Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2ab47dae authored by John Johansen's avatar John Johansen
Browse files

apparmor: modify audit rule support to support profile stacks 



Allows for audit rules, where a rule could specify a profile stack
A//&B, while extending the current semantic so if the label specified
in the audit rule is a subset of the secid it is considered a match.

Eg. if the secid resolves to the label stack A//&B//&C

Then an audit rule specifying a label of

  A - would match
  B - would match
  C - would match
  D - would not
  A//&B - would match as a subset
  A//&C - would match as a subset
  B//&C - would match as a subset
  A//&B//&C - would match

  A//&D - would not match, because while A does match, D is also
  specified and does not

Note: audit rules are currently assumed to be coming from the root
namespace.

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent e79c26d0

security/apparmor/audit.c

+10 −17
Original line number Diff line number Diff line
@@ -165,7 +165,7 @@ int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa, 
}



struct aa_audit_rule {

	char *profile;

	struct aa_label *label;

};



void aa_audit_rule_free(void *vrule)
@@ -173,7 +173,8 @@ void aa_audit_rule_free(void *vrule) 
	struct aa_audit_rule *rule = vrule;



	if (rule) {

		kfree(rule->profile);

		if (!IS_ERR(rule->label))

			aa_put_label(rule->label);

		kfree(rule);

	}

}
@@ -196,13 +197,11 @@ int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule) 
	if (!rule)

		return -ENOMEM;



	rule->profile = kstrdup(rulestr, GFP_KERNEL);



	if (!rule->profile) {

		kfree(rule);

		return -ENOMEM;

	}



	/* Currently rules are treated as coming from the root ns */

	rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,

				     GFP_KERNEL, true, false);

	if (IS_ERR(rule->label))

		return PTR_ERR(rule->label);

	*vrule = rule;



	return 0;
@@ -229,8 +228,6 @@ int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, 
{

	struct aa_audit_rule *rule = vrule;

	struct aa_label *label;

	struct label_it i;

	struct aa_profile *profile;

	int found = 0;



	label = aa_secid_to_label(sid);
@@ -238,12 +235,8 @@ int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule, 
	if (!label)

		return -ENOENT;



	label_for_each(i, label, profile) {

		if (strcmp(rule->profile, profile->base.hname) == 0) {

	if (aa_label_is_subset(label, rule->label))

		found = 1;

			break;

		}

	}



	switch (field) {

	case AUDIT_SUBJ_ROLE: