- early bailout of change_hat/change_profile when the new_profile

doesn't exist - in do_change_profile rename profile to new_profile - fix bug in early bail out - don't audit change_hat/change_profile token - remove unused AA_AUDITTYPE defines
2025-03-04 08:24:42 +01:00 · 2007-07-15 15:27:08 +00:00 · 2007-07-15 15:27:08 +00:00 · 1ee0a2c2d3
commit 1ee0a2c2d3
parent c8c8ca442c
6 changed files with 209 additions and 0 deletions
--- a/kernel-patches/for-mainline/change_profile-4.diff
+++ b/kernel-patches/for-mainline/change_profile-4.diff
@ -0,0 +1,38 @@
+---
+ security/apparmor/main.c |   17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
+@@ -949,8 +949,13 @@ static int do_change_profile(struct aa_p
+ 		return -ENOMEM;
+ 
+ 	profile = aa_find_profile(name);
+-	if (!profile && !restore)
+	if (!profile && !restore) {
+		if (!PROFILE_COMPLAIN(expected)) {
+			error = -ENOENT;
+			goto out;
+		}
+ 		profile = aa_dup_profile(null_complain_profile);
+	}
+ 
+ 	cxt = lock_task_and_profiles(current, profile);
+ 	if (!cxt) {
+@@ -984,14 +989,8 @@ static int do_change_profile(struct aa_p
+ 		goto out;
+ 	}
+ 
+-	if (profile == null_complain_profile) {
+-		if (APPARMOR_COMPLAIN(cxt)) {
+-			aa_audit_hint(cxt->profile, sa);
+-		} else {
+-			error = -ENOENT;
+-			goto out;
+-		}
+-	}
+	if (profile == null_complain_profile)
+		aa_audit_hint(cxt->profile, sa);
+ 
+ 	if (APPARMOR_AUDIT(cxt))
+ 		aa_audit_message(cxt->profile, sa, AUDIT_APPARMOR_AUDIT);
--- a/kernel-patches/for-mainline/change_profile-5.diff
+++ b/kernel-patches/for-mainline/change_profile-5.diff
@ -0,0 +1,85 @@
+---
+ security/apparmor/main.c |   25 ++++++++++++-------------
+ 1 file changed, 12 insertions(+), 13 deletions(-)
+
+--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
+@@ -937,7 +937,7 @@ repeat:
+ static int do_change_profile(struct aa_profile *expected, const char *name,
+ 			     u64 cookie, int restore, struct aa_audit *sa)
+ {
+-	struct aa_profile *profile = NULL, *old_profile = NULL,
+	struct aa_profile *new_profile = NULL, *old_profile = NULL,
+ 		*previous_profile = NULL;
+ 	struct aa_task_context *new_cxt, *cxt;
+ 	int error = 0;
+@@ -948,23 +948,23 @@ static int do_change_profile(struct aa_p
+ 	if (!new_cxt)
+ 		return -ENOMEM;
+ 
+-	profile = aa_find_profile(name);
+-	if (!profile && !restore) {
+	new_profile = aa_find_profile(name);
+	if (!new_profile && !restore) {
+ 		if (!PROFILE_COMPLAIN(expected)) {
+ 			error = -ENOENT;
+ 			goto out;
+ 		}
+-		profile = aa_dup_profile(null_complain_profile);
+		new_profile = aa_dup_profile(null_complain_profile);
+ 	}
+ 
+-	cxt = lock_task_and_profiles(current, profile);
+	cxt = lock_task_and_profiles(current, new_profile);
+ 	if (!cxt) {
+ 		error = -EPERM;
+ 		goto out;
+ 	}
+ 	old_profile = cxt->profile;
+ 
+-	if (cxt->profile != expected || (profile && profile->isstale)) {
+	if (cxt->profile != expected || (new_profile && new_profile->isstale)) {
+ 		error = -ESTALE;
+ 		goto out;
+ 	}
+@@ -984,34 +984,33 @@ static int do_change_profile(struct aa_p
+ 	} else
+ 		previous_profile = cxt->profile;
+ 
+-	if ((current->ptrace & PT_PTRACED) && aa_may_ptrace(cxt, profile)) {
+	if ((current->ptrace & PT_PTRACED) && aa_may_ptrace(cxt, new_profile)) {
+ 		error = -EACCES;
+ 		goto out;
+ 	}
+ 
+-	if (profile == null_complain_profile)
+	if (new_profile == null_complain_profile)
+ 		aa_audit_hint(cxt->profile, sa);
+ 
+ 	if (APPARMOR_AUDIT(cxt))
+ 		aa_audit_message(cxt->profile, sa, AUDIT_APPARMOR_AUDIT);
+ 
+ 	if (!restore && cookie)
+-		aa_change_task_context(current, new_cxt, profile, cookie,
+		aa_change_task_context(current, new_cxt, new_profile, cookie,
