diff options
| author | John Johansen <john.johansen@canonical.com> | 2010-07-29 17:48:05 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2010-08-02 01:38:35 -0400 |
| commit | 0ed3b28ab8bf460a3a026f3f1782bf4c53840184 (patch) | |
| tree | 9da3a2c6d9f55d3166726fe7c51671a6029c1269 /security/apparmor/ipc.c | |
| parent | b5e95b48685e3481139a5634d14d630d12c7d5ce (diff) | |
AppArmor: mediation of non file objects
ipc:
AppArmor ipc is currently limited to mediation done by file mediation
and basic ptrace tests. Improved mediation is a wip.
rlimits:
AppArmor provides basic abilities to set and control rlimits at
a per profile level. Only resources specified in a profile are controled
or set. AppArmor rules set the hard limit to a value <= to the current
hard limit (ie. they can not currently raise hard limits), and if
necessary will lower the soft limit to the new hard limit value.
AppArmor does not track resource limits to reset them when a profile
is left so that children processes inherit the limits set by the
parent even if they are not confined by the same profile.
Capabilities: AppArmor provides a per profile mask of capabilities,
that will further restrict.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/apparmor/ipc.c')
| -rw-r--r-- | security/apparmor/ipc.c | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c new file mode 100644 index 000000000000..9013a78a1663 --- /dev/null +++ b/security/apparmor/ipc.c | |||
| @@ -0,0 +1,114 @@ | |||
| 1 | /* | ||
| 2 | * AppArmor security module | ||
| 3 | * | ||
| 4 | * This file contains AppArmor ipc mediation | ||
| 5 | * | ||
| 6 | * Copyright (C) 1998-2008 Novell/SUSE | ||
| 7 | * Copyright 2009-2010 Canonical Ltd. | ||
| 8 | * | ||
| 9 | * This program is free software; you can redistribute it and/or | ||
| 10 | * modify it under the terms of the GNU General Public License as | ||
| 11 | * published by the Free Software Foundation, version 2 of the | ||
| 12 | * License. | ||
| 13 | */ | ||
| 14 | |||
| 15 | #include <linux/gfp.h> | ||
| 16 | #include <linux/ptrace.h> | ||
| 17 | |||
| 18 | #include "include/audit.h" | ||
| 19 | #include "include/capability.h" | ||
| 20 | #include "include/context.h" | ||
| 21 | #include "include/policy.h" | ||
| 22 | |||
| 23 | /* call back to audit ptrace fields */ | ||
| 24 | static void audit_cb(struct audit_buffer *ab, void *va) | ||
| 25 | { | ||
| 26 | struct common_audit_data *sa = va; | ||
| 27 | audit_log_format(ab, " target="); | ||
| 28 | audit_log_untrustedstring(ab, sa->aad.target); | ||
| 29 | } | ||
| 30 | |||
| 31 | /** | ||
| 32 | * aa_audit_ptrace - do auditing for ptrace | ||
| 33 | * @profile: profile being enforced (NOT NULL) | ||
| 34 | * @target: profile being traced (NOT NULL) | ||
| 35 | * @error: error condition | ||
| 36 | * | ||
| 37 | * Returns: %0 or error code | ||
| 38 | */ | ||
| 39 | static int aa_audit_ptrace(struct aa_profile *profile, | ||
| 40 | struct aa_profile *target, int error) | ||
| 41 | { | ||
| 42 | struct common_audit_data sa; | ||
| 43 | COMMON_AUDIT_DATA_INIT(&sa, NONE); | ||
| 44 | sa.aad.op = OP_PTRACE; | ||
| 45 | sa.aad.target = target; | ||
| 46 | sa.aad.error = error; | ||
| 47 | |||
| 48 | return aa_audit(AUDIT_APPARMOR_AUTO, profile, GFP_ATOMIC, &sa, | ||
| 49 | audit_cb); | ||
| 50 | } | ||
| 51 | |||
| 52 | /** | ||
| 53 | * aa_may_ptrace - test if tracer task can trace the tracee | ||
| 54 | * @tracer_task: task who will do the tracing (NOT NULL) | ||
| 55 | * @tracer: profile of the task doing the tracing (NOT NULL) | ||
| 56 | * @tracee: task to be traced | ||
| 57 | * @mode: whether PTRACE_MODE_READ || PTRACE_MODE_ATTACH | ||
| 58 | * | ||
| 59 | * Returns: %0 else error code if permission denied or error | ||
| 60 | */ | ||
| 61 | int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer, | ||
| 62 | struct aa_profile *tracee, unsigned int mode) | ||
| 63 | { | ||
| 64 | /* TODO: currently only based on capability, not extended ptrace | ||
| 65 | * rules, | ||
| 66 | * Test mode for PTRACE_MODE_READ || PTRACE_MODE_ATTACH | ||
| 67 | */ | ||
| 68 | |||
| 69 | if (unconfined(tracer) || tracer == tracee) | ||
| 70 | return 0; | ||
| 71 | /* log this capability request */ | ||
| 72 | return aa_capable(tracer_task, tracer, CAP_SYS_PTRACE, 1); | ||
| 73 | } | ||
| 74 | |||
| 75 | /** | ||
| 76 | * aa_ptrace - do ptrace permission check and auditing | ||
| 77 | * @tracer: task doing the tracing (NOT NULL) | ||
| 78 | * @tracee: task being traced (NOT NULL) | ||
| 79 | * @mode: ptrace mode either PTRACE_MODE_READ || PTRACE_MODE_ATTACH | ||
| 80 | * | ||
| 81 | * Returns: %0 else error code if permission denied or error | ||
| 82 | */ | ||
| 83 | int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee, | ||
| 84 | unsigned int mode) | ||
| 85 | { | ||
| 86 | /* | ||
| 87 | * tracer can ptrace tracee when | ||
| 88 | * - tracer is unconfined || | ||
| 89 | * - tracer is in complain mode | ||
| 90 | * - tracer has rules allowing it to trace tracee currently this is: | ||
| 91 | * - confined by the same profile || | ||
| 92 | * - tracer profile has CAP_SYS_PTRACE | ||
| 93 | */ | ||
| 94 | |||
| 95 | struct aa_profile *tracer_p; | ||
| 96 | /* cred released below */ | ||
| 97 | const struct cred *cred = get_task_cred(tracer); | ||
| 98 | int error = 0; | ||
| 99 | tracer_p = aa_cred_profile(cred); | ||
| 100 | |||
| 101 | if (!unconfined(tracer_p)) { | ||
| 102 | /* lcred released below */ | ||
| 103 | struct cred *lcred = get_task_cred(tracee); | ||
| 104 | struct aa_profile *tracee_p = aa_cred_profile(lcred); | ||
| 105 | |||
| 106 | error = aa_may_ptrace(tracer, tracer_p, tracee_p, mode); | ||
| 107 | error = aa_audit_ptrace(tracer_p, tracee_p, error); | ||
| 108 | |||
| 109 | put_cred(lcred); | ||
| 110 | } | ||
| 111 | put_cred(cred); | ||
| 112 | |||
| 113 | return error; | ||
| 114 | } | ||