[apparmor] [PATCH 3/4] Update permission mapping for changes made to the upstream kernel patch.

John Johansen john.johansen at canonical.com
Thu Mar 15 19:51:03 UTC 2012


On 03/15/2012 12:36 PM, Steve Beattie wrote:
> On Thu, Mar 15, 2012 at 09:36:27AM -0700, John Johansen wrote:
>> The changes are around how user data is handled.
>>
>> 1. permissions are mapped before data is matched
>> 2. If data is to be mapped an AA_CONT_MATCH flag is set in the permissions
>>    which allows data matching to continue.
>> 3. If data auditing is to occur the AA_AUDIT_MNT_DATA flag is set
>>
>> This allows better control over matching and auditing of data which can
>> be binary and should not be matched or audited
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>> ---
>>  parser/mount.h        |    6 +++-
>>  parser/parser_regex.c |   56 ++++++++++++++++++++++++++++++++++++++++++-------
>>  2 files changed, 52 insertions(+), 10 deletions(-)
>>
>> diff --git a/parser/mount.h b/parser/mount.h
>> index 8a102ed..16a2dc3 100644
>> --- a/parser/mount.h
>> +++ b/parser/mount.h
>> @@ -103,8 +103,10 @@
>>  #define AA_MAY_PIVOTROOT 1
>>  #define AA_MAY_MOUNT 2
>>  #define AA_MAY_UMOUNT 4
>> -#define AA_DUMMY_REMOUNT 32	/* dummy perm for remount rule - is remapped
>> -				 * to a mount option*/
>> +#define AA_AUDIT_MNT_DATA 0x40
>> +#define AA_MATCH_CONT 0x40
> 
> Are these two supposed to have the same value?
> 
Yes, that was deliberate; I suppose I should have made one reference the other.

>> +#define AA_DUMMY_REMOUNT 0x40000000	/* dummy perm for remount rule - is
>> +					 * remapped to a mount option*/
>>  
>>  
>>  struct mnt_entry {
>> diff --git a/parser/parser_regex.c b/parser/parser_regex.c
>> index 0e6e449..8c34799 100644
>> --- a/parser/parser_regex.c
>> +++ b/parser/parser_regex.c
>> @@ -784,6 +784,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
>>  
>>  	if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_REMOUNT)
>>  	    && !entry->device && !entry->dev_type) {
>> +		int allow;
>>  		/* remount can't be conditional on device and type */
>>  		p = mntbuf;
>>  		/* rule class single byte header */
>> @@ -816,11 +817,31 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
>>  		vec[3] = flagsbuf;
>>  		if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
>>  			goto fail;
>> -		vec[4] = optsbuf;
>> -		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
>> -				       entry->audit, 5, vec, dfaflags))
>> +
>> +		if (entry->opts)
>> +			allow = AA_MATCH_CONT;
>> +		else
>> +			allow = entry->allow;
>> +
>> +		/* rule for match without required data || data MATCH_CONT */
>> +		if (!aare_add_rule_vec(dfarules, entry->deny, allow,
>> +				       entry->audit | AA_AUDIT_MNT_DATA, 4,
>> +				       vec, dfaflags))
>>  			goto fail;
>>  		count++;
>> +
>> +		if (entry->opts) {
>> +			/* rule with data match required */
>> +			if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
>> +				goto fail;
>> +			vec[4] = optsbuf;
>> +			if (!aare_add_rule_vec(dfarules, entry->deny,
>> +					       entry->allow,
>> +					       entry->audit | AA_AUDIT_MNT_DATA,
>> +					       5, vec, dfaflags))
>> +				goto fail;
>> +			count++;
>> +		}
>>  	}
>>  	if ((entry->allow & AA_MAY_MOUNT) && (entry->flags & MS_BIND)
>>  	    && !entry->dev_type && !entry->opts) {
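Review bot: The `build_mnt_opts(optsbuf, PATH_MAX, entry->opts)` call kept as context at the top of this hunk now duplicates the one added inside `if (entry->opts)`, so in the remount branch optsbuf is built twice, and the first build is wasted when opts is NULL. The generic-mount hunk (@@ -944,13 +966,31 @@) removes its original call, so this branch should likewise drop the two lines `if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))` / `goto fail;` that precede the new `if (entry->opts)` block. Separately, `AA_AUDIT_MNT_DATA` is OR-ed into the audit mask of the 4-element (no-data) rule as well; if the commit message's intent is that data auditing applies only when data is matched, this looks unconditional and should either be conditional on entry->opts or documented as deliberate. process_mnt_entry starts and ends outside the hunk.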
>> @@ -919,6 +940,7 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
>>  	}
>>  	if ((entry->allow & AA_MAY_MOUNT) &&
>>  	    (entry->flags | entry->inv_flags) & ~MS_CMDS) {
>> +		int allow;
>>  		/* generic mount if flags are set that are not covered by
>>  		 * above commands
>>  		 */
>> @@ -944,13 +966,31 @@ static int process_mnt_entry(aare_ruleset_t *dfarules, struct mnt_entry *entry)
>>  		if (!build_mnt_flags(flagsbuf, PATH_MAX, flags, inv_flags))
>>  			goto fail;
>>  		vec[3] = flagsbuf;
>> -		if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
>> -			goto fail;
>> -		vec[4] = optsbuf;
>> -		if (!aare_add_rule_vec(dfarules, entry->deny, entry->allow,
>> -				       entry->audit, 5, vec, dfaflags))
>> +
>> +		if (entry->opts)
>> +			allow = AA_MATCH_CONT;
>> +		else
>> +			allow = entry->allow;
>> +
>> +		/* rule for match without required data || data MATCH_CONT */
>> +		if (!aare_add_rule_vec(dfarules, entry->deny, allow,
>> +				       entry->audit | AA_AUDIT_MNT_DATA, 4,
>> +				       vec, dfaflags))
>>  			goto fail;
>>  		count++;
>> +
>> +		if (entry->opts) {
>> +			/* rule with data match required */
>> +			if (!build_mnt_opts(optsbuf, PATH_MAX, entry->opts))
>> +				goto fail;
>> +			vec[4] = optsbuf;
>> +			if (!aare_add_rule_vec(dfarules, entry->deny,
>> +					       entry->allow,
>> +					       entry->audit | AA_AUDIT_MNT_DATA,
>> +					       5, vec, dfaflags))
>> +				goto fail;
>> +			count++;
>> +		}
>>  	}
>>  	if (entry->allow & AA_MAY_UMOUNT) {
>>  		p = mntbuf;
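Review bot: The comment `/* rule for match without required data || data MATCH_CONT */` does not explain why the 4-element rule grants only AA_MATCH_CONT when opts are present; suggest replacing it with `/* no opts: grant entry->allow directly. With opts: this 4-element rule grants only AA_MATCH_CONT so the DFA continues into the data; the real perms come from the 5-element rule below */`. This block is otherwise a verbatim copy of the remount branch (@@ -816,11 +817,31 @@), and keeping the two in step by hand is already fragile: the remount copy differs by retaining an extra build_mnt_opts call before the conditional. process_mnt_entry starts and ends outside the hunk.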
>> -- 
>> 1.7.9.1
>>
>>
> 
> 
> 



