summaryrefslogtreecommitdiff
path: root/security/apparmor
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2022-05-07 01:58:36 -0700
committerJohn Johansen <john.johansen@canonical.com>2022-10-03 14:49:03 -0700
commit1cf26c3d2c4c2098e39a9905174d7842b531e693 (patch)
tree1296514bd9a116969e6b2dc2b936de582d430523 /security/apparmor
parent1b5a6198f5a9d0aa5497da0dc4bcd4fc166ee516 (diff)
apparmor: fix apparmor mediating locking non-fs unix sockets
the v8 and earlier policy does not encode the locking permission for no-fs unix sockets. However the kernel is enforcing mediation. Add the AA_MAY_LOCK perm to v8 and earlier computed perm mask which will grant permission for all current abi profiles, but still allow specifying auditing of the operation if needed. Link: http://bugs.launchpad.net/bugs/1780227 Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor')
-rw-r--r--security/apparmor/policy_unpack.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 0203e43460b6..2406c5c4caaf 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -31,6 +31,7 @@
#define K_ABI_MASK 0x3ff
#define FORCE_COMPLAIN_FLAG 0x800
#define VERSION_LT(X, Y) (((X) & K_ABI_MASK) < ((Y) & K_ABI_MASK))
+#define VERSION_LE(X, Y) (((X) & K_ABI_MASK) <= ((Y) & K_ABI_MASK))
#define VERSION_GT(X, Y) (((X) & K_ABI_MASK) > ((Y) & K_ABI_MASK))
#define v5 5 /* base version */
@@ -796,7 +797,8 @@ static u32 map_other(u32 x)
}
static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
- aa_state_t state)
+ aa_state_t state,
+ u32 version)
{
struct aa_perms perms = { };
@@ -809,13 +811,15 @@ static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
*/
perms.allow |= map_other(dfa_other_allow(dfa, state));
+ if (VERSION_LE(version, v8))
+ perms.allow |= AA_MAY_LOCK;
perms.audit |= map_other(dfa_other_audit(dfa, state));
perms.quiet |= map_other(dfa_other_quiet(dfa, state));
return perms;
}
-static struct aa_perms *compute_perms(struct aa_dfa *dfa)
+static struct aa_perms *compute_perms(struct aa_dfa *dfa, u32 version)
{
unsigned int state;
unsigned int state_count;
@@ -831,7 +835,7 @@ static struct aa_perms *compute_perms(struct aa_dfa *dfa)
/* zero init so skip the trap state (state == 0) */
for (state = 1; state < state_count; state++)
- table[state] = compute_perms_entry(dfa, state);
+ table[state] = compute_perms_entry(dfa, state, version);
return table;
}
@@ -1055,7 +1059,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
}
if (!unpack_nameX(e, AA_STRUCTEND, NULL))
goto fail;
- profile->policy.perms = compute_perms(profile->policy.dfa);
+ profile->policy.perms = compute_perms(profile->policy.dfa,
+ e->version);
if (!profile->policy.perms) {
info = "failed to remap policydb permission table";
goto fail;