Update capabilities to support 64 bit caps
This commit is contained in:
parent
b8cde97ab7
commit
c8fa7815a6
5 changed files with 50 additions and 21 deletions
|
@ -88,11 +88,11 @@ struct codomain {
|
|||
|
||||
struct flagval flags;
|
||||
|
||||
unsigned int capabilities;
|
||||
unsigned int audit_caps;
|
||||
unsigned int deny_caps;
|
||||
unsigned int quiet_caps;
|
||||
unsigned int set_caps;
|
||||
uint64_t capabilities;
|
||||
uint64_t audit_caps;
|
||||
uint64_t deny_caps;
|
||||
uint64_t quiet_caps;
|
||||
uint64_t set_caps;
|
||||
|
||||
unsigned int *network_allowed; /* array of type masks
|
||||
* indexed by AF_FAMILY */
|
||||
|
|
|
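Review bot: The five capability fields in this hunk change to `uint64_t`, but nothing in the struct says they are bitmasks indexed by capability number or why 64 bits are now needed (this commit defines `CAP_MAC_OVERRIDE` as 32, past the old 32-bit range). A comment on the first field, `uint64_t capabilities; /* bitmask, bit N == CAP_* number N; 64 bits so caps >= 32 fit */`, covers all five. `uint64_t` also requires `<stdint.h>` (or `<inttypes.h>`) to be in scope for this header; the include block is outside the hunk, so confirm it is pulled in rather than relying on a transitive include. `struct codomain` starts before the hunk and continues past it.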
@ -610,7 +610,7 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
|
|||
int flattened)
|
||||
{
|
||||
struct cod_entry *entry;
|
||||
u32 allowed_caps;
|
||||
uint64_t allowed_caps;
|
||||
|
||||
if (!sd_write_struct(p, "profile"))
|
||||
return 0;
|
||||
|
@ -642,14 +642,30 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
|
|||
return 0;
|
||||
if (!sd_write_structend(p))
|
||||
return 0;
|
||||
|
||||
#define low_caps(X) ((u32) (X))
|
||||
#define high_caps(X) ((u32) ((X) >> 32))
|
||||
allowed_caps = (profile->capabilities | profile->set_caps) & ~profile->deny_caps;
|
||||
if (!sd_write32(p, allowed_caps))
|
||||
if (!sd_write32(p, low_caps(allowed_caps & 0xff)))
|
||||
return 0;
|
||||
if (!sd_write32(p, allowed_caps & profile->audit_caps))
|
||||
if (!sd_write32(p, low_caps(allowed_caps & profile->audit_caps)))
|
||||
return 0;
|
||||
if (!sd_write32(p, profile->deny_caps & profile->quiet_caps))
|
||||
if (!sd_write32(p, low_caps(profile->deny_caps & profile->quiet_caps)))
|
||||
return 0;
|
||||
if (!sd_write32(p, profile->set_caps & ~profile->deny_caps))
|
||||
if (!sd_write32(p, low_caps(profile->set_caps & ~profile->deny_caps)))
|
||||
return 0;
|
||||
|
||||
if (!sd_write_struct(p, "caps64"))
|
||||
return 0;
|
||||
if (!sd_write32(p, high_caps(allowed_caps & 0xff)))
|
||||
return 0;
|
||||
if (!sd_write32(p, high_caps(allowed_caps & profile->audit_caps)))
|
||||
return 0;
|
||||
if (!sd_write32(p, high_caps(profile->deny_caps & profile->quiet_caps)))
|
||||
return 0;
|
||||
if (!sd_write32(p, high_caps(profile->set_caps & ~profile->deny_caps)))
|
||||
return 0;
|
||||
if (!sd_write_structend(p))
|
||||
return 0;
|
||||
|
||||
if (!sd_serialize_rlimits(p, &profile->rlimits))
|
||||
|
|
|
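Review bot: The allowed-capability write in the caps hunk masks the value to eight bits, `low_caps(allowed_caps & 0xff)`, where the line it replaces wrote `allowed_caps` unmasked, and the matching `high_caps(allowed_caps & 0xff)` in the new `caps64` struct is therefore always zero; every capability numbered 8 or above is silently dropped from the serialized allow words while still appearing in the audit and set_caps words written a few lines later, which are not masked. None of the other three writes carries that mask, so it reads as a leftover rather than a format requirement. Both lines should be `low_caps(allowed_caps)` and `high_caps(allowed_caps)`. This fails closed (the loaded profile is stricter than the policy text), but it would break any profile that grants such a capability. `sd_serialize_profile` starts and ends outside this hunk.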
@ -806,7 +806,9 @@ static const char *capnames[] = {
|
|||
"mknod",
|
||||
"lease",
|
||||
"audit_write",
|
||||
"audit_control"
|
||||
"audit_control",
|
||||
"setfcap",
|
||||
"mac_override"
|
||||
};
|
||||
|
||||
const char *capability_to_name(unsigned int cap)
|
||||
|
@ -837,7 +839,7 @@ void debug_cod_list(struct codomain *cod)
|
|||
|
||||
printf("Capabilities:\t");
|
||||
for (i = 0; i < (sizeof(capnames)/sizeof(char *)); i++) {
|
||||
if (((1 << i) & cod->capabilities) != 0) {
|
||||
if (((1ull << i) & cod->capabilities) != 0) {
|
||||
printf ("%s ", capability_to_name(i));
|
||||
}
|
||||
}
|
||||
|
|
|
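Review bot: The `capnames` table in the first hunk of this file is presumably indexed by capability number (`capability_to_name(unsigned int cap)` follows it), and the two new entries only line up because `CAP_SETFCAP` and `CAP_MAC_OVERRIDE` are defined as 31 and 32 elsewhere in this commit; nothing at the table says so. A one-line comment above it, `/* indexed by CAP_* number; keep in sync with the CAP_* defines (CAP_MAC_OVERRIDE == 32 is the last entry) */`, makes the coupling visible to whoever adds the next capability. The `debug_cod_list` loop in the second hunk bounds itself by the table size and now shifts `1ull`, so it stays correct as long as the table never exceeds 64 entries. Both functions start outside the hunks shown.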
@ -639,11 +639,11 @@ struct codomain *merge_policy(struct codomain *a, struct codomain *b)
|
|||
a->flags.complain = a->flags.complain || b->flags.complain;
|
||||
a->flags.audit = a->flags.audit || b->flags.audit;
|
||||
|
||||
a->capabilities = a->capabilities | b->capabilities;
|
||||
a->audit_caps = a->audit_caps | b->audit_caps;
|
||||
a->deny_caps = a->deny_caps | b->deny_caps;
|
||||
a->quiet_caps = a->quiet_caps | b->quiet_caps;
|
||||
a->set_caps = a->set_caps | b->set_caps;
|
||||
a->capabilities |= b->capabilities;
|
||||
a->audit_caps |= b->audit_caps;
|
||||
a->deny_caps |= b->deny_caps;
|
||||
a->quiet_caps |= b->quiet_caps;
|
||||
a->set_caps |= b->set_caps;
|
||||
|
||||
if (a->network_allowed) {
|
||||
size_t i;
|
||||
|
|
|
@ -44,15 +44,24 @@
|
|||
#ifndef CAP_AUDIT_CONTROL
|
||||
#define CAP_AUDIT_CONTROL 30
|
||||
#endif
|
||||
|
||||
/* A few utility defines */
|
||||
#ifndef CAP_SETFCAP
|
||||
#define CAP_SETFCAP 31
|
||||
#endif
|
||||
#ifndef CAP_MAC_OVERRIDE
|
||||
#define CAP_MAC_OVERRIDE 32
|
||||
#endif
|
||||
|
||||
#define CIDR_32 htonl(0xffffffff)
|
||||
#define CIDR_24 htonl(0xffffff00)
|
||||
#define CIDR_16 htonl(0xffff0000)
|
||||
#define CIDR_8 htonl(0xff000000)
|
||||
|
||||
#define CAP_TO_MASK(x) (1 << (x))
|
||||
/* undefine linux/capability.h CAP_TO_MASK */
|
||||
#ifdef CAP_TO_MASK
|
||||
#undef CAP_TO_MASK
|
||||
#endif
|
||||
|
||||
#define CAP_TO_MASK(x) (1ull << (x))
|
||||
|
||||
/* from lex_config, for nice error messages */
|
||||
/* extern char *current_file; */
|
||||
|
@ -147,7 +156,7 @@ struct codomain *do_local_profile(struct codomain *cod, char *name, int mode, in
|
|||
struct cod_entry *user_entry;
|
||||
struct flagval flags;
|
||||
int fmode;
|
||||
unsigned int cap;
|
||||
uint64_t cap;
|
||||
unsigned int allowed_protocol;
|
||||
char *set_var;
|
||||
char *bool_var;
|
||||
|
@ -1045,6 +1054,7 @@ caps: caps TOK_ID
|
|||
int cap = name_to_capability($2);
|
||||
if (cap == -1)
|
||||
yyerror(_("Invalid capability %s."), $2);
|
||||
free($2);
|
||||
$$ = $1 | CAP_TO_MASK(cap);
|
||||
}
|
||||
|
||||
|
@ -1053,6 +1063,7 @@ caps: TOK_ID
|
|||
int cap = name_to_capability($1);
|
||||
if (cap == -1)
|
||||
yyerror(_("Invalid capability %s."), $1);
|
||||
free($1);
|
||||
$$ = CAP_TO_MASK(cap);
|
||||
};
|
||||
|
||||
|
|
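Review bot: `CAP_TO_MASK(cap)` in both `caps` rules is evaluated after `yyerror(...)` on the `cap == -1` path, and the new `(1ull << (x))` definition shifts by a negative count in that case, which is undefined behaviour; the old 32-bit macro had the same hazard, so this is safe only if `yyerror()` never returns, which I cannot see from here. If it does not return, a one-line comment next to the check, `/* yyerror() exits; cap is a valid shift count below */`, documents the assumption; otherwise return or guard before the shift. The `#undef` of the `linux/capability.h` `CAP_TO_MASK` deserves a comment too, since the kernel macro's per-32-bit-word semantics differ from this flat 64-bit mask and a reader may take the undef for an accident. The field in what looks like the `%union` hunk changes to `uint64_t`, which matches the `1ull` type of the macro.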