| author | John Johansen <john.johansen@canonical.com> | 2017-01-16 03:43:07 -0500 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2017-01-16 04:18:50 -0500 |
| commit | 31f75bfecd9cef7d485b1cda3c6c38cc0b4a5c6c (patch) | |
| tree | 0758d1473b978e95a90655ebdba9c7e25147b68c /security/apparmor | |
| parent | aa9a39ad8f60cc73e1bd2f18f0693bba6be8b067 (diff) | |
apparmor: make computing policy hashes conditional on kernel parameter
Allow turning off the computation of the policy hashes via the
apparmor.hash_policy kernel parameter.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor')
| -rw-r--r-- | security/apparmor/lsm.c | 46 | ||||
| -rw-r--r-- | security/apparmor/policy_unpack.c | 15 |
2 files changed, 32 insertions, 29 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 264aa192032e..6a5cf54cfa72 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c | |||
| @@ -166,42 +166,42 @@ static int common_perm(const char *op, const struct path *path, u32 mask, | |||
| 166 | } | 166 | } |
| 167 | 167 | ||
| 168 | /** | 168 | /** |
| 169 | * common_perm_dir_dentry - common permission wrapper when path is dir, dentry | 169 | * common_perm_cond - common permission wrapper around inode cond |
| 170 | * @op: operation being checked | 170 | * @op: operation being checked |
| 171 | * @dir: directory of the dentry (NOT NULL) | 171 | * @path: location to check (NOT NULL) |
| 172 | * @dentry: dentry to check (NOT NULL) | ||
| 173 | * @mask: requested permissions mask | 172 | * @mask: requested permissions mask |
| 174 | * @cond: conditional info for the permission request (NOT NULL) | ||
| 175 | * | 173 | * |
| 176 | * Returns: %0 else error code if error or permission denied | 174 | * Returns: %0 else error code if error or permission denied |
| 177 | */ | 175 | */ |
| 178 | static int common_perm_dir_dentry(const char *op, const struct path *dir, | 176 | static int common_perm_cond(const char *op, const struct path *path, u32 mask) |
| 179 | struct dentry *dentry, u32 mask, | ||
| 180 | struct path_cond *cond) | ||
| 181 | { | 177 | { |
| 182 | struct path path = { .mnt = dir->mnt, .dentry = dentry }; | 178 | struct path_cond cond = { d_backing_inode(path->dentry)->i_uid, |
| 179 | d_backing_inode(path->dentry)->i_mode | ||
| 180 | }; | ||
| 183 | 181 | ||
| 184 | return common_perm(op, &path, mask, cond); | 182 | if (!path_mediated_fs(path->dentry)) |
| 183 | return 0; | ||
| 184 | |||
| 185 | return common_perm(op, path, mask, &cond); | ||
| 185 | } | 186 | } |
| 186 | 187 | ||
| 187 | /** | 188 | /** |
| 188 | * common_perm_path - common permission wrapper when mnt, dentry | 189 | * common_perm_dir_dentry - common permission wrapper when path is dir, dentry |
| 189 | * @op: operation being checked | 190 | * @op: operation being checked |
| 190 | * @path: location to check (NOT NULL) | 191 | * @dir: directory of the dentry (NOT NULL) |
| 192 | * @dentry: dentry to check (NOT NULL) | ||
| 191 | * @mask: requested permissions mask | 193 | * @mask: requested permissions mask |
| 194 | * @cond: conditional info for the permission request (NOT NULL) | ||
| 192 | * | 195 | * |
| 193 | * Returns: %0 else error code if error or permission denied | 196 | * Returns: %0 else error code if error or permission denied |
| 194 | */ | 197 | */ |
| 195 | static inline int common_perm_path(const char *op, const struct path *path, | 198 | static int common_perm_dir_dentry(const char *op, const struct path *dir, |
| 196 | u32 mask) | 199 | struct dentry *dentry, u32 mask, |
| 200 | struct path_cond *cond) | ||
| 197 | { | 201 | { |
| 198 | struct path_cond cond = { d_backing_inode(path->dentry)->i_uid, | 202 | struct path path = { .mnt = dir->mnt, .dentry = dentry }; |
| 199 | d_backing_inode(path->dentry)->i_mode | ||
| 200 | }; | ||
| 201 | if (!path_mediated_fs(path->dentry)) | ||
| 202 | return 0; | ||
| 203 | 203 | ||
| 204 | return common_perm(op, path, mask, &cond); | 204 | return common_perm(op, &path, mask, cond); |
| 205 | } | 205 | } |
| 206 | 206 | ||
| 207 | /** | 207 | /** |
| @@ -274,7 +274,7 @@ static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, | |||
| 274 | 274 | ||
| 275 | static int apparmor_path_truncate(const struct path *path) | 275 | static int apparmor_path_truncate(const struct path *path) |
| 276 | { | 276 | { |
| 277 | return common_perm_path(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE); | 277 | return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE); |
| 278 | } | 278 | } |
| 279 | 279 | ||
| 280 | static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, | 280 | static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, |
| @@ -333,17 +333,17 @@ static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_d | |||
| 333 | 333 | ||
| 334 | static int apparmor_path_chmod(const struct path *path, umode_t mode) | 334 | static int apparmor_path_chmod(const struct path *path, umode_t mode) |
| 335 | { | 335 | { |
| 336 | return common_perm_path(OP_CHMOD, path, AA_MAY_CHMOD); | 336 | return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD); |
| 337 | } | 337 | } |
| 338 | 338 | ||
| 339 | static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid) | 339 | static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid) |
| 340 | { | 340 | { |
| 341 | return common_perm_path(OP_CHOWN, path, AA_MAY_CHOWN); | 341 | return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN); |
| 342 | } | 342 | } |
| 343 | 343 | ||
| 344 | static int apparmor_inode_getattr(const struct path *path) | 344 | static int apparmor_inode_getattr(const struct path *path) |
| 345 | { | 345 | { |
| 346 | return common_perm_path(OP_GETATTR, path, AA_MAY_META_READ); | 346 | return common_perm_cond(OP_GETATTR, path, AA_MAY_META_READ); |
| 347 | } | 347 | } |
| 348 | 348 | ||
| 349 | static int apparmor_file_open(struct file *file, const struct cred *cred) | 349 | static int apparmor_file_open(struct file *file, const struct cred *cred) |
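Review bot: The common_perm_cond rename and reordering in the first hunk is unrelated to the apparmor.hash_policy parameter named in the subject line; it drops the `inline`, swaps the two wrappers' positions and renames every caller in the other two hunks, which would bisect more cleanly as its own cleanup patch. Nothing in the visible lsm.c diff defines `aa_g_hash_policy` or registers a `hash_policy` module parameter, so I assume both already exist from an earlier commit — worth confirming, since policy_unpack.c now depends on that symbol. The new kernel-doc could state what the wrapper actually does, e.g. `* Builds the path_cond (uid, mode) from the dentry's backing inode and returns 0 without mediation when the filesystem is not path-mediated`. The three callers changed in the remaining hunks differ only by the rename.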
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index 441efc965f2b..59c891ad1270 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c | |||
| @@ -825,7 +825,8 @@ int aa_unpack(struct aa_loaddata *udata, struct list_head *lh, | |||
| 825 | if (error) | 825 | if (error) |
| 826 | goto fail_profile; | 826 | goto fail_profile; |
| 827 | 827 | ||
| 828 | error = aa_calc_profile_hash(profile, e.version, start, | 828 | if (aa_g_hash_policy) |
| 829 | error = aa_calc_profile_hash(profile, e.version, start, | ||
| 829 | e.pos - start); | 830 | e.pos - start); |
| 830 | if (error) | 831 | if (error) |
| 831 | goto fail_profile; | 832 | goto fail_profile; |
| @@ -841,11 +842,13 @@ int aa_unpack(struct aa_loaddata *udata, struct list_head *lh, | |||
| 841 | list_add_tail(&ent->list, lh); | 842 | list_add_tail(&ent->list, lh); |
| 842 | } | 843 | } |
| 843 | udata->abi = e.version & K_ABI_MASK; | 844 | udata->abi = e.version & K_ABI_MASK; |
| 844 | udata->hash = aa_calc_hash(udata->data, udata->size); | 845 | if (aa_g_hash_policy) { |
| 845 | if (IS_ERR(udata->hash)) { | 846 | udata->hash = aa_calc_hash(udata->data, udata->size); |
| 846 | error = PTR_ERR(udata->hash); | 847 | if (IS_ERR(udata->hash)) { |
| 847 | udata->hash = NULL; | 848 | error = PTR_ERR(udata->hash); |
| 848 | goto fail; | 849 | udata->hash = NULL; |
| 850 | goto fail; | ||
| 851 | } | ||
| 849 | } | 852 | } |
| 850 | return 0; | 853 | return 0; |
| 851 | 854 | ||
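Review bot: With aa_g_hash_policy off, the second hunk leaves `udata->hash` untouched and the first hunk never computes the profile hash, so every reader of those fields must now cope with a missing hash; the allocation of udata is outside these hunks, and I assume it is zeroed so the field reads as NULL, which should be confirmed. A comment at the new branch would make that contract explicit, e.g. `/* hash_policy=0: udata->hash stays NULL; readers must treat a missing hash as "not computed" */`. In the first hunk the `if (error)` following the now-conditional call relies on `error` still being 0 from the check a few lines earlier, which holds today but is easy to break if code is inserted between them. aa_unpack begins and ends outside both hunks.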
