Loading security/apparmor/domain.c +4 −2 Original line number Diff line number Diff line Loading @@ -518,6 +518,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) audit: error = aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name, new_profile ? new_profile->base.hname : NULL, new_profile ? &new_profile->label : NULL, cond.uid, info, error); cleanup: Loading Loading @@ -694,7 +695,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags) audit: if (!(flags & AA_CHANGE_TEST)) error = aa_audit_file(profile, &perms, OP_CHANGE_HAT, AA_MAY_CHANGEHAT, NULL, target, AA_MAY_CHANGEHAT, NULL, target, NULL, GLOBAL_ROOT_UID, info, error); out: Loading Loading @@ -802,7 +803,8 @@ int aa_change_profile(const char *fqname, int flags) audit: if (!(flags & AA_CHANGE_TEST)) error = aa_audit_file(profile, &perms, op, request, NULL, fqname, GLOBAL_ROOT_UID, info, error); fqname, NULL, GLOBAL_ROOT_UID, info, error); aa_put_profile(target); aa_put_label(label); Loading security/apparmor/file.c +12 −6 Original line number Diff line number Diff line Loading @@ -75,7 +75,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va) from_kuid(&init_user_ns, aad(sa)->fs.ouid)); } if (aad(sa)->fs.target) { if (aad(sa)->peer) { audit_log_format(ab, " target="); aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer, FLAG_VIEW_SUBNS, GFP_ATOMIC); } else if (aad(sa)->fs.target) { audit_log_format(ab, " target="); audit_log_untrustedstring(ab, aad(sa)->fs.target); } Loading 
@@ -85,11 +89,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va) * aa_audit_file - handle the auditing of file operations * @profile: the profile being enforced (NOT NULL) * @perms: the permissions computed for the request (NOT NULL) * @gfp: allocation flags * @op: operation being mediated * @request: permissions requested * @name: name of object being mediated (MAYBE NULL) * @target: name of target (MAYBE NULL) * @tlabel: target label (MAY BE NULL) * @ouid: object uid * @info: extra information message (MAYBE NULL) * @error: 0 if operation allowed else failure error code Loading @@ -98,7 +102,8 @@ static void file_audit_cb(struct audit_buffer *ab, void *va) */ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms, const char *op, u32 request, const char *name, const char *target, kuid_t ouid, const char *info, int error) const char *target, struct aa_label *tlabel, kuid_t ouid, const char *info, int error) { int type = AUDIT_APPARMOR_AUTO; DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_TASK, op); Loading @@ -107,6 +112,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms, aad(&sa)->request = request; aad(&sa)->name = name; aad(&sa)->fs.target = target; aad(&sa)->peer = tlabel; aad(&sa)->fs.ouid = ouid; aad(&sa)->info = info; aad(&sa)->error = error; Loading Loading @@ -139,7 +145,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms, aad(&sa)->request &= ~perms->quiet; if (!aad(&sa)->request) return COMPLAIN_MODE(profile) ? 0 : aad(&sa)->error; return aad(&sa)->error; } aad(&sa)->denied = aad(&sa)->request & ~perms->allow; Loading Loading @@ -295,7 +301,7 @@ int aa_path_perm(const char *op, struct aa_profile *profile, if (request & ~perms.allow) error = -EACCES; } error = aa_audit_file(profile, &perms, op, request, name, NULL, error = aa_audit_file(profile, &perms, op, request, name, NULL, NULL, cond->uid, info, error); put_buffers(buffer); Loading Loading 
@@ -425,7 +431,7 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry, audit: error = aa_audit_file(profile, &lperms, OP_LINK, request, lname, tname, cond.uid, info, error); lname, tname, NULL, cond.uid, info, error); put_buffers(buffer, buffer2); return error; Loading security/apparmor/include/file.h +2 −1 Original line number Diff line number Diff line Loading @@ -162,7 +162,8 @@ static inline u16 dfa_map_xindex(u16 mask) int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms, const char *op, u32 request, const char *name, const char *target, kuid_t ouid, const char *info, int error); const char *target, struct aa_label *tlabel, kuid_t ouid, const char *info, int error); /** * struct aa_file_rules - components used for file rule permissions Loading Loading
security/apparmor/domain.c +4 −2 Original line number Diff line number Diff line Loading @@ -518,6 +518,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) audit: error = aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name, new_profile ? new_profile->base.hname : NULL, new_profile ? &new_profile->label : NULL, cond.uid, info, error); cleanup: Loading Loading @@ -694,7 +695,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags) audit: if (!(flags & AA_CHANGE_TEST)) error = aa_audit_file(profile, &perms, OP_CHANGE_HAT, AA_MAY_CHANGEHAT, NULL, target, AA_MAY_CHANGEHAT, NULL, target, NULL, GLOBAL_ROOT_UID, info, error); out: Loading Loading @@ -802,7 +803,8 @@ int aa_change_profile(const char *fqname, int flags) audit: if (!(flags & AA_CHANGE_TEST)) error = aa_audit_file(profile, &perms, op, request, NULL, fqname, GLOBAL_ROOT_UID, info, error); fqname, NULL, GLOBAL_ROOT_UID, info, error); aa_put_profile(target); aa_put_label(label); Loading
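Review bot: In the OP_EXEC call in apparmor_bprm_set_creds the target is now passed twice, once as the string `new_profile->base.hname` and once as `&new_profile->label`. Because the file_audit_cb change in this same commit emits `peer` in preference to `fs.target`, the hname string is never logged when new_profile is set. The `target=` field of exec records is therefore written by aa_label_xaudit() instead of audit_log_untrustedstring(), so its rendering may differ from what existing log parsers and detection rules match on, which is worth stating in the commit message. I would either pass NULL for the string at this call site or add a comment such as `/* tlabel, when set, overrides the target string in the audit record */`. All three function bodies start and end outside their hunks, so the lifetime of new_profile at the `audit:` label cannot be confirmed from here, although the call does sit before `cleanup:`.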
security/apparmor/file.c +12 −6 Original line number Diff line number Diff line Loading @@ -75,7 +75,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va) from_kuid(&init_user_ns, aad(sa)->fs.ouid)); } if (aad(sa)->fs.target) { if (aad(sa)->peer) { audit_log_format(ab, " target="); aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer, FLAG_VIEW_SUBNS, GFP_ATOMIC); } else if (aad(sa)->fs.target) { audit_log_format(ab, " target="); audit_log_untrustedstring(ab, aad(sa)->fs.target); } Loading @@ -85,11 +89,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va) * aa_audit_file - handle the auditing of file operations * @profile: the profile being enforced (NOT NULL) * @perms: the permissions computed for the request (NOT NULL) * @gfp: allocation flags * @op: operation being mediated * @request: permissions requested * @name: name of object being mediated (MAYBE NULL) * @target: name of target (MAYBE NULL) * @tlabel: target label (MAY BE NULL) * @ouid: object uid * @info: extra information message (MAYBE NULL) * @error: 0 if operation allowed else failure error code Loading @@ -98,7 +102,8 @@ static void file_audit_cb(struct audit_buffer *ab, void *va) */ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms, const char *op, u32 request, const char *name, const char *target, kuid_t ouid, const char *info, int error) const char *target, struct aa_label *tlabel, kuid_t ouid, const char *info, int error) { int type = AUDIT_APPARMOR_AUTO; DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_TASK, op); Loading @@ -107,6 +112,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms, aad(&sa)->request = request; aad(&sa)->name = name; aad(&sa)->fs.target = target; aad(&sa)->peer = tlabel; aad(&sa)->fs.ouid = ouid; aad(&sa)->info = info; aad(&sa)->error = error; Loading Loading 
@@ -139,7 +145,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms, aad(&sa)->request &= ~perms->quiet; if (!aad(&sa)->request) return COMPLAIN_MODE(profile) ? 0 : aad(&sa)->error; return aad(&sa)->error; } aad(&sa)->denied = aad(&sa)->request & ~perms->allow; Loading Loading @@ -295,7 +301,7 @@ int aa_path_perm(const char *op, struct aa_profile *profile, if (request & ~perms.allow) error = -EACCES; } error = aa_audit_file(profile, &perms, op, request, name, NULL, error = aa_audit_file(profile, &perms, op, request, name, NULL, NULL, cond->uid, info, error); put_buffers(buffer); Loading Loading @@ -425,7 +431,7 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry, audit: error = aa_audit_file(profile, &lperms, OP_LINK, request, lname, tname, cond.uid, info, error); lname, tname, NULL, cond.uid, info, error); put_buffers(buffer, buffer2); return error; Loading
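Review bot: The quiet path in aa_audit_file (hunk -139/+145) appears to replace `return COMPLAIN_MODE(profile) ? 0 : aad(&sa)->error;` with `return aad(&sa)->error;`, which changes what callers get back rather than only what is logged. That reading takes the pair as old-then-new, since the page has lost its +/- markers. If a complain-mode profile can reach this point with a non-zero error and a request fully masked by `perms->quiet`, the access would now be refused where it was previously allowed, a mediation change inside what is otherwise an audit-plumbing commit. Please confirm that complain mode is already applied before this return and, if so, say so there with a comment such as `/* complain mode is resolved before auditing; a quieted denial still returns the error */`, or move the change into its own commit. The function body continues outside the hunk.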
security/apparmor/include/file.h +2 −1 Original line number Diff line number Diff line Loading @@ -162,7 +162,8 @@ static inline u16 dfa_map_xindex(u16 mask) int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms, const char *op, u32 request, const char *name, const char *target, kuid_t ouid, const char *info, int error); const char *target, struct aa_label *tlabel, kuid_t ouid, const char *info, int error); /** * struct aa_file_rules - components used for file rule permissions Loading