diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-10-09 03:02:35 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-10-09 03:02:35 -0400 |
| commit | 1236d6bb6e19fc72ffc6bbcdeb1bfefe450e54ee (patch) | |
| tree | 47da3feee8e263e8c9352c85cf518e624be3c211 /security/apparmor/file.c | |
| parent | 750b1a6894ecc9b178c6e3d0a1170122971b2036 (diff) | |
| parent | 8a5776a5f49812d29fe4b2d0a2d71675c3facf3f (diff) | |
Merge 4.14-rc4 into staging-next
We want the staging/iio fixes in here as well to handle merge issues.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'security/apparmor/file.c')
| -rw-r--r-- | security/apparmor/file.c | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/security/apparmor/file.c b/security/apparmor/file.c index 3382518b87fa..db80221891c6 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c | |||
| @@ -21,6 +21,7 @@ | |||
| 21 | #include "include/context.h" | 21 | #include "include/context.h" |
| 22 | #include "include/file.h" | 22 | #include "include/file.h" |
| 23 | #include "include/match.h" | 23 | #include "include/match.h" |
| 24 | #include "include/net.h" | ||
| 24 | #include "include/path.h" | 25 | #include "include/path.h" |
| 25 | #include "include/policy.h" | 26 | #include "include/policy.h" |
| 26 | #include "include/label.h" | 27 | #include "include/label.h" |
| @@ -566,6 +567,32 @@ static int __file_path_perm(const char *op, struct aa_label *label, | |||
| 566 | return error; | 567 | return error; |
| 567 | } | 568 | } |
| 568 | 569 | ||
| 570 | static int __file_sock_perm(const char *op, struct aa_label *label, | ||
| 571 | struct aa_label *flabel, struct file *file, | ||
| 572 | u32 request, u32 denied) | ||
| 573 | { | ||
| 574 | struct socket *sock = (struct socket *) file->private_data; | ||
| 575 | int error; | ||
| 576 | |||
| 577 | AA_BUG(!sock); | ||
| 578 | |||
| 579 | /* revalidation due to label out of date. No revocation at this time */ | ||
| 580 | if (!denied && aa_label_is_subset(flabel, label)) | ||
| 581 | return 0; | ||
| 582 | |||
| 583 | /* TODO: improve to skip profiles cached in flabel */ | ||
| 584 | error = aa_sock_file_perm(label, op, request, sock); | ||
| 585 | if (denied) { | ||
| 586 | /* TODO: improve to skip profiles checked above */ | ||
| 587 | /* check every profile in file label to is cached */ | ||
| 588 | last_error(error, aa_sock_file_perm(flabel, op, request, sock)); | ||
| 589 | } | ||
| 590 | if (!error) | ||
| 591 | update_file_ctx(file_ctx(file), label, request); | ||
| 592 | |||
| 593 | return error; | ||
| 594 | } | ||
| 595 | |||
| 569 | /** | 596 | /** |
| 570 | * aa_file_perm - do permission revalidation check & audit for @file | 597 | * aa_file_perm - do permission revalidation check & audit for @file |
| 571 | * @op: operation being checked | 598 | * @op: operation being checked |
| @@ -610,6 +637,9 @@ int aa_file_perm(const char *op, struct aa_label *label, struct file *file, | |||
| 610 | error = __file_path_perm(op, label, flabel, file, request, | 637 | error = __file_path_perm(op, label, flabel, file, request, |
| 611 | denied); | 638 | denied); |
| 612 | 639 | ||
| 640 | else if (S_ISSOCK(file_inode(file)->i_mode)) | ||
| 641 | error = __file_sock_perm(op, label, flabel, file, request, | ||
| 642 | denied); | ||
| 613 | done: | 643 | done: |
| 614 | rcu_read_unlock(); | 644 | rcu_read_unlock(); |
| 615 | 645 | ||