diff options
author | Eric W. Biederman <ebiederm@xmission.com> | 2012-02-07 19:33:13 -0500 |
---|---|---|
committer | Eric W. Biederman <ebiederm@xmission.com> | 2012-09-21 06:13:21 -0400 |
commit | 2db81452931eb51cc739d6e495cf1bd4860c3c99 (patch) | |
tree | 959805577a8e8c449fc4b3c576d2f0c840090fa4 /security/apparmor | |
parent | e4849737f76c8767e70dc1575f6e59fc3682b3fe (diff) |
userns: Convert apparmor to use kuid and kgid where appropriate
Cc: John Johansen <john.johansen@canonical.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'security/apparmor')
-rw-r--r-- | security/apparmor/domain.c | 4 | ||||
-rw-r--r-- | security/apparmor/file.c | 12 | ||||
-rw-r--r-- | security/apparmor/include/audit.h | 2 | ||||
-rw-r--r-- | security/apparmor/include/file.h | 4 |
4 files changed, 12 insertions, 10 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index b81ea10a17a3..60f0c76a27d3 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c | |||
@@ -721,7 +721,7 @@ audit: | |||
721 | if (!permtest) | 721 | if (!permtest) |
722 | error = aa_audit_file(profile, &perms, GFP_KERNEL, | 722 | error = aa_audit_file(profile, &perms, GFP_KERNEL, |
723 | OP_CHANGE_HAT, AA_MAY_CHANGEHAT, NULL, | 723 | OP_CHANGE_HAT, AA_MAY_CHANGEHAT, NULL, |
724 | target, 0, info, error); | 724 | target, GLOBAL_ROOT_UID, info, error); |
725 | 725 | ||
726 | out: | 726 | out: |
727 | aa_put_profile(hat); | 727 | aa_put_profile(hat); |
@@ -848,7 +848,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, | |||
848 | audit: | 848 | audit: |
849 | if (!permtest) | 849 | if (!permtest) |
850 | error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request, | 850 | error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request, |
851 | name, hname, 0, info, error); | 851 | name, hname, GLOBAL_ROOT_UID, info, error); |
852 | 852 | ||
853 | aa_put_namespace(ns); | 853 | aa_put_namespace(ns); |
854 | aa_put_profile(target); | 854 | aa_put_profile(target); |
diff --git a/security/apparmor/file.c b/security/apparmor/file.c index cf19d4093ca4..cd21ec5b90af 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c | |||
@@ -65,7 +65,7 @@ static void audit_file_mask(struct audit_buffer *ab, u32 mask) | |||
65 | static void file_audit_cb(struct audit_buffer *ab, void *va) | 65 | static void file_audit_cb(struct audit_buffer *ab, void *va) |
66 | { | 66 | { |
67 | struct common_audit_data *sa = va; | 67 | struct common_audit_data *sa = va; |
68 | uid_t fsuid = current_fsuid(); | 68 | kuid_t fsuid = current_fsuid(); |
69 | 69 | ||
70 | if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) { | 70 | if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) { |
71 | audit_log_format(ab, " requested_mask="); | 71 | audit_log_format(ab, " requested_mask="); |
@@ -76,8 +76,10 @@ static void file_audit_cb(struct audit_buffer *ab, void *va) | |||
76 | audit_file_mask(ab, sa->aad->fs.denied); | 76 | audit_file_mask(ab, sa->aad->fs.denied); |
77 | } | 77 | } |
78 | if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) { | 78 | if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) { |
79 | audit_log_format(ab, " fsuid=%d", fsuid); | 79 | audit_log_format(ab, " fsuid=%d", |
80 | audit_log_format(ab, " ouid=%d", sa->aad->fs.ouid); | 80 | from_kuid(&init_user_ns, fsuid)); |
81 | audit_log_format(ab, " ouid=%d", | ||
82 | from_kuid(&init_user_ns, sa->aad->fs.ouid)); | ||
81 | } | 83 | } |
82 | 84 | ||
83 | if (sa->aad->fs.target) { | 85 | if (sa->aad->fs.target) { |
@@ -103,7 +105,7 @@ static void file_audit_cb(struct audit_buffer *ab, void *va) | |||
103 | */ | 105 | */ |
104 | int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, | 106 | int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, |
105 | gfp_t gfp, int op, u32 request, const char *name, | 107 | gfp_t gfp, int op, u32 request, const char *name, |
106 | const char *target, uid_t ouid, const char *info, int error) | 108 | const char *target, kuid_t ouid, const char *info, int error) |
107 | { | 109 | { |
108 | int type = AUDIT_APPARMOR_AUTO; | 110 | int type = AUDIT_APPARMOR_AUTO; |
109 | struct common_audit_data sa; | 111 | struct common_audit_data sa; |
@@ -201,7 +203,7 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state, | |||
201 | */ | 203 | */ |
202 | perms.kill = 0; | 204 | perms.kill = 0; |
203 | 205 | ||
204 | if (current_fsuid() == cond->uid) { | 206 | if (uid_eq(current_fsuid(), cond->uid)) { |
205 | perms.allow = map_old_perms(dfa_user_allow(dfa, state)); | 207 | perms.allow = map_old_perms(dfa_user_allow(dfa, state)); |
206 | perms.audit = map_old_perms(dfa_user_audit(dfa, state)); | 208 | perms.audit = map_old_perms(dfa_user_audit(dfa, state)); |
207 | perms.quiet = map_old_perms(dfa_user_quiet(dfa, state)); | 209 | perms.quiet = map_old_perms(dfa_user_quiet(dfa, state)); |
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index 4b7e18951aea..69d8cae634e7 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h | |||
@@ -125,7 +125,7 @@ struct apparmor_audit_data { | |||
125 | const char *target; | 125 | const char *target; |
126 | u32 request; | 126 | u32 request; |
127 | u32 denied; | 127 | u32 denied; |
128 | uid_t ouid; | 128 | kuid_t ouid; |
129 | } fs; | 129 | } fs; |
130 | }; | 130 | }; |
131 | }; | 131 | }; |
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h index f98fd4701d80..967b2deda376 100644 --- a/security/apparmor/include/file.h +++ b/security/apparmor/include/file.h | |||
@@ -71,7 +71,7 @@ struct path; | |||
71 | 71 | ||
72 | /* need to make conditional which ones are being set */ | 72 | /* need to make conditional which ones are being set */ |
73 | struct path_cond { | 73 | struct path_cond { |
74 | uid_t uid; | 74 | kuid_t uid; |
75 | umode_t mode; | 75 | umode_t mode; |
76 | }; | 76 | }; |
77 | 77 | ||
@@ -146,7 +146,7 @@ static inline u16 dfa_map_xindex(u16 mask) | |||
146 | 146 | ||
147 | int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, | 147 | int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, |
148 | gfp_t gfp, int op, u32 request, const char *name, | 148 | gfp_t gfp, int op, u32 request, const char *name, |
149 | const char *target, uid_t ouid, const char *info, int error); | 149 | const char *target, kuid_t ouid, const char *info, int error); |
150 | 150 | ||
151 | /** | 151 | /** |
152 | * struct aa_file_rules - components used for file rule permissions | 152 | * struct aa_file_rules - components used for file rule permissions |