xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

apparmor: convert aa_change_XXX bool parameters to flags

Browse Source 
Instead of passing multiple booleans consolidate on a single flags
field.

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
2017-06-09 11:36:48 -07:00
parent dca91402e9
commit df8073c67f
5 changed files with 29 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
security/apparmor/domain.c
View File

@@ -563,7 +563,7 @@ static char *new_compound_name(const char *n1, const char *n2)
* @hats: vector of hat names to try changing into (MAYBE NULL if @count == 0) * @hats: vector of hat names to try changing into (MAYBE NULL if @count == 0)
* @count: number of hat names in @hats * @count: number of hat names in @hats
* @token: magic value to validate the hat change * @token: magic value to validate the hat change
* @permtest: true if this is just a permission test * @flags: flags affecting behavior of the change
* *
* Change to the first profile specified in @hats that exists, and store * Change to the first profile specified in @hats that exists, and store
* the @hat_magic in the current task context. If the count == 0 and the * the @hat_magic in the current task context. If the count == 0 and the
@@ -572,7 +572,7 @@ static char *new_compound_name(const char *n1, const char *n2)
* *
* Returns %0 on success, error otherwise. * Returns %0 on success, error otherwise.
*/ */
int aa_change_hat(const char *hats[], int count, u64 token, bool permtest) int aa_change_hat(const char *hats[], int count, u64 token, int flags)
{ {
const struct cred *cred; const struct cred *cred;
struct aa_task_ctx *ctx; struct aa_task_ctx *ctx;
@@ -616,7 +616,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
/* released below */ /* released below */
hat = aa_find_child(root, hats[i]); hat = aa_find_child(root, hats[i]);
if (!hat) { if (!hat) {
if (!COMPLAIN_MODE(root) || permtest) { if (!COMPLAIN_MODE(root) || (flags & AA_CHANGE_TEST)) {
if (list_empty(&root->base.profiles)) if (list_empty(&root->base.profiles))
error = -ECHILD; error = -ECHILD;
else else
@@ -663,7 +663,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
goto audit; goto audit;
} }
if (!permtest) { if (!(flags & AA_CHANGE_TEST)) {
error = aa_set_current_hat(hat, token); error = aa_set_current_hat(hat, token);
if (error == -EACCES) if (error == -EACCES)
/* kill task in case of brute force attacks */ /* kill task in case of brute force attacks */
@@ -684,7 +684,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
goto out; goto out;
audit: audit:
if (!permtest) if (!(flags & AA_CHANGE_TEST))
error = aa_audit_file(profile, &perms, OP_CHANGE_HAT, error = aa_audit_file(profile, &perms, OP_CHANGE_HAT,
AA_MAY_CHANGEHAT, NULL, target, AA_MAY_CHANGEHAT, NULL, target,
GLOBAL_ROOT_UID, info, error); GLOBAL_ROOT_UID, info, error);
@@ -703,7 +703,7 @@ out:
* aa_change_profile - perform a one-way profile transition * aa_change_profile - perform a one-way profile transition
* @fqname: name of profile may include namespace (NOT NULL) * @fqname: name of profile may include namespace (NOT NULL)
* @onexec: whether this transition is to take place immediately or at exec * @onexec: whether this transition is to take place immediately or at exec
* @permtest: true if this is just a permission test * @flags: flags affecting change behavior
* *
* Change to new profile @name. Unlike with hats, there is no way * Change to new profile @name. Unlike with hats, there is no way
* to change back. If @name isn't specified the current profile name is * to change back. If @name isn't specified the current profile name is
@@ -713,8 +713,7 @@ out:
* *
* Returns %0 on success, error otherwise. * Returns %0 on success, error otherwise.
*/ */
int aa_change_profile(const char *fqname, bool onexec, int aa_change_profile(const char *fqname, int flags)
bool permtest, bool stack)
{ {
const struct cred *cred; const struct cred *cred;
struct aa_profile *profile, *target = NULL; struct aa_profile *profile, *target = NULL;
@@ -728,7 +727,7 @@ int aa_change_profile(const char *fqname, bool onexec,
return -EINVAL; return -EINVAL;
} }
if (onexec) { if (flags & AA_CHANGE_ONEXEC) {
request = AA_MAY_ONEXEC; request = AA_MAY_ONEXEC;
op = OP_CHANGE_ONEXEC; op = OP_CHANGE_ONEXEC;
} else { } else {
@@ -755,7 +754,8 @@ int aa_change_profile(const char *fqname, bool onexec,
if (!target) { if (!target) {
info = "profile not found"; info = "profile not found";
error = -ENOENT; error = -ENOENT;
if (permtest || !COMPLAIN_MODE(profile)) if ((flags & AA_CHANGE_TEST) ||
!COMPLAIN_MODE(profile))
goto audit; goto audit;
/* released below */ /* released below */
target = aa_new_null_profile(profile, false, fqname, target = aa_new_null_profile(profile, false, fqname,
@@ -781,16 +781,16 @@ int aa_change_profile(const char *fqname, bool onexec,
goto audit; goto audit;
} }
if (permtest) if (flags & AA_CHANGE_TEST)
goto audit; goto audit;
if (onexec) if (flags & AA_CHANGE_ONEXEC)
error = aa_set_current_onexec(target); error = aa_set_current_onexec(target);
else else
error = aa_replace_current_profile(target); error = aa_replace_current_profile(target);
audit: audit:
if (!permtest) if (!(flags & AA_CHANGE_TEST))
error = aa_audit_file(profile, &perms, op, request, NULL, error = aa_audit_file(profile, &perms, op, request, NULL,
fqname, GLOBAL_ROOT_UID, info, error); fqname, GLOBAL_ROOT_UID, info, error);

