diff options
| -rw-r--r-- | init/Kconfig | 1 | ||||
| -rw-r--r-- | security/apparmor/domain.c | 4 | ||||
| -rw-r--r-- | security/apparmor/file.c | 12 | ||||
| -rw-r--r-- | security/apparmor/include/audit.h | 2 | ||||
| -rw-r--r-- | security/apparmor/include/file.h | 4 |
5 files changed, 12 insertions, 11 deletions
diff --git a/init/Kconfig b/init/Kconfig index f31599739f7f..637faf8626cc 100644 --- a/init/Kconfig +++ b/init/Kconfig | |||
| @@ -964,7 +964,6 @@ config UIDGID_CONVERTED | |||
| 964 | 964 | ||
| 965 | # Security modules | 965 | # Security modules |
| 966 | depends on SECURITY_TOMOYO = n | 966 | depends on SECURITY_TOMOYO = n |
| 967 | depends on SECURITY_APPARMOR = n | ||
| 968 | 967 | ||
| 969 | config UIDGID_STRICT_TYPE_CHECKS | 968 | config UIDGID_STRICT_TYPE_CHECKS |
| 970 | bool "Require conversions between uid/gids and their internal representation" | 969 | bool "Require conversions between uid/gids and their internal representation" |
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index b81ea10a17a3..60f0c76a27d3 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c | |||
| @@ -721,7 +721,7 @@ audit: | |||
| 721 | if (!permtest) | 721 | if (!permtest) |
| 722 | error = aa_audit_file(profile, &perms, GFP_KERNEL, | 722 | error = aa_audit_file(profile, &perms, GFP_KERNEL, |
| 723 | OP_CHANGE_HAT, AA_MAY_CHANGEHAT, NULL, | 723 | OP_CHANGE_HAT, AA_MAY_CHANGEHAT, NULL, |
| 724 | target, 0, info, error); | 724 | target, GLOBAL_ROOT_UID, info, error); |
| 725 | 725 | ||
| 726 | out: | 726 | out: |
| 727 | aa_put_profile(hat); | 727 | aa_put_profile(hat); |
| @@ -848,7 +848,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, | |||
| 848 | audit: | 848 | audit: |
| 849 | if (!permtest) | 849 | if (!permtest) |
| 850 | error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request, | 850 | error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request, |
| 851 | name, hname, 0, info, error); | 851 | name, hname, GLOBAL_ROOT_UID, info, error); |
| 852 | 852 | ||
| 853 | aa_put_namespace(ns); | 853 | aa_put_namespace(ns); |
| 854 | aa_put_profile(target); | 854 | aa_put_profile(target); |
diff --git a/security/apparmor/file.c b/security/apparmor/file.c index cf19d4093ca4..cd21ec5b90af 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c | |||
| @@ -65,7 +65,7 @@ static void audit_file_mask(struct audit_buffer *ab, u32 mask) | |||
| 65 | static void file_audit_cb(struct audit_buffer *ab, void *va) | 65 | static void file_audit_cb(struct audit_buffer *ab, void *va) |
| 66 | { | 66 | { |
| 67 | struct common_audit_data *sa = va; | 67 | struct common_audit_data *sa = va; |
| 68 | uid_t fsuid = current_fsuid(); | 68 | kuid_t fsuid = current_fsuid(); |
| 69 | 69 | ||
| 70 | if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) { | 70 | if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) { |
| 71 | audit_log_format(ab, " requested_mask="); | 71 | audit_log_format(ab, " requested_mask="); |
| @@ -76,8 +76,10 @@ static void file_audit_cb(struct audit_buffer *ab, void *va) | |||
| 76 | audit_file_mask(ab, sa->aad->fs.denied); | 76 | audit_file_mask(ab, sa->aad->fs.denied); |
| 77 | } | 77 | } |
| 78 | if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) { | 78 | if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) { |
| 79 | audit_log_format(ab, " fsuid=%d", fsuid); | 79 | audit_log_format(ab, " fsuid=%d", |
