apparmor: fix apparmor mediating locking non-fs unix sockets
the v8 and earlier policy does not encode the locking permission for no-fs unix sockets. However the kernel is enforcing mediation. Add the AA_MAY_LOCK perm to v8 and earlier computed perm mask which will grant permission for all current abi profiles, but still allow specifying auditing of the operation if needed. Link: http://bugs.launchpad.net/bugs/1780227 Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
parent
1b5a6198f5
commit
1cf26c3d2c
|
@ -31,6 +31,7 @@
|
|||
#define K_ABI_MASK 0x3ff
|
||||
#define FORCE_COMPLAIN_FLAG 0x800
|
||||
#define VERSION_LT(X, Y) (((X) & K_ABI_MASK) < ((Y) & K_ABI_MASK))
|
||||
#define VERSION_LE(X, Y) (((X) & K_ABI_MASK) <= ((Y) & K_ABI_MASK))
|
||||
#define VERSION_GT(X, Y) (((X) & K_ABI_MASK) > ((Y) & K_ABI_MASK))
|
||||
|
||||
#define v5 5 /* base version */
|
||||
|
@ -796,7 +797,8 @@ static u32 map_other(u32 x)
|
|||
}
|
||||
|
||||
static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
|
||||
aa_state_t state)
|
||||
aa_state_t state,
|
||||
u32 version)
|
||||
{
|
||||
struct aa_perms perms = { };
|
||||
|
||||
|
@ -809,13 +811,15 @@ static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
|
|||
*/
|
||||
|
||||
perms.allow |= map_other(dfa_other_allow(dfa, state));
|
||||
if (VERSION_LE(version, v8))
|
||||
perms.allow |= AA_MAY_LOCK;
|
||||
perms.audit |= map_other(dfa_other_audit(dfa, state));
|
||||
perms.quiet |= map_other(dfa_other_quiet(dfa, state));
|
||||
|
||||
return perms;
|
||||
}
|
||||
|
||||
static struct aa_perms *compute_perms(struct aa_dfa *dfa)
|
||||
static struct aa_perms *compute_perms(struct aa_dfa *dfa, u32 version)
|
||||
{
|
||||
unsigned int state;
|
||||
unsigned int state_count;
|
||||
|
@ -831,7 +835,7 @@ static struct aa_perms *compute_perms(struct aa_dfa *dfa)
|
|||
|
||||
/* zero init so skip the trap state (state == 0) */
|
||||
for (state = 1; state < state_count; state++)
|
||||
table[state] = compute_perms_entry(dfa, state);
|
||||
table[state] = compute_perms_entry(dfa, state, version);
|
||||
|
||||
return table;
|
||||
}
|
||||
|
@ -1055,7 +1059,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
|
|||
}
|
||||
if (!unpack_nameX(e, AA_STRUCTEND, NULL))
|
||||
goto fail;
|
||||
profile->policy.perms = compute_perms(profile->policy.dfa);
|
||||
profile->policy.perms = compute_perms(profile->policy.dfa,
|
||||
e->version);
|
||||
if (!profile->policy.perms) {
|
||||
info = "failed to remap policydb permission table";
|
||||
goto fail;
|
||||
|
|
Loading…
Reference in New Issue