Loading security/apparmor/domain.c +1 −1 Original line number Diff line number Diff line Loading @@ -366,7 +366,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) /* buffer freed below, name is pointer into buffer */ error = aa_path_name(&bprm->file->f_path, profile->path_flags, &buffer, &name, &info); &name, &info, profile->disconnected); if (error) { if (unconfined(profile) || (profile->flags & PFLAG_IX_ON_NAME_ERROR)) Loading security/apparmor/file.c +4 −3 Original line number Diff line number Diff line Loading @@ -285,7 +285,8 @@ int aa_path_perm(const char *op, struct aa_profile *profile, int error; flags |= profile->path_flags | (S_ISDIR(cond->mode) ? PATH_IS_DIR : 0); error = aa_path_name(path, flags, &buffer, &name, &info); error = aa_path_name(path, flags, &buffer, &name, &info, profile->disconnected); if (error) { if (error == -ENOENT && is_deleted(path->dentry)) { /* Access to open files that are deleted are Loading Loading @@ -366,13 +367,13 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry, /* buffer freed below, lname is pointer in buffer */ error = aa_path_name(&link, profile->path_flags, &buffer, &lname, &info); &info, profile->disconnected); if (error) goto audit; /* buffer2 freed below, tname is pointer in buffer2 */ error = aa_path_name(&target, profile->path_flags, &buffer2, &tname, &info); &info, profile->disconnected); if (error) goto audit; Loading security/apparmor/include/path.h +2 −1 Original line number Diff line number Diff line Loading @@ -27,7 +27,8 @@ enum path_flags { }; int aa_path_name(const struct path *path, int flags, char **buffer, const char **name, const char **info); const char **name, const char **info, const char *disconnected); #define MAX_PATH_BUFFERS 2 Loading security/apparmor/include/policy.h +2 −0 Original line number Diff line number Diff line Loading @@ -128,6 +128,7 @@ struct aa_data { * @mode: the enforcement mode of the profile * @flags: flags controlling profile behavior * @path_flags: flags controlling path generation behavior * @disconnected: what to prepend if attach_disconnected is specified * @size: the memory consumed by this profiles rules * @policy: general match rules governing policy * @file: The set of rules governing basic file access and domain transitions Loading Loading @@ -169,6 +170,7 @@ struct aa_profile { long mode; long flags; u32 path_flags; const char *disconnected; int size; struct aa_policydb policy; Loading security/apparmor/path.c +22 −12 Original line number Diff line number Diff line Loading @@ -50,7 +50,7 @@ static int prepend(char **buffer, int buflen, const char *str, int namelen) * namespace root. */ static int disconnect(const struct path *path, char *buf, char **name, int flags) int flags, const char *disconnected) { int error = 0; Loading @@ -63,9 +63,14 @@ static int disconnect(const struct path *path, char *buf, char **name, error = -EACCES; if (**name == '/') *name = *name + 1; } else if (**name != '/') } else { if (**name != '/') /* CONNECT_PATH with missing root */ error = prepend(name, *name - buf, "/", 1); if (!error && disconnected) error = prepend(name, *name - buf, disconnected, strlen(disconnected)); } return error; } Loading @@ -77,6 +82,7 @@ static int disconnect(const struct path *path, char *buf, char **name, * @buflen: length of @buf * @name: Returns - pointer for start of path name with in @buf (NOT NULL) * @flags: flags controlling path lookup * @disconnected: string to prefix to disconnected paths * * Handle path name lookup. * Loading @@ -85,7 +91,7 @@ static int disconnect(const struct path *path, char *buf, char **name, * to a position in @buf */ static int d_namespace_path(const struct path *path, char *buf, int buflen, char **name, int flags) char **name, int flags, const char *disconnected) { char *res; int error = 0; Loading @@ -106,8 +112,8 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen, */ return prepend(name, *name - buf, "/proc", 5); } else return disconnect(path, buf, name, flags); return 0; return disconnect(path, buf, name, flags, disconnected); } /* resolve paths relative to chroot?