diff options
| author | John Johansen <john.johansen@canonical.com> | 2013-02-27 06:44:40 -0500 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2013-04-28 03:39:36 -0400 |
| commit | 3eea57c26e49a5add4c053a031cc2a1977b7c48e (patch) | |
| tree | e55284fa1568c745daf04295dc0285373fe42a7b | |
| parent | 214beacaa7b669473bc963af719fa359a8312ea4 (diff) | |
apparmor: fix setprocattr arg processing for onexec
the exec file isn't processing its command arg. It should only set be
responding to a command of exec.
Also cleanup setprocattr some more while we are at it.
Signed-off-by: John Johansen <john.johansen@canonical.com>
| -rw-r--r-- | security/apparmor/lsm.c | 37 |
1 files changed, 21 insertions, 16 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 2027fdf2060b..2e2a0dd4a73f 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c | |||
| @@ -529,6 +529,8 @@ static int apparmor_getprocattr(struct task_struct *task, char *name, | |||
| 529 | static int apparmor_setprocattr(struct task_struct *task, char *name, | 529 | static int apparmor_setprocattr(struct task_struct *task, char *name, |
| 530 | void *value, size_t size) | 530 | void *value, size_t size) |
| 531 | { | 531 | { |
| 532 | struct common_audit_data sa; | ||
| 533 | struct apparmor_audit_data aad = {0,}; | ||
| 532 | char *command, *args = value; | 534 | char *command, *args = value; |
| 533 | size_t arg_size; | 535 | size_t arg_size; |
| 534 | int error; | 536 | int error; |
| @@ -572,28 +574,31 @@ static int apparmor_setprocattr(struct task_struct *task, char *name, | |||
| 572 | } else if (strcmp(command, "permprofile") == 0) { | 574 | } else if (strcmp(command, "permprofile") == 0) { |
| 573 | error = aa_setprocattr_changeprofile(args, !AA_ONEXEC, | 575 | error = aa_setprocattr_changeprofile(args, !AA_ONEXEC, |
| 574 | AA_DO_TEST); | 576 | AA_DO_TEST); |
| 575 | } else { | 577 | } else |
| 576 | struct common_audit_data sa; | 578 | goto fail; |
| 577 | struct apparmor_audit_data aad = {0,}; | ||
| 578 | sa.type = LSM_AUDIT_DATA_NONE; | ||
| 579 | sa.aad = &aad; | ||
| 580 | aad.op = OP_SETPROCATTR; | ||
| 581 | aad.info = name; | ||
| 582 | aad.error = -EINVAL; | ||
| 583 | return aa_audit(AUDIT_APPARMOR_DENIED, | ||
| 584 | __aa_current_profile(), GFP_KERNEL, | ||
| 585 | &sa, NULL); | ||
| 586 | } | ||
| 587 | } else if (strcmp(name, "exec") == 0) { | 579 | } else if (strcmp(name, "exec") == 0) { |
| 588 | error = aa_setprocattr_changeprofile(args, AA_ONEXEC, | 580 | if (strcmp(command, "exec") == 0) |
| 589 | !AA_DO_TEST); | 581 | error = aa_setprocattr_changeprofile(args, AA_ONEXEC, |
| 590 | } else { | 582 | !AA_DO_TEST); |
| 583 | else | ||
| 584 | goto fail; | ||
| 585 | } else | ||
| 591 | /* only support the "current" and "exec" process attributes */ | 586 | /* only support the "current" and "exec" process attributes */ |
| 592 | return -EINVAL; | 587 | return -EINVAL; |
| 593 | } | 588 | |
| 594 | if (!error) | 589 | if (!error) |
| 595 | error = size; | 590 | error = size; |
| 596 | return error; | 591 | return error; |
| 592 | |||
| 593 | fail: | ||
| 594 | sa.type = LSM_AUDIT_DATA_NONE; | ||
| 595 | sa.aad = &aad; | ||
| 596 | aad.profile = aa_current_profile(); | ||
| 597 | aad.op = OP_SETPROCATTR; | ||
| 598 | aad.info = name; | ||
| 599 | aad.error = -EINVAL; | ||
| 600 | aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL); | ||
| 601 | return -EINVAL; | ||
| 597 | } | 602 | } |
| 598 | 603 | ||
| 599 | static int apparmor_task_setrlimit(struct task_struct *task, | 604 | static int apparmor_task_setrlimit(struct task_struct *task, |