hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

apparmor: allow ns visibility question to consider subnses 

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2017-01-16 00:42:25 -08:00
parent 31617ddfdd
commit 92b6d8eff5
4 changed files with 14 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
security/apparmor/apparmorfs.c
View File

@ -750,7 +750,7 @@ static int seq_show_profile(struct seq_file *f, void *p)
struct aa_ns *root = f->private; struct aa_ns *root = f->private;
if (profile->ns != root) if (profile->ns != root)
seq_printf(f, ":%s://", aa_ns_name(root, profile->ns)); seq_printf(f, ":%s://", aa_ns_name(root, profile->ns, true));
seq_printf(f, "%s (%s)\n", profile->base.hname, seq_printf(f, "%s (%s)\n", profile->base.hname,
aa_profile_mode_names[profile->mode]); aa_profile_mode_names[profile->mode]);

4
security/apparmor/include/policy_ns.h
View File

@ -74,8 +74,8 @@ extern struct aa_ns *root_ns;
extern const char *aa_hidden_ns_name; extern const char *aa_hidden_ns_name;
bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view); bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns);
const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child); const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child, bool subns);
void aa_free_ns(struct aa_ns *ns); void aa_free_ns(struct aa_ns *ns);
int aa_alloc_root_ns(void); int aa_alloc_root_ns(void);
void aa_free_root_ns(void); void aa_free_root_ns(void);

12
security/apparmor/policy_ns.c
View File

@ -33,18 +33,23 @@ const char *aa_hidden_ns_name = "---";
* aa_ns_visible - test if @view is visible from @curr * aa_ns_visible - test if @view is visible from @curr
* @curr: namespace to treat as the parent (NOT NULL) * @curr: namespace to treat as the parent (NOT NULL)
* @view: namespace to test if visible from @curr (NOT NULL) * @view: namespace to test if visible from @curr (NOT NULL)
* @subns: whether view of a subns is allowed
* *
* Returns: true if @view is visible from @curr else false * Returns: true if @view is visible from @curr else false
*/ */
bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view) bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns)
{ {
if (curr == view) if (curr == view)
return true; return true;
if (!subns)
return false;
for ( ; view; view = view->parent) { for ( ; view; view = view->parent) {
if (view->parent == curr) if (view->parent == curr)
return true; return true;
} }
return false; return false;
} }
@ -52,16 +57,17 @@ bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view)
* aa_na_name - Find the ns name to display for @view from @curr * aa_na_name - Find the ns name to display for @view from @curr
* @curr - current namespace (NOT NULL) * @curr - current namespace (NOT NULL)
* @view - namespace attempting to view (NOT NULL) * @view - namespace attempting to view (NOT NULL)
* @subns - are subns visible
* *
* Returns: name of @view visible from @curr * Returns: name of @view visible from @curr
*/ */
const char *aa_ns_name(struct aa_ns *curr, struct aa_ns *view) const char *aa_ns_name(struct aa_ns *curr, struct aa_ns *view, bool subns)
{ {
/* if view == curr then the namespace name isn't displayed */ /* if view == curr then the namespace name isn't displayed */
if (curr == view) if (curr == view)
return ""; return "";
if (aa_ns_visible(curr, view)) { if (aa_ns_visible(curr, view, subns)) {
/* at this point if a ns is visible it is in a view ns /* at this point if a ns is visible it is in a view ns
* thus the curr ns.hname is a prefix of its name. * thus the curr ns.hname is a prefix of its name.
* Only output the virtualized portion of the name * Only output the virtualized portion of the name

4
security/apparmor/procattr.c
View File

@ -44,10 +44,10 @@ int aa_getprocattr(struct aa_profile *profile, char **string)
struct aa_ns *current_ns = __aa_current_profile()->ns; struct aa_ns *current_ns = __aa_current_profile()->ns;
char *s; char *s;
if (!aa_ns_visible(current_ns, ns)) if (!aa_ns_visible(current_ns, ns, true))
return -EACCES; return -EACCES;
ns_name = aa_ns_name(current_ns, ns); ns_name = aa_ns_name(current_ns, ns, true);
ns_len = strlen(ns_name); ns_len = strlen(ns_name);
/* if the visible ns_name is > 0 increase size for : :// seperator */ /* if the visible ns_name is > 0 increase size for : :// seperator */