*/ Loading Loading @@ -153,7 +159,7 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen, } if (!connected) error = disconnect(path, buf, name, flags); error = disconnect(path, buf, name, flags, disconnected); out: return error; Loading @@ -170,10 +176,12 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen, * Returns: %0 else error on failure */ static int get_name_to_buffer(const struct path *path, int flags, char *buffer, int size, char **name, const char **info) int size, char **name, const char **info, const char *disconnected) { int adjust = (flags & PATH_IS_DIR) ? 1 : 0; int error = d_namespace_path(path, buffer, size - adjust, name, flags); int error = d_namespace_path(path, buffer, size - adjust, name, flags, disconnected); if (!error && (flags & PATH_IS_DIR) && (*name)[1] != '\0') /* Loading Loading @@ -203,6 +211,7 @@ static int get_name_to_buffer(const struct path *path, int flags, char *buffer, * @buffer: buffer that aa_get_name() allocated (NOT NULL) * @name: Returns - the generated path name if !error (NOT NULL) * @info: Returns - information on why the path lookup failed (MAYBE NULL) * @disconnected: string to prepend to disconnected paths * * @name is a pointer to the beginning of the pathname (which usually differs * from the beginning of the buffer), or NULL. If there is an error @name Loading @@ -216,7 +225,7 @@ static int get_name_to_buffer(const struct path *path, int flags, char *buffer, * Returns: %0 else error code if could retrieve name */ int aa_path_name(const struct path *path, int flags, char **buffer, const char **name, const char **info) const char **name, const char **info, const char *disconnected) { char *buf, *str = NULL; int size = 256; Loading @@ -230,7 +239,8 @@ int aa_path_name(const struct path *path, int flags, char **buffer, if (!buf) return -ENOMEM; error = get_name_to_buffer(path, flags, buf, size, &str, info); error = get_name_to_buffer(path, flags, buf, size, &str, info, disconnected); if (error != -ENAMETOOLONG) break; Loading Loading
security/apparmor/domain.c +1 −1 Original line number Diff line number Diff line Loading @@ -366,7 +366,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) /* buffer freed below, name is pointer into buffer */ error = aa_path_name(&bprm->file->f_path, profile->path_flags, &buffer, &name, &info); &name, &info, profile->disconnected); if (error) { if (unconfined(profile) || (profile->flags & PFLAG_IX_ON_NAME_ERROR)) Loading
security/apparmor/file.c +4 −3 Original line number Diff line number Diff line Loading @@ -285,7 +285,8 @@ int aa_path_perm(const char *op, struct aa_profile *profile, int error; flags |= profile->path_flags | (S_ISDIR(cond->mode) ? PATH_IS_DIR : 0); error = aa_path_name(path, flags, &buffer, &name, &info); error = aa_path_name(path, flags, &buffer, &name, &info, profile->disconnected); if (error) { if (error == -ENOENT && is_deleted(path->dentry)) { /* Access to open files that are deleted are Loading Loading @@ -366,13 +367,13 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry, /* buffer freed below, lname is pointer in buffer */ error = aa_path_name(&link, profile->path_flags, &buffer, &lname, &info); &info, profile->disconnected); if (error) goto audit; /* buffer2 freed below, tname is pointer in buffer2 */ error = aa_path_name(&target, profile->path_flags, &buffer2, &tname, &info); &info, profile->disconnected); if (error) goto audit; Loading
security/apparmor/include/path.h +2 −1 Original line number Diff line number Diff line Loading @@ -27,7 +27,8 @@ enum path_flags { }; int aa_path_name(const struct path *path, int flags, char **buffer, const char **name, const char **info); const char **name, const char **info, const char *disconnected); #define MAX_PATH_BUFFERS 2 Loading
security/apparmor/include/policy.h +2 −0 Original line number Diff line number Diff line Loading @@ -128,6 +128,7 @@ struct aa_data { * @mode: the enforcement mode of the profile * @flags: flags controlling profile behavior * @path_flags: flags controlling path generation behavior * @disconnected: what to prepend if attach_disconnected is specified * @size: the memory consumed by this profiles rules * @policy: general match rules governing policy * @file: The set of rules governing basic file access and domain transitions Loading Loading @@ -169,6 +170,7 @@ struct aa_profile { long mode; long flags; u32 path_flags; const char *disconnected; int size; struct aa_policydb policy; Loading
