apparmor: userns: Add support for execpath in userns

This new field allows reliable identification of the binary that
triggered a denial since the existing field (comm) only gives the name of
the binary, not its path. Thus comm cannot identify a binary outside of
$PATH and is ambiguous when two binaries share the same name.
Additionally comm can be modified by a program, for example, comm="(tor)"
or comm=4143504920506F6C6C6572 (= ACPI Poller).

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

authored by

Maxime Bélair and committed by
John Johansen
8d34e16f 3d28e239

+32
+32
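--- a/security/apparmor/task.c
+++ b/security/apparmor/task.c
@@ -15,6 +15,7 @@
 #include <linux/gfp.h>
 #include <linux/ptrace.h>
 
+#include "include/path.h"
 #include "include/audit.h"
 #include "include/cred.h"
 #include "include/policy.h"
@@ -301,16 +300,47 @@
 				xrequest, &sa));
 }
 
+static const char *get_current_exe_path(char *buffer, int buffer_size)
+{
+	struct file *exe_file;
+	struct path p;
+	const char *path_str;
+
+	exe_file = get_task_exe_file(current);
+	if (!exe_file)
+		return ERR_PTR(-ENOENT);
+	p = exe_file->f_path;
+	path_get(&p);
+
+	if (aa_path_name(&p, FLAG_VIEW_SUBNS, buffer, &path_str, NULL, NULL))
+		return ERR_PTR(-ENOMEM);
+
+	fput(exe_file);
+	path_put(&p);
+
+	return path_str;
+}
+
 /* call back to audit ptrace fields */
 static void audit_ns_cb(struct audit_buffer *ab, void *va)
 {
 	struct apparmor_audit_data *ad = aad_of_va(va);
+	char *buffer;
+	const char *path;
 
 	if (ad->request & AA_USERNS_CREATE)
 		audit_log_format(ab, " requested=\"userns_create\"");
 
 	if (ad->denied & AA_USERNS_CREATE)
 		audit_log_format(ab, " denied=\"userns_create\"");
+
+	buffer = aa_get_buffer(false);
+	if (!buffer)
+		return; // OOM
+	path = get_current_exe_path(buffer, aa_g_path_max);
+	if (!IS_ERR(path))
+		audit_log_format(ab, " execpath=\"%s\"", path);
+	aa_put_buffer(buffer);
 }
 
 int aa_profile_ns_perm(struct aa_profile *profile,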
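Review bot: The early `return ERR_PTR(-ENOMEM)` taken when `aa_path_name()` fails in get_current_exe_path() skips the `fput(exe_file)` and `path_put(&p)` that follow it, so every failed lookup leaks a reference to the executable's struct file (and the path it pins) — an unprivileged task that can trigger userns denials can thus pin files indefinitely. Because the returned string lives in the caller-owned `buffer`, both references can be dropped unconditionally before returning, and the error code `aa_path_name()` actually produced can be propagated rather than collapsed to -ENOMEM. Two smaller points: `buffer_size` is accepted but never used (the call site sizes the buffer by `aa_g_path_max`, and presumably `aa_path_name()` assumes the same — either drop the parameter or pass it through), and the `path_get(&p)`/`path_put(&p)` pair looks redundant while `exe_file` is held, since an open file already pins its `f_path`. In audit_ns_cb(), `return; // OOM` should use a `/* OOM */` comment per kernel style.
```c
	int error;
	/* … unchanged: get_task_exe_file() / -ENOENT check, f_path copy, path_get(&p) … */
	error = aa_path_name(&p, FLAG_VIEW_SUBNS, buffer, &path_str, NULL, NULL);

	/* drop the references on every exit path, not only on success */
	fput(exe_file);
	path_put(&p);

	return error ? ERR_PTR(error) : path_str;
```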