authorJohn Johansen <john.johansen@canonical.com>2017-06-09 15:48:20 -0700
committerJohn Johansen <john.johansen@canonical.com>2017-06-10 17:11:43 -0700
commit98c3d182321d489d8bfaa596127020ec3027edb2 (patch)
tree65370e360b436d6f4e478ae46444ae82a6ccf951
parent190a95189eb9e2233ed71a85cd6dd0c8efc9d392 (diff)
apparmor: update aa_audit_file() to use labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
-rw-r--r--security/apparmor/domain.c6
-rw-r--r--security/apparmor/file.c18
-rw-r--r--security/apparmor/include/file.h3
3 files changed, 18 insertions, 9 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index fab8923ae38e..896bca01828e 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -518,6 +518,7 @@ x_clear:
audit:
error = aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name,
new_profile ? new_profile->base.hname : NULL,
+ new_profile ? &new_profile->label : NULL,
cond.uid, info, error);
cleanup:
@@ -694,7 +695,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
audit:
if (!(flags & AA_CHANGE_TEST))
error = aa_audit_file(profile, &perms, OP_CHANGE_HAT,
- AA_MAY_CHANGEHAT, NULL, target,
+ AA_MAY_CHANGEHAT, NULL, target, NULL,
GLOBAL_ROOT_UID, info, error);
out:
@@ -802,7 +803,8 @@ int aa_change_profile(const char *fqname, int flags)
audit:
if (!(flags & AA_CHANGE_TEST))
error = aa_audit_file(profile, &perms, op, request, NULL,
- fqname, GLOBAL_ROOT_UID, info, error);
+ fqname, NULL, GLOBAL_ROOT_UID, info,
+ error);
aa_put_profile(target);
aa_put_label(label);
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index c13e967137a8..a40bc1e276dc 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -75,7 +75,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
from_kuid(&init_user_ns, aad(sa)->fs.ouid));
}
- if (aad(sa)->fs.target) {
+ if (aad(sa)->peer) {
+ audit_log_format(ab, " target=");
+ aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
+ FLAG_VIEW_SUBNS, GFP_ATOMIC);
+ } else if (aad(sa)->fs.target) {
audit_log_format(ab, " target=");
audit_log_untrustedstring(ab, aad(sa)->fs.target);
}
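Review bot: The new `if (aad(sa)->peer)` branch takes precedence over `fs.target`, so when a caller supplies both — as the exec path in the domain.c hunk now does with `new_profile->base.hname` and `&new_profile->label` — the string target is silently dropped from the audit record. If the label name is meant to supersede the hname that is fine, but then the string at that call site is dead and could be NULL, or a short comment here should state the precedence: `/* a peer label supersedes any string target name */`. The branch also relies on `aad(sa)->label` being set before the callback runs, since `labels_ns()` dereferences it; that assignment is outside this hunk, so it is worth confirming it cannot be NULL on the aa_audit_file path. file_audit_cb starts before this hunk.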
@@ -85,11 +89,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
* aa_audit_file - handle the auditing of file operations
* @profile: the profile being enforced (NOT NULL)
* @perms: the permissions computed for the request (NOT NULL)
- * @gfp: allocation flags
* @op: operation being mediated
* @request: permissions requested
* @name: name of object being mediated (MAYBE NULL)
* @target: name of target (MAYBE NULL)
+ * @tlabel: target label (MAY BE NULL)
* @ouid: object uid
* @info: extra information message (MAYBE NULL)
* @error: 0 if operation allowed else failure error code
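Review bot: The added `@tlabel: target label (MAY BE NULL)` line spells the nullability annotation differently from the surrounding `(MAYBE NULL)` on @name, @target and @info; keep the block consistent with `@tlabel: target label (MAYBE NULL)`. The kernel-doc also says nothing about reference ownership: the later hunk stores the pointer in `aad(&sa)->peer` without taking or putting a reference, so the caller presumably must hold one for the duration of the call (the exec call site passes the label of a held new_profile, which fits). A sentence to that effect on the @tlabel line would help future callers, e.g. `@tlabel: target label, caller holds the reference (MAYBE NULL)`.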
@@ -98,7 +102,8 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
*/
int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
const char *op, u32 request, const char *name,
- const char *target, kuid_t ouid, const char *info, int error)
+ const char *target, struct aa_label *tlabel,
+ kuid_t ouid, const char *info, int error)
{
int type = AUDIT_APPARMOR_AUTO;
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_TASK, op);
@@ -107,6 +112,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
aad(&sa)->request = request;
aad(&sa)->name = name;
aad(&sa)->fs.target = target;
+ aad(&sa)->peer = tlabel;
aad(&sa)->fs.ouid = ouid;
aad(&sa)->info = info;
aad(&sa)->error = error;
@@ -139,7 +145,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
aad(&sa)->request &= ~perms->quiet;
if (!aad(&sa)->request)
- return COMPLAIN_MODE(profile) ? 0 : aad(&sa)->error;
+ return aad(&sa)->error;
}
aad(&sa)->denied = aad(&sa)->request & ~perms->allow;
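Review bot: The rewritten `return aad(&sa)->error;` changes behaviour beyond the label plumbing the commit title describes: a denial whose request bits are fully masked by `perms->quiet` previously returned 0 in complain mode and now returns the error, so quiet-denied operations in complain mode are no longer treated as allowed at this early exit. If that is intended, the description should say so, e.g. `Also stop returning 0 for quieted denials in complain mode; the audit path now reports the caller's error unchanged.`; otherwise it belongs in a separate commit. aa_audit_file starts before and ends after this hunk, so whether a later complain-mode check covers this path is not visible here.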
@@ -295,7 +301,7 @@ int aa_path_perm(const char *op, struct aa_profile *profile,
if (request & ~perms.allow)
error = -EACCES;
}
- error = aa_audit_file(profile, &perms, op, request, name, NULL,
+ error = aa_audit_file(profile, &perms, op, request, name, NULL, NULL,
cond->uid, info, error);
put_buffers(buffer);
@@ -425,7 +431,7 @@ done_tests:
audit:
error = aa_audit_file(profile, &lperms, OP_LINK, request,
- lname, tname, cond.uid, info, error);
+ lname, tname, NULL, cond.uid, info, error);
put_buffers(buffer, buffer2);
return error;
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
index 415512771bff..7c6026460272 100644
--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -162,7 +162,8 @@ static inline u16 dfa_map_xindex(u16 mask)
int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
const char *op, u32 request, const char *name,
- const char *target, kuid_t ouid, const char *info, int error);
+ const char *target, struct aa_label *tlabel, kuid_t ouid,
+ const char *info, int error);
/**
* struct aa_file_rules - components used for file rule permissions