aboutsummaryrefslogtreecommitdiffstats
path: root/security/apparmor
diff options
context:
space:
mode:
authorEric W. Biederman <ebiederm@xmission.com>2012-02-07 19:33:13 -0500
committerEric W. Biederman <ebiederm@xmission.com>2012-09-21 06:13:21 -0400
commit2db81452931eb51cc739d6e495cf1bd4860c3c99 (patch)
tree959805577a8e8c449fc4b3c576d2f0c840090fa4 /security/apparmor
parente4849737f76c8767e70dc1575f6e59fc3682b3fe (diff)
userns: Convert apparmor to use kuid and kgid where appropriate
Cc: John Johansen <john.johansen@canonical.com> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'security/apparmor')
-rw-r--r--security/apparmor/domain.c4
-rw-r--r--security/apparmor/file.c12
-rw-r--r--security/apparmor/include/audit.h2
-rw-r--r--security/apparmor/include/file.h4
4 files changed, 12 insertions, 10 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index b81ea10a17a3..60f0c76a27d3 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -721,7 +721,7 @@ audit:
721 if (!permtest) 721 if (!permtest)
722 error = aa_audit_file(profile, &perms, GFP_KERNEL, 722 error = aa_audit_file(profile, &perms, GFP_KERNEL,
723 OP_CHANGE_HAT, AA_MAY_CHANGEHAT, NULL, 723 OP_CHANGE_HAT, AA_MAY_CHANGEHAT, NULL,
724 target, 0, info, error); 724 target, GLOBAL_ROOT_UID, info, error);
725 725
726out: 726out:
727 aa_put_profile(hat); 727 aa_put_profile(hat);
@@ -848,7 +848,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
848audit: 848audit:
849 if (!permtest) 849 if (!permtest)
850 error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request, 850 error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request,
851 name, hname, 0, info, error); 851 name, hname, GLOBAL_ROOT_UID, info, error);
852 852
853 aa_put_namespace(ns); 853 aa_put_namespace(ns);
854 aa_put_profile(target); 854 aa_put_profile(target);
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index cf19d4093ca4..cd21ec5b90af 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -65,7 +65,7 @@ static void audit_file_mask(struct audit_buffer *ab, u32 mask)
65static void file_audit_cb(struct audit_buffer *ab, void *va) 65static void file_audit_cb(struct audit_buffer *ab, void *va)
66{ 66{
67 struct common_audit_data *sa = va; 67 struct common_audit_data *sa = va;
68 uid_t fsuid = current_fsuid(); 68 kuid_t fsuid = current_fsuid();
69 69
70 if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) { 70 if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) {
71 audit_log_format(ab, " requested_mask="); 71 audit_log_format(ab, " requested_mask=");
@@ -76,8 +76,10 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
76 audit_file_mask(ab, sa->aad->fs.denied); 76 audit_file_mask(ab, sa->aad->fs.denied);
77 } 77 }
78 if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) { 78 if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) {
79 audit_log_format(ab, " fsuid=%d", fsuid); 79 audit_log_format(ab, " fsuid=%d",
80 audit_log_format(ab, " ouid=%d", sa->aad->fs.ouid); 80 from_kuid(&init_user_ns, fsuid));
81 audit_log_format(ab, " ouid=%d",
82 from_kuid(&init_user_ns, sa->aad->fs.ouid));
81 } 83 }
82 84
83 if (sa->aad->fs.target) { 85 if (sa->aad->fs.target) {
@@ -103,7 +105,7 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
103 */ 105 */
104int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, 106int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
105 gfp_t gfp, int op, u32 request, const char *name, 107 gfp_t gfp, int op, u32 request, const char *name,
106 const char *target, uid_t ouid, const char *info, int error) 108 const char *target, kuid_t ouid, const char *info, int error)
107{ 109{
108 int type = AUDIT_APPARMOR_AUTO; 110 int type = AUDIT_APPARMOR_AUTO;
109 struct common_audit_data sa; 111 struct common_audit_data sa;
@@ -201,7 +203,7 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
201 */ 203 */
202 perms.kill = 0; 204 perms.kill = 0;
203 205
204 if (current_fsuid() == cond->uid) { 206 if (uid_eq(current_fsuid(), cond->uid)) {
205 perms.allow = map_old_perms(dfa_user_allow(dfa, state)); 207 perms.allow = map_old_perms(dfa_user_allow(dfa, state));
206 perms.audit = map_old_perms(dfa_user_audit(dfa, state)); 208 perms.audit = map_old_perms(dfa_user_audit(dfa, state));
207 perms.quiet = map_old_perms(dfa_user_quiet(dfa, state)); 209 perms.quiet = map_old_perms(dfa_user_quiet(dfa, state));
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 4b7e18951aea..69d8cae634e7 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -125,7 +125,7 @@ struct apparmor_audit_data {
125 const char *target; 125 const char *target;
126 u32 request; 126 u32 request;
127 u32 denied; 127 u32 denied;
128 uid_t ouid; 128 kuid_t ouid;
129 } fs; 129 } fs;
130 }; 130 };
131}; 131};
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
index f98fd4701d80..967b2deda376 100644
--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -71,7 +71,7 @@ struct path;
71 71
72/* need to make conditional which ones are being set */ 72/* need to make conditional which ones are being set */
73struct path_cond { 73struct path_cond {
74 uid_t uid; 74 kuid_t uid;
75 umode_t mode; 75 umode_t mode;
76}; 76};
77 77
@@ -146,7 +146,7 @@ static inline u16 dfa_map_xindex(u16 mask)
146 146
147int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, 147int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
148 gfp_t gfp, int op, u32 request, const char *name, 148 gfp_t gfp, int op, u32 request, const char *name,
149 const char *target, uid_t ouid, const char *info, int error); 149 const char *target, kuid_t ouid, const char *info, int error);
150 150
151/** 151/**
152 * struct aa_file_rules - components used for file rule permissions 152 * struct aa_file_rules - components used for file rule permissions