
Commit 03816507 authored by John Johansen

apparmor: allow setting any profile into the unconfined state



Allow emulating the default profile behavior from boot, by allowing
loading of a profile in the unconfined state into a new NS.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
parent 8651e1d6
+2 −2
@@ -371,8 +371,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
	error = aa_path_name(&bprm->file->f_path, profile->path_flags, &buffer,
			     &name, &info);
	if (error) {
		if (profile->flags &
		    (PFLAG_IX_ON_NAME_ERROR | PFLAG_UNCONFINED))
		if (unconfined(profile) ||
		    (profile->flags & PFLAG_IX_ON_NAME_ERROR))
			error = 0;
		name = bprm->filename;
		goto audit;
+3 −3
@@ -56,11 +56,11 @@ enum profile_mode {
	APPARMOR_ENFORCE,	/* enforce access rules */
	APPARMOR_COMPLAIN,	/* allow and log access violations */
	APPARMOR_KILL,		/* kill task on access violation */
	APPARMOR_UNCONFINED,	/* profile set to unconfined */
};

enum profile_flags {
	PFLAG_HAT = 1,			/* profile is a hat */
	PFLAG_UNCONFINED = 2,		/* profile is an unconfined profile */
	PFLAG_NULL = 4,			/* profile is null learning profile */
	PFLAG_IX_ON_NAME_ERROR = 8,	/* fallback to ix on name lookup fail */
	PFLAG_IMMUTABLE = 0x10,		/* don't allow changes/replacement */
@@ -199,7 +199,7 @@ struct aa_profile {
	struct aa_dfa *xmatch;
	int xmatch_len;
	enum audit_mode audit;
	enum profile_mode mode;
	long mode;
	long flags;
	u32 path_flags;
	int size;
@@ -240,7 +240,7 @@ ssize_t aa_remove_profiles(char *name, size_t size);
#define PROF_ADD 1
#define PROF_REPLACE 0

#define unconfined(X) ((X)->flags & PFLAG_UNCONFINED)
#define unconfined(X) ((X)->mode == APPARMOR_UNCONFINED)


/**
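Review bot: enum profile_mode gains APPARMOR_UNCONFINED and profile_mode_names[] in policy.c (the +4 −2 section below) is indexed by it, but neither site says the two must stay in step; a comment on the enum such as `/* order must match profile_mode_names[] in policy.c */` would catch the next addition. The unconfined(X) macro now reads `(X)->mode == APPARMOR_UNCONFINED`, so the mode field is the single source of truth for the unconfined state; a one-line comment on the macro stating that (and that `unconfined(X)` evaluates X once) would help readers who still think of it as a flag. Dropping PFLAG_UNCONFINED leaves bit value 2 unused in enum profile_flags; a `/* 2 was PFLAG_UNCONFINED, now expressed via mode */` placeholder would stop it from being silently reused while any out-of-tree code still tests the old bit (cannot tell from here whether any does).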
+7 −0
@@ -27,6 +27,13 @@ struct aa_load_ent {
void aa_load_ent_free(struct aa_load_ent *ent);
struct aa_load_ent *aa_load_ent_alloc(void);

#define PACKED_FLAG_HAT		1

#define PACKED_MODE_ENFORCE	0
#define PACKED_MODE_COMPLAIN	1
#define PACKED_MODE_KILL	2
#define PACKED_MODE_UNCONFINED	3

int aa_unpack(void *udata, size_t size, struct list_head *lh, const char **ns);

#endif /* __POLICY_INTERFACE_H */
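Review bot: PACKED_FLAG_HAT is a bit mask while the new PACKED_MODE_* constants are exclusive values of a separate field, and nothing in the header says so or that these numbers are the policy-file encoding shared with the userspace parser. A comment above the block like `/* policy-file encoding of the packed flags word (bit mask) and mode word (exclusive values); must match the userspace parser and the decoding in unpack_profile() */` would make that contract explicit. Because the values are an external format, they must not be renumbered later, and the comment should say that too.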
+4 −2
@@ -96,6 +96,7 @@ const char *const profile_mode_names[] = {
	"enforce",
	"complain",
	"kill",
	"unconfined",
};

/**
@@ -290,8 +291,9 @@ static struct aa_namespace *alloc_namespace(const char *prefix,
	if (!ns->unconfined)
		goto fail_unconfined;

	ns->unconfined->flags = PFLAG_UNCONFINED | PFLAG_IX_ON_NAME_ERROR |
	ns->unconfined->flags = PFLAG_IX_ON_NAME_ERROR |
		PFLAG_IMMUTABLE | PFLAG_NS_COUNT;
	ns->unconfined->mode = APPARMOR_UNCONFINED;

	/* ns and ns->unconfined share ns->unconfined refcount */
	ns->unconfined->ns = ns;
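Review bot: After the new `ns->unconfined->mode = APPARMOR_UNCONFINED;`, the namespace's own unconfined profile differs from a user-loaded unconfined profile only by PFLAG_IMMUTABLE | PFLAG_NS_COUNT, since both now satisfy unconfined(). Any caller outside this hunk that used unconfined() to mean "the namespace's special profile" (I cannot see those callers from here) will now also match loaded profiles and should test the flags instead. A comment on the mode assignment would record the split, e.g. `/* unconfined is a mode, not a flag: loaded profiles may be unconfined too; only ns->unconfined is immutable and ns-refcounted */`. alloc_namespace() starts and ends outside the hunk.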
+6 −2
@@ -511,12 +511,16 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
		goto fail;
	if (!unpack_u32(e, &tmp, NULL))
		goto fail;
	if (tmp)
	if (tmp & PACKED_FLAG_HAT)
		profile->flags |= PFLAG_HAT;
	if (!unpack_u32(e, &tmp, NULL))
		goto fail;
	if (tmp)
	if (tmp == PACKED_MODE_COMPLAIN)
		profile->mode = APPARMOR_COMPLAIN;
	else if (tmp == PACKED_MODE_KILL)
		profile->mode = APPARMOR_KILL;
	else if (tmp == PACKED_MODE_UNCONFINED)
		profile->mode = APPARMOR_UNCONFINED;
	if (!unpack_u32(e, &tmp, NULL))
		goto fail;
	if (tmp)
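Review bot: The new mode decoding silently accepts any value other than PACKED_MODE_COMPLAIN, PACKED_MODE_KILL and PACKED_MODE_UNCONFINED, leaving profile->mode at whatever unpack_profile() initialised it to (presumably enforce, not visible here), whereas the removed `if (tmp)` treated every non-zero value as complain. A policy produced by a parser with a mode value this kernel does not know would therefore load without error in a different mode than the author intended; an unknown mode should `goto fail` like the other malformed-input paths in this function. Writing the decode as a switch with an explicit `default: goto fail;` makes the accepted set visible and keeps PACKED_MODE_ENFORCE as an explicit no-op case. The same leniency applies to the flags word one line earlier, where `tmp & PACKED_FLAG_HAT` ignores unknown bits; whether to reject those is a format-compatibility decision worth a comment. unpack_profile() starts and ends outside the hunk.
```c
	if (!unpack_u32(e, &tmp, NULL))
		goto fail;
	switch (tmp) {
	case PACKED_MODE_ENFORCE:
		/* default mode; nothing to set */
		break;
	case PACKED_MODE_COMPLAIN:
		profile->mode = APPARMOR_COMPLAIN;
		break;
	case PACKED_MODE_KILL:
		profile->mode = APPARMOR_KILL;
		break;
	case PACKED_MODE_UNCONFINED:
		profile->mode = APPARMOR_UNCONFINED;
		break;
	default:
		/* unknown mode from a newer parser: refuse rather than guess */
		goto fail;
	}
	/* … unchanged: remaining unpack_u32 fields … */
```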