
apparmor: fix af_unix auditing to include all address information

The auditing of addresses currently doesn't include the source address
and mixes source and foreign/peer under the same audit name. Fix this
so that the source is always audited as addr, and the foreign/peer as peer_addr.

Fixes: c05e705812d1 ("apparmor: add fine grained af_unix mediation")
Signed-off-by: John Johansen <john.johansen@canonical.com>

+18 -10
+2 -2
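--- a/security/apparmor/af_unix.c
+++ b/security/apparmor/af_unix.c
@@ -584,8 +584,8 @@
 struct aa_profile *profile;
 DEFINE_AUDIT_SK(ad, op, subj_cred, sk);
 
-ad.net.addr = peer_addr;
-ad.net.addrlen = peer_addrlen;
+ad.net.peer.addr = peer_addr;
+ad.net.peer.addrlen = peer_addrlen;
 
 return fn_for_each_confined(label, profile,
 profile_peer_perm(profile, request, sk,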
+4
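--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -140,6 +140,10 @@
 int type, protocol;
 void *addr;
 int addrlen;
+struct {
+void *addr;
+int addrlen;
+} peer;
 } net;
 };
 };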
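Review bot: The new nested `peer` struct carries no comment separating it from the `addr`/`addrlen` pair directly above it, which the commit message says was previously overloaded for both ends of the connection, so a reader of this header alone cannot tell which field holds which end. Suggest `/* local/source end of the socket; the foreign end lives in peer below */` on the existing `void *addr;` and `/* foreign/peer end; audited as "peer_addr" when the request carries NET_PEER_MASK bits (see net.c) */` on the added `struct {` line. The enclosing struct definition starts and ends outside the hunk.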
+12 -8
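--- a/security/apparmor/net.c
+++ b/security/apparmor/net.c
@@ -99,10 +99,15 @@
 {
 const struct unix_sock *u = unix_sk(sk);
 
-if (u && u->addr)
-audit_unix_addr(ab, str, u->addr->name, u->addr->len);
-else
+if (u && u->addr) {
+int addrlen;
+struct sockaddr_un *addr = aa_sunaddr(u, &addrlen);
+
+audit_unix_addr(ab, str, addr, addrlen);
+} else {
 audit_unix_addr(ab, str, NULL, 0);
+
+}
 }
 
 /* audit callback for net specific fields */
@@ -142,17 +137,16 @@
 }
 }
 if (ad->common.u.net->family == PF_UNIX) {
-if ((ad->request & ~NET_PEER_MASK) && ad->net.addr)
+if (ad->net.addr || !ad->common.u.net->sk)
 audit_unix_addr(ab, "addr",
 unix_addr(ad->net.addr),
 ad->net.addrlen);
 else
 audit_unix_sk_addr(ab, "addr", ad->common.u.net->sk);
 if (ad->request & NET_PEER_MASK) {
-if (ad->net.addr)
-audit_unix_addr(ab, "peer_addr",
-unix_addr(ad->net.addr),
-ad->net.addrlen);
+audit_unix_addr(ab, "peer_addr",
+unix_addr(ad->net.peer.addr),
+ad->net.peer.addrlen);
 }
 }
 if (ad->peer) {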
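Review bot: The peer branch in the second hunk now calls `audit_unix_addr(ab, "peer_addr", unix_addr(ad->net.peer.addr), ad->net.peer.addrlen)` without the NULL guard the removed lines had, and the new `addr` condition likewise reaches `unix_addr(ad->net.addr)` with a NULL pointer whenever `ad->common.u.net->sk` is NULL. The first hunk passes `NULL, 0` to audit_unix_addr() deliberately, so the callee appears to tolerate a NULL address, but unix_addr() is not on this page; if it is anything more than a pointer cast, the dropped check should come back as `if (ad->net.peer.addr)`. A short comment on the new condition, `/* audit the recorded addr, or NULL when there is no sk to derive one from */`, would record why the sk-less case is routed to audit_unix_addr() rather than audit_unix_sk_addr(). The enclosing audit callback starts and ends outside the hunk. In the first hunk the blank line added between `audit_unix_addr(ab, str, NULL, 0);` and the closing `}` of the else branch is stray and should be dropped.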