| 80 | audit_log_format(ab, " ouid=%d", sa->aad->fs.ouid); | 80 | from_kuid(&init_user_ns, fsuid)); |
| 81 | audit_log_format(ab, " ouid=%d", | ||
| 82 | from_kuid(&init_user_ns, sa->aad->fs.ouid)); | ||
| 81 | } | 83 | } |
| 82 | 84 | ||
| 83 | if (sa->aad->fs.target) { | 85 | if (sa->aad->fs.target) { |
| @@ -103,7 +105,7 @@ static void file_audit_cb(struct audit_buffer *ab, void *va) | |||
| 103 | */ | 105 | */ |
| 104 | int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, | 106 | int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, |
| 105 | gfp_t gfp, int op, u32 request, const char *name, | 107 | gfp_t gfp, int op, u32 request, const char *name, |
| 106 | const char *target, uid_t ouid, const char *info, int error) | 108 | const char *target, kuid_t ouid, const char *info, int error) |
| 107 | { | 109 | { |
| 108 | int type = AUDIT_APPARMOR_AUTO; | 110 | int type = AUDIT_APPARMOR_AUTO; |
| 109 | struct common_audit_data sa; | 111 | struct common_audit_data sa; |
| @@ -201,7 +203,7 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state, | |||
| 201 | */ | 203 | */ |
| 202 | perms.kill = 0; | 204 | perms.kill = 0; |
| 203 | 205 | ||
| 204 | if (current_fsuid() == cond->uid) { | 206 | if (uid_eq(current_fsuid(), cond->uid)) { |
| 205 | perms.allow = map_old_perms(dfa_user_allow(dfa, state)); | 207 | perms.allow = map_old_perms(dfa_user_allow(dfa, state)); |
| 206 | perms.audit = map_old_perms(dfa_user_audit(dfa, state)); | 208 | perms.audit = map_old_perms(dfa_user_audit(dfa, state)); |
| 207 | perms.quiet = map_old_perms(dfa_user_quiet(dfa, state)); | 209 | perms.quiet = map_old_perms(dfa_user_quiet(dfa, state)); |
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index 4b7e18951aea..69d8cae634e7 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h | |||
| @@ -125,7 +125,7 @@ struct apparmor_audit_data { | |||
| 125 | const char *target; | 125 | const char *target; |
| 126 | u32 request; | 126 | u32 request; |
| 127 | u32 denied; | 127 | u32 denied; |
| 128 | uid_t ouid; | 128 | kuid_t ouid; |
| 129 | } fs; | 129 | } fs; |
| 130 | }; | 130 | }; |
| 131 | }; | 131 | }; |
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h index f98fd4701d80..967b2deda376 100644 --- a/security/apparmor/include/file.h +++ b/security/apparmor/include/file.h | |||
| @@ -71,7 +71,7 @@ struct path; | |||
| 71 | 71 | ||
| 72 | /* need to make conditional which ones are being set */ | 72 | /* need to make conditional which ones are being set */ |
| 73 | struct path_cond { | 73 | struct path_cond { |
| 74 | uid_t uid; | 74 | kuid_t uid; |
| 75 | umode_t mode; | 75 | umode_t mode; |
| 76 | }; | 76 | }; |
| 77 | 77 | ||
| @@ -146,7 +146,7 @@ static inline u16 dfa_map_xindex(u16 mask) | |||
| 146 | 146 | ||
| 147 | int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, | 147 | int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, |
| 148 | gfp_t gfp, int op, u32 request, const char *name, | 148 | gfp_t gfp, int op, u32 request, const char *name, |
| 149 | const char *target, uid_t ouid, const char *info, int error); | 149 | const char *target, kuid_t ouid, const char *info, int error); |
| 150 | 150 | ||
| 151 | /** | 151 | /** |
| 152 | * struct aa_file_rules - components used for file rule permissions | 152 | * struct aa_file_rules - components used for file rule permissions |