tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

apparmor: extend policydb permission set by making use of the xbits

The policydb permission set has left the xbits unused. Make them
available for mediation.

Note: that this does not bring full auditing control of the
permissions as there are not enough bits. The quieting of denials is
provided as that is used more than forced auditing of allowed
permissions.

Signed-off-by: John Johansen <john.johansen@canonical.com>

John Johansen 3c076531 1cf26c3d

+27 -4
+27 -4
security/apparmor/policy_unpack.c
··· 38 38 #define v6 6 /* per entry policydb mediation check */ 39 39 #define v7 7 40 40 #define v8 8 /* full network masking */ 41 + #define v9 9 /* xbits are used as permission bits in policydb */ 41 42 42 43 /* 43 44 * The AppArmor interface treats data as a type byte followed by the ··· 797 796 ((x & 0x60) << 19); /* SETOPT/GETOPT */ 798 797 } 799 798 799 + static u32 map_xbits(u32 x) 800 + { 801 + return ((x & 0x1) << 7) | 802 + ((x & 0x7e) << 9); 803 + } 804 + 800 805 static struct aa_perms compute_perms_entry(struct aa_dfa *dfa, 801 806 aa_state_t state, 802 807 u32 version) ··· 813 806 perms.audit = dfa_user_audit(dfa, state); 814 807 perms.quiet = dfa_user_quiet(dfa, state); 815 808 816 - /* for v5 perm mapping in the policydb, the other set is used 817 - * to extend the general perm set 809 + /* 810 + * This mapping is convulated due to history. 811 + * v1-v4: only file perms, which are handled by compute_fperms 812 + * v5: added policydb which dropped user conditional to gain new 813 + * perm bits, but had to map around the xbits because the 814 + * userspace compiler was still munging them. 815 + * v9: adds using the xbits in policydb because the compiler now 816 + * supports treating policydb permission bits different. 817 + * Unfortunately there is no way to force auditing on the 818 + * perms represented by the xbits 818 819 */ 819 - 820 820 perms.allow |= map_other(dfa_other_allow(dfa, state)); 821 821 if (VERSION_LE(version, v8)) 822 822 perms.allow |= AA_MAY_LOCK; 823 + else 824 + perms.allow |= map_xbits(dfa_user_xbits(dfa, state)); 825 + 826 + /* 827 + * for v5-v9 perm mapping in the policydb, the other set is used 828 + * to extend the general perm set 829 + */ 823 830 perms.audit |= map_other(dfa_other_audit(dfa, state)); 824 831 perms.quiet |= map_other(dfa_other_quiet(dfa, state)); 832 + if (VERSION_GT(version, v8)) 833 + perms.quiet |= map_xbits(dfa_other_xbits(dfa, state)); 825 834 826 835 return perms; 827 836 } ··· 1211 1188 * if not specified use previous version 1212 1189 * Mask off everything that is not kernel abi version 1213 1190 */ 1214 - if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v8)) { 1191 + if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v9)) { 1215 1192 audit_iface(NULL, NULL, NULL, "unsupported interface version", 1216 1193 e, error); 1217 1194 return error;