Revert "apparmor: add base infastructure for socket mediation" (80c094a4) · Commits · e / devices / android_kernel_xiaomi_nabu

security/apparmor/.gitignore

+0 −1

Original line number	Diff line number	Diff line
		#
		# Generated include files
		#
		net_names.h
		capability_names.h
		rlim_names.h

security/apparmor/Makefile

+2 −41

Original line number	Diff line number	Diff line
		@@ -4,44 +4,11 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o

		apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
		path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
		resource.o secid.o file.o policy_ns.o label.o mount.o net.o
		resource.o secid.o file.o policy_ns.o label.o mount.o
		apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o

		clean-files := capability_names.h rlim_names.h net_names.h
		clean-files := capability_names.h rlim_names.h

		# Build a lower case string table of address family names
		# Transform lines from
		# #define AF_LOCAL 1 /* POSIX name for AF_UNIX */
		# #define AF_INET 2 /* Internet IP Protocol */
		# to
		# [1] = "local",
		# [2] = "inet",
		#
		# and build the securityfs entries for the mapping.
		# Transforms lines from
		# #define AF_INET 2 /* Internet IP Protocol */
		# to
		# #define AA_SFS_AF_MASK "local inet"
		quiet_cmd_make-af = GEN $@
		cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
		sed $< >>$@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \
		's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
		echo "};" >> $@ ;\
		printf '%s' '\#define AA_SFS_AF_MASK "' >> $@ ;\
		sed -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \
		's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/\L\1/p'\
		$< \| tr '\n' ' ' \| sed -e 's/ $$/"\n/' >> $@

		# Build a lower case string table of sock type names
		# Transform lines from
		# SOCK_STREAM = 1,
		# to
		# [1] = "stream",
		quiet_cmd_make-sock = GEN $@
		cmd_make-sock = echo "static const char *sock_type_names[] = {" >> $@ ;\
		sed $^ >>$@ -r -n \
		-e 's/^\tSOCK_([A-Z0-9_]+)[\t]+=[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
		echo "};" >> $@

		# Build a lower case string table of capability names
		# Transforms lines from
		@@ -94,7 +61,6 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
		tr '\n' ' ' \| sed -e 's/ $$/"\n/' >> $@

		$(obj)/capability.o : $(obj)/capability_names.h
		$(obj)/net.o : $(obj)/net_names.h
		$(obj)/resource.o : $(obj)/rlim_names.h
		$(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
		$(src)/Makefile
		@@ -102,8 +68,3 @@ $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
		$(obj)/rlim_names.h : $(srctree)/include/uapi/asm-generic/resource.h \
		$(src)/Makefile
		$(call cmd,make-rlim)
		$(obj)/net_names.h : $(srctree)/include/linux/socket.h \
		$(srctree)/include/linux/net.h \
		$(src)/Makefile
		$(call cmd,make-af)
		$(call cmd,make-sock)

security/apparmor/apparmorfs.c

+0 −1

Original line number	Diff line number	Diff line
		@@ -2202,7 +2202,6 @@ static struct aa_sfs_entry aa_sfs_entry_features[] = {
		AA_SFS_DIR("policy", aa_sfs_entry_policy),
		AA_SFS_DIR("domain", aa_sfs_entry_domain),
		AA_SFS_DIR("file", aa_sfs_entry_file),
		AA_SFS_DIR("network", aa_sfs_entry_network),
		AA_SFS_DIR("mount", aa_sfs_entry_mount),
		AA_SFS_DIR("namespaces", aa_sfs_entry_ns),
		AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),

security/apparmor/file.c

+0 −30

Original line number	Diff line number	Diff line
		@@ -21,7 +21,6 @@
		#include "include/context.h"
		#include "include/file.h"
		#include "include/match.h"
		#include "include/net.h"
		#include "include/path.h"
		#include "include/policy.h"
		#include "include/label.h"
		@@ -567,32 +566,6 @@ static int __file_path_perm(const char op, struct aa_label label,
		return error;
		}

		static int __file_sock_perm(const char op, struct aa_label label,
		struct aa_label flabel, struct file file,
		u32 request, u32 denied)
		{
		struct socket sock = (struct socket ) file->private_data;
		int error;

		AA_BUG(!sock);

		/* revalidation due to label out of date. No revocation at this time */
		if (!denied && aa_label_is_subset(flabel, label))
		return 0;

		/* TODO: improve to skip profiles cached in flabel */
		error = aa_sock_file_perm(label, op, request, sock);
		if (denied) {
		/* TODO: improve to skip profiles checked above */
		/* check every profile in file label to is cached */
		last_error(error, aa_sock_file_perm(flabel, op, request, sock));
		}
		if (!error)
		update_file_ctx(file_ctx(file), label, request);

		return error;
		}

		/**
		* aa_file_perm - do permission revalidation check & audit for @file
		* @op: operation being checked
		@@ -637,9 +610,6 @@ int aa_file_perm(const char op, struct aa_label label, struct file *file,
		error = __file_path_perm(op, label, flabel, file, request,
		denied);

		else if (S_ISSOCK(file_inode(file)->i_mode))
		error = __file_sock_perm(op, label, flabel, file, request,
		denied);
		done:
		rcu_read_unlock();

security/apparmor/include/audit.h

+9 −17

Original line number	Diff line number	Diff line
		@@ -121,29 +121,21 @@ struct apparmor_audit_data {
		/* these entries require a custom callback fn */
		struct {
		struct aa_label *peer;
		union {
		struct {
		kuid_t ouid;
		const char *target;
		kuid_t ouid;
		} fs;
		struct {
		int type, protocol;
		struct sock *peer_sk;
		void *addr;
		int addrlen;
		} net;
		int signal;
		struct {
		int rlim;
		unsigned long max;
		} rlim;
		};
		};
		struct {
		struct aa_profile *profile;
		const char *ns;
		long pos;
		} iface;
		int signal;
		struct {
		int rlim;
		unsigned long max;
		} rlim;
		struct {
		const char *src_name;
		const char *type;