
Commit 98c3d182 authored by John Johansen's avatar John Johansen

apparmor: update aa_audit_file() to use labels

parent 190a9518
+4 −2
@@ -518,6 +518,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
audit:
	error = aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name,
			      new_profile ? new_profile->base.hname : NULL,
			      new_profile ? &new_profile->label : NULL,
			      cond.uid, info, error);

cleanup:
@@ -694,7 +695,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
audit:
	if (!(flags & AA_CHANGE_TEST))
		error = aa_audit_file(profile, &perms, OP_CHANGE_HAT,
				      AA_MAY_CHANGEHAT, NULL, target,
				      AA_MAY_CHANGEHAT, NULL, target, NULL,
				      GLOBAL_ROOT_UID, info, error);

out:
@@ -802,7 +803,8 @@ int aa_change_profile(const char *fqname, int flags)
audit:
	if (!(flags & AA_CHANGE_TEST))
		error = aa_audit_file(profile, &perms, op, request, NULL,
				      fqname, GLOBAL_ROOT_UID, info, error);
				      fqname, NULL, GLOBAL_ROOT_UID, info,
				      error);

	aa_put_profile(target);
	aa_put_label(label);
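Review bot: The new tlabel argument is `NULL` in the aa_change_hat and aa_change_profile hunks (L28, L37) while the exec path passes `&new_profile->label` (L19), so only exec audit records gain a label-based target; change_hat and change_profile keep logging the bare string. In aa_change_profile a `target` profile is in scope (it is released at L40), so `target ? &target->label : NULL` would be the analogue of the exec hunk, assuming target is already resolved when the audit label is reached — the function body lies outside the hunk. If the asymmetry is deliberate, a short comment at the call site such as `/* no target label: audited by name only */` would save the next reader the question.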
+12 −6
@@ -75,7 +75,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
				 from_kuid(&init_user_ns, aad(sa)->fs.ouid));
	}

	if (aad(sa)->fs.target) {
	if (aad(sa)->peer) {
		audit_log_format(ab, " target=");
		aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
				FLAG_VIEW_SUBNS, GFP_ATOMIC);
	} else if (aad(sa)->fs.target) {
		audit_log_format(ab, " target=");
		audit_log_untrustedstring(ab, aad(sa)->fs.target);
	}
@@ -85,11 +89,11 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
 * aa_audit_file - handle the auditing of file operations
 * @profile: the profile being enforced  (NOT NULL)
 * @perms: the permissions computed for the request (NOT NULL)
 * @gfp: allocation flags
 * @op: operation being mediated
 * @request: permissions requested
 * @name: name of object being mediated (MAYBE NULL)
 * @target: name of target (MAYBE NULL)
 * @tlabel: target label (MAY BE NULL)
 * @ouid: object uid
 * @info: extra information message (MAYBE NULL)
 * @error: 0 if operation allowed else failure error code
@@ -98,7 +102,8 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
 */
int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
		  const char *op, u32 request, const char *name,
		  const char *target, kuid_t ouid, const char *info, int error)
		  const char *target, struct aa_label *tlabel,
		  kuid_t ouid, const char *info, int error)
{
	int type = AUDIT_APPARMOR_AUTO;
	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_TASK, op);
@@ -107,6 +112,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
	aad(&sa)->request = request;
	aad(&sa)->name = name;
	aad(&sa)->fs.target = target;
	aad(&sa)->peer = tlabel;
	aad(&sa)->fs.ouid = ouid;
	aad(&sa)->info = info;
	aad(&sa)->error = error;
@@ -139,7 +145,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
			aad(&sa)->request &= ~perms->quiet;

		if (!aad(&sa)->request)
			return COMPLAIN_MODE(profile) ? 0 : aad(&sa)->error;
			return aad(&sa)->error;
	}

	aad(&sa)->denied = aad(&sa)->request & ~perms->allow;
@@ -295,7 +301,7 @@ int aa_path_perm(const char *op, struct aa_profile *profile,
		if (request & ~perms.allow)
			error = -EACCES;
	}
	error = aa_audit_file(profile, &perms, op, request, name, NULL,
	error = aa_audit_file(profile, &perms, op, request, name, NULL, NULL,
			      cond->uid, info, error);
	put_buffers(buffer);

@@ -425,7 +431,7 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,

audit:
	error = aa_audit_file(profile, &lperms, OP_LINK, request,
			      lname, tname, cond.uid, info, error);
			      lname, tname, NULL, cond.uid, info, error);
	put_buffers(buffer, buffer2);

	return error;
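Review bot: The replacement of `return COMPLAIN_MODE(profile) ? 0 : aad(&sa)->error;` by `return aad(&sa)->error;` (L92 → L93, assuming the usual old-then-new print order) changes what a fully quieted request returns in complain mode, which is unrelated to the label plumbing the title describes and is not mentioned in the commit message. Whether callers can observe it depends on the error they pass in while in complain mode, which is outside the hunk, so either keep the conditional or state the intent in the message. Separately, the kerneldoc still lists `@gfp: allocation flags` (L61) although the prototype at L72-L76 has no such parameter, so that line should be dropped. The new `@tlabel` entry should also record that the pointer is stored in `aad(&sa)->peer` without a reference being taken (L84) and that file_audit_cb prints it instead of @target when both are set (L49-L55): `@tlabel: target label, logged in place of @target when non-NULL; caller holds the reference (MAY BE NULL)`.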
+2 −1
@@ -162,7 +162,8 @@ static inline u16 dfa_map_xindex(u16 mask)

int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
		  const char *op, u32 request, const char *name,
		  const char *target, kuid_t ouid, const char *info, int error);
		  const char *target, struct aa_label *tlabel, kuid_t ouid,
		  const char *info, int error);

/**
 * struct aa_file_rules - components used for file rule permissions