goto fail;
> >  		count++;
> > +
> > +		if (entry->opts) {
> > +			/* rule with data match required */
> > +			if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
> > +				goto fail;
> > +			vec[4] = optsbuf;
> > +			if (!aare_add_rule_vec(dfarules, entry->deny,
> > +					       entry->allow,
> > +					       entry->audit | AA_AUDIT_MNT_DATA,
> > +					       5, vec, dfaflags))
> > +				goto fail;
> > +			count++;
> > +		}
> >  	}
> >  	if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_BIND)
> >  	    && !entry->dev_type && !entry->opts) {
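Review bot: The unconditional `if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts)) goto fail;` that precedes the first aare_add_rule_vec is left in place, yet the rule it now sits in front of is the 4-element one that no longer references optsbuf, and the identical call is repeated inside the new `if (entry->opts)` block just before the 5-element rule. The generic-mount branch later in this patch removes its unconditional call and keeps only the conditional one, so this remount branch should do the same and drop the two lines before the `if (entry->opts) allow = AA_MATCH_CONT;` assignment. As written the options are built twice on every remount rule with data, and if build_mnt_opts can fail for an entry without options the data-less rule is rejected for a buffer it never uses. process_mnt_entry begins and ends outside this hunk.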
> > @@ -919,6 +940,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
> >  	}
> >  	if ((entry->allow & AA_MAY_MOUNT) &&
> >  	    (entry->flags | entry->inv_flags) & ~MS_CMDS) {
> > +		int allow;
> >  		/* generic mount if flags are set that are not covered by
> >  		 * above commands
> >  		 */
> > @@ -944,13 +966,31 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
> >  		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
> >  			goto fail;
> >  		vec[3] = flagsbuf;
> > -		if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
> > -			goto fail;
> > -		vec[4] = optsbuf;
> > -		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
> > -				       entry->audit, 5, vec, dfaflags))
> > +
> > +		if (entry->opts)
> > +			allow = AA_MATCH_CONT;
> > +		else
> > +			allow = entry->allow;
> > +
> > +		/* rule for match without required data || data MATCH_CONT */
> > +		if (!aare_add_rule_vec(dfarules, entry->deny, allow,
> > +				       entry->audit | AA_AUDIT_MNT_DATA, 4,
> > +				       vec, dfaflags))
> >  			goto fail;
> >  		count++;
> > +
> > +		if (entry->opts) {
> > +			/* rule with data match required */
> > +			if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
> > +				goto fail;
> > +			vec[4] = optsbuf;
> > +			if (!aare_add_rule_vec(dfarules, entry->deny,
> > +					       entry->allow,
> > +					       entry->audit | AA_AUDIT_MNT_DATA,
> > +					       5, vec, dfaflags))
> > +				goto fail;
> > +			count++;
> > +		}
> >  	}
> >  	if (entry->allow & AA_MAY_UMOUNT) {
> >  		p = mntbuf;
> > -- 
> > 1.7.9.1
> > 
> > 
> > -- 
> > AppArmor mailing list
> > AppArmor at lists.ubuntu.com
> > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
> 
> -- 
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/



> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor


-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/