+ 				       previous_profile);
+ 	else
+ 		/* either return to previous_profile, or a permanent change */
+-		aa_change_task_context(current, new_cxt, profile, 0, NULL);
+		aa_change_task_context(current, new_cxt, new_profile, 0, NULL);
+ 
+ out:
+ 	if (aa_task_context(current) != new_cxt)
+ 		aa_free_task_context(new_cxt);
+ 	task_unlock(current);
+-	unlock_both_profiles(old_profile, profile);
+-	aa_put_profile(profile);
+	unlock_both_profiles(old_profile, new_profile);
+	aa_put_profile(new_profile);
+ 	return error;
+ }
+ 
+-
+ /**
+  * aa_change_profile - change profile to/from previous stored profile
+  * @name: name of profile to change to
--- a/kernel-patches/for-mainline/change_profile-7.diff
+++ b/kernel-patches/for-mainline/change_profile-7.diff
@ -0,0 +1,15 @@
+---
+ security/apparmor/lsm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
+@@ -633,7 +633,7 @@ static int apparmor_setprocattr(struct t
+ 		if (current != task)
+ 			return -EACCES;
+ 		error = aa_setprocattr_changeprofile(args);
+-	} else if (strcmp(command, "setprofile")) {
+	} else if (strcmp(command, "setprofile") == 0) {
+ 		struct aa_profile *profile;
+ 
+ 		/* Only an unconfined process with admin capabilities
--- a/kernel-patches/for-mainline/no-audit-token.diff
+++ b/kernel-patches/for-mainline/no-audit-token.diff
@ -0,0 +1,43 @@
+---
+ security/apparmor/apparmor.h |    1 -
+ security/apparmor/main.c     |    5 -----
+ 2 files changed, 6 deletions(-)
+
+--- a/security/apparmor/apparmor.h
+++ b/security/apparmor/apparmor.h
+@@ -156,7 +156,6 @@ struct aa_audit {
+ 	int requested_mask, denied_mask;
+ 	struct iattr *iattr;
+ 	pid_t task, parent;
+-	u64 cookie;
+ 	int error_code;
+ };
+ 
+--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
+@@ -343,9 +343,6 @@ static int aa_audit_base(struct aa_profi
+ 		audit_log_untrustedstring(ab, sa->name2);
+ 	}
+ 
+-	if (sa->cookie)
+-		audit_log_format(ab, " cookie=%llu", sa->cookie);
+-
+ 	audit_log_format(ab, " pid=%d", current->pid);
+ 
+ 	if (profile) {
+@@ -1029,7 +1026,6 @@ int aa_change_profile(const char *name, 
+ 
+ 	memset(&sa, 0, sizeof(sa));
+ 	sa.gfp_mask = GFP_ATOMIC;
+-	sa.cookie = cookie;
+ 	sa.operation = "change_profile";
+ 
+ repeat:
+@@ -1085,7 +1081,6 @@ int aa_change_hat(const char *hat_name, 
+ 
+ 	memset(&sa, 0, sizeof(sa));
+ 	sa.gfp_mask = GFP_ATOMIC;
+-	sa.cookie = cookie;
+ 	sa.operation = "change_hat";
+ 
+ repeat:
--- a/kernel-patches/for-mainline/remove-audit-types.diff
+++ b/kernel-patches/for-mainline/remove-audit-types.diff
@ -0,0 +1,23 @@
+---
+ security/apparmor/apparmor.h |   10 ----------
+ 1 file changed, 10 deletions(-)
+
+--- a/security/apparmor/apparmor.h
+++ b/security/apparmor/apparmor.h
+@@ -159,16 +159,6 @@ struct aa_audit {
+ 	int error_code;
+ };
+ 
+-/* audit types */
+-#define AA_AUDITTYPE_FILE	1
+-#define AA_AUDITTYPE_DIR	2
+-#define AA_AUDITTYPE_ATTR	3
+-#define AA_AUDITTYPE_XATTR	4
+-#define AA_AUDITTYPE_LINK	5
+-#define AA_AUDITTYPE_CAP	6
+-#define AA_AUDITTYPE_MSG	7
+-#define AA_AUDITTYPE_SYSCALL	8
+-
+ /* Flags for the permission check functions */
+ #define AA_CHECK_FD	1  /* coming from a file descriptor */
+ #define AA_CHECK_DIR	2  /* file type is directory */
--- a/kernel-patches/for-mainline/series
+++ b/kernel-patches/for-mainline/series
@ -40,6 +40,11 @@ apparmor-lsm.diff
 apparmor-module_interface.diff
 apparmor-misc.diff
 apparmor-intree.diff
+change_profile-4.diff
+change_profile-5.diff
+change_profile-7.diff
+no-audit-token.diff
+remove-audit-types.diff
 do_path_lookup-nameidata.diff
 sys_fchdir-nameidata.diff
 file_permission-nameidata.diff