security/apparmor/path.c +22 −12 Original line number Diff line number Diff line Loading @@ -50,7 +50,7 @@ static int prepend(char **buffer, int buflen, const char *str, int namelen) * namespace root. */ static int disconnect(const struct path *path, char *buf, char **name, int flags) int flags, const char *disconnected) { int error = 0; Loading @@ -63,9 +63,14 @@ static int disconnect(const struct path *path, char *buf, char **name, error = -EACCES; if (**name == '/') *name = *name + 1; } else if (**name != '/') } else { if (**name != '/') /* CONNECT_PATH with missing root */ error = prepend(name, *name - buf, "/", 1); if (!error && disconnected) error = prepend(name, *name - buf, disconnected, strlen(disconnected)); } return error; } Loading @@ -77,6 +82,7 @@ static int disconnect(const struct path *path, char *buf, char **name, * @buflen: length of @buf * @name: Returns - pointer for start of path name with in @buf (NOT NULL) * @flags: flags controlling path lookup * @disconnected: string to prefix to disconnected paths * * Handle path name lookup. * Loading @@ -85,7 +91,7 @@ static int disconnect(const struct path *path, char *buf, char **name, * to a position in @buf */ static int d_namespace_path(const struct path *path, char *buf, int buflen, char **name, int flags) char **name, int flags, const char *disconnected) { char *res; int error = 0; Loading @@ -106,8 +112,8 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen, */ return prepend(name, *name - buf, "/proc", 5); } else return disconnect(path, buf, name, flags); return 0; return disconnect(path, buf, name, flags, disconnected); } /* resolve paths relative to chroot?*/ Loading Loading @@ -153,7 +159,7 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen, } if (!connected) error = disconnect(path, buf, name, flags); error = disconnect(path, buf, name, flags, disconnected); out: return error; Loading @@ -170,10 +176,12 @@ static int d_namespace_path(const struct path *path, char *buf, int buflen, * Returns: %0 else error on failure */ static int get_name_to_buffer(const struct path *path, int flags, char *buffer, int size, char **name, const char **info) int size, char **name, const char **info, const char *disconnected) { int adjust = (flags & PATH_IS_DIR) ? 1 : 0; int error = d_namespace_path(path, buffer, size - adjust, name, flags); int error = d_namespace_path(path, buffer, size - adjust, name, flags, disconnected); if (!error && (flags & PATH_IS_DIR) && (*name)[1] != '\0') /* Loading Loading @@ -203,6 +211,7 @@ static int get_name_to_buffer(const struct path *path, int flags, char *buffer, * @buffer: buffer that aa_get_name() allocated (NOT NULL) * @name: Returns - the generated path name if !error (NOT NULL) * @info: Returns - information on why the path lookup failed (MAYBE NULL) * @disconnected: string to prepend to disconnected paths * * @name is a pointer to the beginning of the pathname (which usually differs * from the beginning of the buffer), or NULL. If there is an error @name Loading @@ -216,7 +225,7 @@ static int get_name_to_buffer(const struct path *path, int flags, char *buffer, * Returns: %0 else error code if could retrieve name */ int aa_path_name(const struct path *path, int flags, char **buffer, const char **name, const char **info) const char **name, const char **info, const char *disconnected) { char *buf, *str = NULL; int size = 256; Loading @@ -230,7 +239,8 @@ int aa_path_name(const struct path *path, int flags, char **buffer, if (!buf) return -ENOMEM; error = get_name_to_buffer(path, flags, buf, size, &str, info); error = get_name_to_buffer(path, flags, buf, size, &str, info, disconnected); if (error != -ENAMETOOLONG) break; Loading
John Johansen <john.johansen@canonical.com>John Johansen <john.johansen@canonical.com>