authorLinus Torvalds <torvalds@linux-foundation.org>2018-06-14 03:11:28 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2018-06-14 03:11:28 -0400
commit463f202172c31b9c36278001cabfbad4e12da42e (patch)
tree2e19e74001db3f5bc5012b90781435add1de4311 /security/apparmor/audit.c
parent050e9baa9dc9fbd9ce2b27f0056990fc9e0a08a0 (diff)
parent338d0be437ef10e247a35aed83dbab182cf406a2 (diff)
Merge tag 'apparmor-pr-2018-06-13' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
Pull AppArmor updates from John Johansen: "Features - add support for mapping secids and using secctxes - add the ability to get a task's secid - add support for audit rule filtering Cleanups: - multiple typo fixes - Convert to use match_string() helper - update git and wiki locations in AppArmor docs - improve get_buffers macro by using get_cpu_ptr - Use an IDR to allocate apparmor secids Bug fixes: - fix '*seclen' is never less than zero - fix mediation of prlimit - fix memory leak when deduping profile load - fix ptrace read check - fix memory leak of rule on error exit path" * tag 'apparmor-pr-2018-06-13' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (21 commits) apparmor: fix ptrace read check apparmor: fix memory leak when deduping profile load apparmor: fix mediation of prlimit apparmor: fixup secid map conversion to using IDR apparmor: Use an IDR to allocate apparmor secids apparmor: Fix memory leak of rule on error exit path apparmor: modify audit rule support to support profile stacks apparmor: Add support for audit rule filtering apparmor: update git and wiki locations in AppArmor docs apparmor: Convert to use match_string() helper apparmor: improve get_buffers macro by using get_cpu_ptr apparmor: fix '*seclen' is never less than zero apparmor: fix typo "preconfinement" apparmor: fix typo "independent" apparmor: fix typo "traverse" apparmor: fix typo "type" apparmor: fix typo "replace" apparmor: fix typo "comparison" apparmor: fix typo "loosen" apparmor: add the ability to get a task's secid ...
Diffstat (limited to 'security/apparmor/audit.c')
-rw-r--r--security/apparmor/audit.c90
1 files changed, 89 insertions, 1 deletions
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 8f9ecac7f8de..eeaddfe0c0fb 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -19,7 +19,7 @@
19#include "include/audit.h" 19#include "include/audit.h"
20#include "include/policy.h" 20#include "include/policy.h"
21#include "include/policy_ns.h" 21#include "include/policy_ns.h"
22 22#include "include/secid.h"
23 23
24const char *const audit_mode_names[] = { 24const char *const audit_mode_names[] = {
25 "normal", 25 "normal",
@@ -163,3 +163,91 @@ int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
163 163
164 return aad(sa)->error; 164 return aad(sa)->error;
165} 165}
166
167struct aa_audit_rule {
168 struct aa_label *label;
169};
170
171void aa_audit_rule_free(void *vrule)
172{
173 struct aa_audit_rule *rule = vrule;
174
175 if (rule) {
176 if (!IS_ERR(rule->label))
177 aa_put_label(rule->label);
178 kfree(rule);
179 }
180}
181
182int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
183{
184 struct aa_audit_rule *rule;
185
186 switch (field) {
187 case AUDIT_SUBJ_ROLE:
188 if (op != Audit_equal && op != Audit_not_equal)
189 return -EINVAL;
190 break;
191 default:
192 return -EINVAL;
193 }
194
195 rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL);
196
197 if (!rule)
198 return -ENOMEM;
199
200 /* Currently rules are treated as coming from the root ns */
201 rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
202 GFP_KERNEL, true, false);
203 if (IS_ERR(rule->label)) {
204 aa_audit_rule_free(rule);
205 return PTR_ERR(rule->label);
206 }
207
208 *vrule = rule;
209 return 0;
210}
211
212int aa_audit_rule_known(struct audit_krule *rule)
213{
214 int i;
215
216 for (i = 0; i < rule->field_count; i++) {
217 struct audit_field *f = &rule->fields[i];
218
219 switch (f->type) {
220 case AUDIT_SUBJ_ROLE:
221 return 1;
222 }
223 }
224
225 return 0;
226}
227
228int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
229 struct audit_context *actx)
230{
231 struct aa_audit_rule *rule = vrule;
232 struct aa_label *label;
233 int found = 0;
234
235 label = aa_secid_to_label(sid);
236
237 if (!label)
238 return -ENOENT;
239
240 if (aa_label_is_subset(label, rule->label))
241 found = 1;
242
243 switch (field) {
244 case AUDIT_SUBJ_ROLE:
245 switch (op) {
246 case Audit_equal:
247 return found;
248 case Audit_not_equal:
249 return !found;
250 }
251 }
252 return 0;
253}