[apparmor] [PATCH 2/4] apparmor: use security_path_chdir hook

John Johansen john.johansen at canonical.com
Tue Nov 5 13:34:59 UTC 2013


Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 security/apparmor/audit.c         |  1 +
 security/apparmor/include/audit.h |  1 +
 security/apparmor/lsm.c           | 13 +++++++++++++
 3 files changed, 15 insertions(+)

diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 89c7865..6ebebd5 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -36,6 +36,7 @@ const char *const op_table[] = {
 	"rename_dest",
 	"chmod",
 	"chown",
+	"chdir",
 	"getattr",
 	"open",
 
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index ba3dfd1..57f5ce8 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -64,6 +64,7 @@ enum aa_ops {
 	OP_RENAME_DEST,
 	OP_CHMOD,
 	OP_CHOWN,
+	OP_CHDIR,
 	OP_GETATTR,
 	OP_OPEN,
 
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 4257b7e..794aa1a 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -364,6 +364,18 @@ static int apparmor_path_chown(struct path *path, kuid_t uid, kgid_t gid)
 	return common_perm(OP_CHOWN, path, AA_MAY_CHOWN, &cond);
 }
 
+static int apparmor_path_chdir(struct path *path)
+{
+	struct path_cond cond =  { path->dentry->d_inode->i_uid,
+				   path->dentry->d_inode->i_mode
+	};
+
+	if (!mediated_filesystem(path->dentry->d_inode))
+		return 0;
+
+	return common_perm(OP_CHDIR, path, MAY_READ, &cond);
+}
+
 static int apparmor_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
 {
 	if (!mediated_filesystem(dentry->d_inode))
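Review bot: `common_perm(OP_CHDIR, path, MAY_READ, &cond)` in the new apparmor_path_chdir maps chdir onto read permission, and neither the code nor the commit message (which carries no description) says why. The VFS itself checks search (exec) access for chdir, so the LSM check asks for a different right than the DAC check; a confined task whose profile does not grant read on a directory would now be denied chdir into it, which may be a behaviour change for existing profiles. I would add a comment above the call, e.g. `/* chdir is mediated as a read of the target directory; DAC search permission is still enforced by the VFS */`, and state the intended permission and its effect on deployed policy in the commit message. It is also worth confirming that the hook introduced earlier in this series is invoked for fchdir as well as chdir, since only the path-based callback is visible here.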
@@ -632,6 +644,7 @@ static struct security_operations apparmor_ops = {
 	.path_rename =			apparmor_path_rename,
 	.path_chmod =			apparmor_path_chmod,
 	.path_chown =			apparmor_path_chown,
+	.path_chdir =			apparmor_path_chdir,
 	.path_truncate =		apparmor_path_truncate,
 	.inode_getattr =                apparmor_inode_getattr,
 
-- 
1.8.3.2



