Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2db81452 authored by Eric W. Biederman's avatar Eric W. Biederman
Browse files

userns: Convert apparmor to use kuid and kgid where appropriate 



Cc: John Johansen <john.johansen@canonical.com>
Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
parent e4849737

init/Kconfig

+0 −1
Original line number Diff line number Diff line
@@ -964,7 +964,6 @@ config UIDGID_CONVERTED 


	# Security modules

	depends on SECURITY_TOMOYO = n

	depends on SECURITY_APPARMOR = n



config UIDGID_STRICT_TYPE_CHECKS

	bool "Require conversions between uid/gids and their internal representation"

security/apparmor/domain.c

+2 −2
Original line number Diff line number Diff line
@@ -721,7 +721,7 @@ audit: 
	if (!permtest)

		error = aa_audit_file(profile, &perms, GFP_KERNEL,

				      OP_CHANGE_HAT, AA_MAY_CHANGEHAT, NULL,

				      target, 0, info, error);

				      target, GLOBAL_ROOT_UID, info, error);



out:

	aa_put_profile(hat);
@@ -848,7 +848,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, 
audit:

	if (!permtest)

		error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request,

				      name, hname, 0, info, error);

				      name, hname, GLOBAL_ROOT_UID, info, error);



	aa_put_namespace(ns);

	aa_put_profile(target);

security/apparmor/file.c

+7 −5
Original line number Diff line number Diff line
@@ -65,7 +65,7 @@ static void audit_file_mask(struct audit_buffer *ab, u32 mask) 
static void file_audit_cb(struct audit_buffer *ab, void *va)

{

	struct common_audit_data *sa = va;

	uid_t fsuid = current_fsuid();

	kuid_t fsuid = current_fsuid();



	if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) {

		audit_log_format(ab, " requested_mask=");
@@ -76,8 +76,10 @@ static void file_audit_cb(struct audit_buffer *ab, void *va) 
		audit_file_mask(ab, sa->aad->fs.denied);

	}

	if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) {

		audit_log_format(ab, " fsuid=%d", fsuid);

		audit_log_format(ab, " ouid=%d", sa->aad->fs.ouid);

		audit_log_format(ab, " fsuid=%d",

				 from_kuid(&init_user_ns, fsuid));

		audit_log_format(ab, " ouid=%d",

				 from_kuid(&init_user_ns, sa->aad->fs.ouid));

	}



	if (sa->aad->fs.target) {
@@ -103,7 +105,7 @@ static void file_audit_cb(struct audit_buffer *ab, void *va) 
 */

int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,

		  gfp_t gfp, int op, u32 request, const char *name,

		  const char *target, uid_t ouid, const char *info, int error)

		  const char *target, kuid_t ouid, const char *info, int error)

{

	int type = AUDIT_APPARMOR_AUTO;

	struct common_audit_data sa;
@@ -201,7 +203,7 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state, 
	 */

	perms.kill = 0;



	if (current_fsuid() == cond->uid) {

	if (uid_eq(current_fsuid(), cond->uid)) {

		perms.allow = map_old_perms(dfa_user_allow(dfa, state));

		perms.audit = map_old_perms(dfa_user_audit(dfa, state));

		perms.quiet = map_old_perms(dfa_user_quiet(dfa, state));

security/apparmor/include/audit.h

+1 −1
Original line number Diff line number Diff line
@@ -125,7 +125,7 @@ struct apparmor_audit_data { 
			const char *target;

			u32 request;

			u32 denied;

			uid_t ouid;

			kuid_t ouid;

		} fs;

	};

};

security/apparmor/include/file.h

+2 −2
Original line number Diff line number Diff line
@@ -71,7 +71,7 @@ struct path; 


/* need to make conditional which ones are being set */

struct path_cond {

	uid_t uid;

	kuid_t uid;

	umode_t mode;

};
@@ -146,7 +146,7 @@ static inline u16 dfa_map_xindex(u16 mask) 


int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,

		  gfp_t gfp, int op, u32 request, const char *name,

		  const char *target, uid_t ouid, const char *info, int error);

		  const char *target, kuid_t ouid, const char *info, int error);



/**

 * struct aa_file_rules - components used for file rule permissions