Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

apparmor: add profile and ns params to aa_may_manage_policy()

Policy management will be expanded beyond traditional unconfined root.
This will require knowning the profile of the task doing the management
and the ns view.

Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen 8 years ago
parent
fd2a80438d
commit
078c73c63f
3 changed files with 12 additions and 14 deletions
Unified View Show Diff Stats
  1. 1 1
      security/apparmor/apparmorfs.c
  2. 1 1
      security/apparmor/include/policy.h
  3. 10 12
      security/apparmor/policy.c

+ 1 - 1
security/apparmor/apparmorfs.c
View File 

@@ -100,7 +100,7 @@ static char *aa_simple_write_to_buffer(int op, const char __user *userbuf,
 
 	 * Don't allow profile load/replace/remove from profiles that don't
 
 	 * Don't allow profile load/replace/remove from profiles that don't
 
 	 * have CAP_MAC_ADMIN
 
 	 * have CAP_MAC_ADMIN
 
 	 */
 
 	 */
 
-	if (!aa_may_manage_policy(op))
 
+	if (!aa_may_manage_policy(__aa_current_profile(), NULL, op))
 
 		return ERR_PTR(-EACCES);
 
 		return ERR_PTR(-EACCES);
 
 
 
 	/* freed by caller to simple_write_to_buffer */
 
 	/* freed by caller to simple_write_to_buffer */

+ 1 - 1
security/apparmor/include/policy.h
View File 

@@ -301,6 +301,6 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
 
 
 
 bool policy_view_capable(struct aa_ns *ns);
 
 bool policy_view_capable(struct aa_ns *ns);
 
 bool policy_admin_capable(struct aa_ns *ns);
 
 bool policy_admin_capable(struct aa_ns *ns);
 
-bool aa_may_manage_policy(int op);
 
+int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op);
 
 
 
 #endif /* __AA_POLICY_H */
 
 #endif /* __AA_POLICY_H */

+ 10 - 12
security/apparmor/policy.c
View File 

@@ -650,26 +650,24 @@ bool policy_admin_capable(struct aa_ns *ns)
 
 
 
 /**
 
 /**
 
  * aa_may_manage_policy - can the current task manage policy
 
  * aa_may_manage_policy - can the current task manage policy
 
+ * @profile: profile to check if it can manage policy
 
  * @op: the policy manipulation operation being done
 
  * @op: the policy manipulation operation being done
 
  *
 
  *
 
- * Returns: true if the task is allowed to manipulate policy
 
+ * Returns: 0 if the task is allowed to manipulate policy else error
 
  */
 
  */
 
-bool aa_may_manage_policy(int op)
 
+int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op)
 
 {
 
 {
 
 	/* check if loading policy is locked out */
 
 	/* check if loading policy is locked out */
 
-	if (aa_g_lock_policy) {
 
-		audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
 
+	if (aa_g_lock_policy)
 
+		return audit_policy(profile, op, GFP_KERNEL, NULL,
 
 			     "policy_locked", -EACCES);
 
 			     "policy_locked", -EACCES);
 
-		return 0;
 
-	}
 
 
 
-	if (!policy_admin_capable(NULL)) {
 
-		audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
 
-			     "not policy admin", -EACCES);
 
-		return 0;
 
-	}
 
+	if (!policy_admin_capable(ns))
 
+		return audit_policy(profile, op, GFP_KERNEL, NULL,
 
+				    "not policy admin", -EACCES);
 
 
 
-	return 1;
 
+	/* TODO: add fine grained mediation of policy loads */
 
+	return 0;
 
 }
 
 }
 
 
 
 static struct aa_profile *__list_lookup_parent(struct list_head *lh,
 
 static struct aa_profile *__list_lookup_parent(struct list_head *lh,