diff options
author | John Johansen <john.johansen@canonical.com> | 2022-07-16 03:33:43 -0700 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2022-10-03 14:49:03 -0700 |
commit | 90917d5b6866df79d892087ba51b46c983d2fcfe (patch) | |
tree | fe97819dd9858b6fc79a8ee06665082b5df845c4 | |
parent | caa9f579ca7255e9d6c25f072447d895c5928c97 (diff) |
apparmor: extend permissions to support a label and tag string
add indexes for label and tag entries. Rename the domain table to the
str_table as its a shared string table with label and tags.
Signed-off-by: John Johansen <john.johansen@canonical.com>
-rw-r--r-- | security/apparmor/domain.c | 18 | ||||
-rw-r--r-- | security/apparmor/include/domain.h | 6 | ||||
-rw-r--r-- | security/apparmor/include/lib.h | 6 | ||||
-rw-r--r-- | security/apparmor/include/perms.h | 2 | ||||
-rw-r--r-- | security/apparmor/include/policy.h | 6 | ||||
-rw-r--r-- | security/apparmor/lib.c | 19 | ||||
-rw-r--r-- | security/apparmor/policy_unpack.c | 2 |
7 files changed, 32 insertions, 27 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 5883f0fc02d3..4cb046cf3a14 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -30,24 +30,6 @@ #include "include/policy_ns.h" /** - * aa_free_domain_entries - free entries in a domain table - * @domain: the domain table to free (MAYBE NULL) - */ -void aa_free_domain_entries(struct aa_domain *domain) -{ - int i; - if (domain) { - if (!domain->table) - return; - - for (i = 0; i < domain->size; i++) - kfree_sensitive(domain->table[i]); - kfree_sensitive(domain->table); - domain->table = NULL; - } -} - -/** * may_change_ptraced_domain - check if can change profile on ptraced task * @to_label: profile to change to (NOT NULL) * @info: message if there is an error diff --git a/security/apparmor/include/domain.h b/security/apparmor/include/domain.h index d14928fe1c6f..77f9a0ed0f04 100644 --- a/security/apparmor/include/domain.h +++ b/security/apparmor/include/domain.h @@ -16,11 +16,6 @@ #ifndef __AA_DOMAIN_H #define __AA_DOMAIN_H -struct aa_domain { - int size; - char **table; -}; - #define AA_CHANGE_NOFLAGS 0 #define AA_CHANGE_TEST 1 #define AA_CHANGE_CHILD 2 @@ -32,7 +27,6 @@ struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex, int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm); -void aa_free_domain_entries(struct aa_domain *domain); int aa_change_hat(const char *hats[], int count, u64 token, int flags); int aa_change_profile(const char *fqname, int flags); diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h index f176f3ced2a3..f1a29ab7ea1b 100644 --- a/security/apparmor/include/lib.h +++ b/security/apparmor/include/lib.h @@ -99,6 +99,12 @@ static inline bool path_mediated_fs(struct dentry *dentry) return !(dentry->d_sb->s_flags & SB_NOUSER); } +struct aa_str_table { + int size; + char **table; +}; + +void aa_free_str_table(struct aa_str_table *table); struct counted_str { struct kref count; diff --git a/security/apparmor/include/perms.h b/security/apparmor/include/perms.h index 8739cef73549..d66059fcebb4 100644 --- a/security/apparmor/include/perms.h +++ b/security/apparmor/include/perms.h @@ -79,6 +79,8 @@ struct aa_perms { u32 hide; /* set only when ~allow | deny */ u32 xindex; + u32 tag; /* tag string index, if present */ + u32 label; /* label string index, if present */ }; #define ALL_PERMS_MASK 0xffffffff diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h index 3a7d165e8fcc..a28a662a0622 100644 --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h @@ -72,12 +72,14 @@ enum profile_mode { /* struct aa_policydb - match engine for a policy * dfa: dfa pattern match + * perms: table of permissions + * strs: table of strings, index by x * start: set of start states for the different classes of data */ struct aa_policydb { struct aa_dfa *dfa; struct aa_perms *perms; - struct aa_domain trans; + struct aa_str_table trans; aa_state_t start[AA_CLASS_LAST + 1]; }; @@ -86,7 +88,7 @@ static inline void aa_destroy_policydb(struct aa_policydb *policy) aa_put_dfa(policy->dfa); if (policy->perms) kvfree(policy->perms); - aa_free_domain_entries(&policy->trans); + aa_free_str_table(&policy->trans); } diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c index 60deb4dc30c7..69aeb2dbd6d6 100644 --- a/security/apparmor/lib.c +++ b/security/apparmor/lib.c @@ -26,6 +26,25 @@ struct aa_perms allperms = { .allow = ALL_PERMS_MASK, .hide = ALL_PERMS_MASK }; /** + * aa_free_str_table - free entries str table + * @str: the string table to free (MAYBE NULL) + */ +void aa_free_str_table(struct aa_str_table *t) +{ + int i; + + if (t) { + if (!t->table) + return; + + for (i = 0; i < t->size; i++) + kfree_sensitive(t->table[i]); + kfree_sensitive(t->table); + t->table = NULL; + } +} + +/** * aa_split_fqname - split a fqname into a profile and namespace name * @fqname: a full qualified name in namespace profile format (NOT NULL) * @ns_name: pointer to portion of the string containing the ns name (NOT NULL) diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index 63196df2841b..df39ee8f4e03 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -534,7 +534,7 @@ static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile) return true; fail: - aa_free_domain_entries(&profile->file.trans); + aa_free_str_table(&profile->file.trans); e->pos = saved_pos; return false; } |