Fix change_profile to grant access to api
http://bugs.launchpad.net/bugs/979135 Currently a change_profile rule does not grant access to the /proc/<pid>/attr/{current,exec} interfaces that are needed to perform a change_profile or change_onexec, requiring that an explicit rule allowing access to the interface be granted. Make it so change_profile implies the necessary `/proc/@{PID}/attr/{current,exec} w,` rule, just like the presence of hats does for change_hat. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-By: Steve Beattie <sbeattie@ubuntu.com>
This commit is contained in:
parent
6f27ba3abb
commit
68297d9398
3 changed files with 25 additions and 3 deletions
|
@ -381,7 +381,7 @@ extern int cache_fd;
|
|||
extern void add_to_list(struct codomain *codomain);
|
||||
extern void add_hat_to_policy(struct codomain *policy, struct codomain *hat);
|
||||
extern void add_entry_to_policy(struct codomain *policy, struct cod_entry *entry);
|
||||
extern void post_process_nt_entries(struct codomain *cod);
|
||||
extern void post_process_file_entries(struct codomain *cod);
|
||||
extern void post_process_mnt_entries(struct codomain *cod);
|
||||
extern int post_process_policy(int debug_only);
|
||||
extern int process_hat_regex(struct codomain *cod);
|
||||
|
|
|
@ -172,9 +172,10 @@ void add_entry_to_policy(struct codomain *cod, struct cod_entry *entry)
|
|||
cod->entries = entry;
|
||||
}
|
||||
|
||||
void post_process_nt_entries(struct codomain *cod)
|
||||
void post_process_file_entries(struct codomain *cod)
|
||||
{
|
||||
struct cod_entry *entry;
|
||||
int cp_mode = 0;
|
||||
|
||||
list_for_each(cod->entries, entry) {
|
||||
if (entry->nt_name) {
|
||||
|
@ -193,6 +194,27 @@ void post_process_nt_entries(struct codomain *cod)
|
|||
entry->namespace = NULL;
|
||||
entry->nt_name = NULL;
|
||||
}
|
||||
/* FIXME: currently change_profile also implies onexec */
|
||||
cp_mode |= entry->mode & (AA_CHANGE_PROFILE);
|
||||
}
|
||||
|
||||
/* if there are change_profile rules, this implies that we need
|
||||
* access to /proc/self/attr/current
|
||||
*/
|
||||
if (cp_mode & AA_CHANGE_PROFILE) {
|
||||
/* FIXME: should use @{PROC}/@{PID}/attr/{current,exec} */
|
||||
struct cod_entry *new_ent;
|
||||
char *buffer = strdup("/proc/*/attr/{current,exec}");
|
||||
if (!buffer) {
|
||||
PERROR("Memory allocation error\n");
|
||||
exit(1);
|
||||
}
|
||||
new_ent = new_entry(NULL, buffer, AA_MAY_WRITE, NULL);
|
||||
if (!new_ent) {
|
||||
PERROR("Memory allocation error\n");
|
||||
exit(1);
|
||||
}
|
||||
add_entry_to_policy(cod, new_ent);
|
||||
}
|
||||
}
|
||||
|
||||
|
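Review bot: The implied rule built from `strdup("/proc/*/attr/{current,exec}")` is wider than both the `@{PID}` form the commit message promises and the `/proc/self/attr/current` named in the comment just above it: it grants `w` on the attr files of every pid, and on `attr/exec` even for profiles whose change_profile rules never asked for onexec (the two FIXMEs in the hunk acknowledge this). As far as I recall the kernel only lets a task write its own attr files, so the extra breadth is probably not directly exploitable, but the compiled policy overstates what was granted and will mislead anyone auditing it, so at minimum the comment should match the rule, e.g. `/* change_profile needs write access to /proc/<pid>/attr/{current,exec}; emitted as /proc/* until @{PROC}/@{PID} can be expanded here */`. The entry is also appended unconditionally whenever `cp_mode & AA_CHANGE_PROFILE` is set, with no check for an explicit attr rule already in `cod->entries`; that is harmless if entries are merged later, but a duplicate or conflicting explicit rule will never be diagnosed. The enclosing `post_process_file_entries` is fully visible in this section (its renamed definition opens the first hunk and its closing brace ends the second).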
|
|
@ -257,7 +257,7 @@ profile_base: TOK_ID opt_id flags TOK_OPEN rules TOK_CLOSE
|
|||
if (force_complain)
|
||||
cod->flags.complain = 1;
|
||||
|
||||
post_process_nt_entries(cod);
|
||||
post_process_file_entries(cod);
|
||||
post_process_mnt_entries(cod);
|
||||
PDEBUG("%s: flags='%s%s'\n",
|
||||
$2,
|
||||
|
|