10
security/apparmor/include/domain.h
View File

@@ -23,12 +23,16 @@ struct aa_domain {
char **table; char **table;
}; };
#define AA_CHANGE_NOFLAGS 0
#define AA_CHANGE_TEST 1
#define AA_CHANGE_CHILD 2
#define AA_CHANGE_ONEXEC 4
int apparmor_bprm_set_creds(struct linux_binprm *bprm); int apparmor_bprm_set_creds(struct linux_binprm *bprm);
int apparmor_bprm_secureexec(struct linux_binprm *bprm); int apparmor_bprm_secureexec(struct linux_binprm *bprm);
void aa_free_domain_entries(struct aa_domain *domain); void aa_free_domain_entries(struct aa_domain *domain);
int aa_change_hat(const char *hats[], int count, u64 token, bool permtest); int aa_change_hat(const char *hats[], int count, u64 token, int flags);
int aa_change_profile(const char *fqname, bool onexec, bool permtest, int aa_change_profile(const char *fqname, int flags);
bool stack);
#endif /* __AA_DOMAIN_H */ #endif /* __AA_DOMAIN_H */

6
security/apparmor/include/procattr.h
View File

@@ -15,11 +15,7 @@
#ifndef __AA_PROCATTR_H #ifndef __AA_PROCATTR_H
#define __AA_PROCATTR_H #define __AA_PROCATTR_H
#define AA_DO_TEST 1
#define AA_ONEXEC 1
int aa_getprocattr(struct aa_profile *profile, char **string); int aa_getprocattr(struct aa_profile *profile, char **string);
int aa_setprocattr_changehat(char *args, size_t size, int test); int aa_setprocattr_changehat(char *args, size_t size, int flags);
int aa_setprocattr_changeprofile(char *fqname, bool onexec, int test);
#endif /* __AA_PROCATTR_H */ #endif /* __AA_PROCATTR_H */

13
security/apparmor/lsm.c
View File

@@ -554,22 +554,19 @@ static int apparmor_setprocattr(const char *name, void *value,
if (strcmp(name, "current") == 0) { if (strcmp(name, "current") == 0) {
if (strcmp(command, "changehat") == 0) { if (strcmp(command, "changehat") == 0) {
error = aa_setprocattr_changehat(args, arg_size, error = aa_setprocattr_changehat(args, arg_size,
!AA_DO_TEST); AA_CHANGE_NOFLAGS);
} else if (strcmp(command, "permhat") == 0) { } else if (strcmp(command, "permhat") == 0) {
error = aa_setprocattr_changehat(args, arg_size, error = aa_setprocattr_changehat(args, arg_size,
AA_DO_TEST); AA_CHANGE_TEST);
} else if (strcmp(command, "changeprofile") == 0) { } else if (strcmp(command, "changeprofile") == 0) {
error = aa_change_profile(args, !AA_ONEXEC, error = aa_change_profile(args, AA_CHANGE_NOFLAGS);
!AA_DO_TEST, false);
} else if (strcmp(command, "permprofile") == 0) { } else if (strcmp(command, "permprofile") == 0) {
error = aa_change_profile(args, !AA_ONEXEC, AA_DO_TEST, error = aa_change_profile(args, AA_CHANGE_TEST);
false);
} else } else
goto fail; goto fail;
} else if (strcmp(name, "exec") == 0) { } else if (strcmp(name, "exec") == 0) {
if (strcmp(command, "exec") == 0) if (strcmp(command, "exec") == 0)
error = aa_change_profile(args, AA_ONEXEC, !AA_DO_TEST, error = aa_change_profile(args, AA_CHANGE_ONEXEC);
false);
else else
goto fail; goto fail;
} else } else

6
security/apparmor/procattr.c
View File

@@ -109,11 +109,11 @@ static char *split_token_from_name(const char *op, char *args, u64 *token)
* aa_setprocattr_chagnehat - handle procattr interface to change_hat * aa_setprocattr_chagnehat - handle procattr interface to change_hat
* @args: args received from writing to /proc/<pid>/attr/current (NOT NULL) * @args: args received from writing to /proc/<pid>/attr/current (NOT NULL)
* @size: size of the args * @size: size of the args
* @test: true if this is a test of change_hat permissions * @flags: set of flags governing behavior
* *
* Returns: %0 or error code if change_hat fails * Returns: %0 or error code if change_hat fails
*/ */
int aa_setprocattr_changehat(char *args, size_t size, int test) int aa_setprocattr_changehat(char *args, size_t size, int flags)
{ {
char *hat; char *hat;
u64 token; u64 token;
@@ -148,5 +148,5 @@ int aa_setprocattr_changehat(char *args, size_t size, int test)
AA_DEBUG("%s: (pid %d) Magic 0x%llx count %d Hat '%s'\n", AA_DEBUG("%s: (pid %d) Magic 0x%llx count %d Hat '%s'\n",
__func__, current->pid, token, count, "<NULL>"); __func__, current->pid, token, count, "<NULL>");
return aa_change_hat(hats, count, token, test); return aa_change_hat(hats, count, token, flags);
} }