uses the linux kernel definitions of them.
(It also adds to the simple capabilities regression tests verifying the
parser can parse the new audit capability names.)
(updated) error codes returned by the module and the libapparmor
function. It also converts the package to use the svn repo version as
the package version.
pam_apparmor pam module. The default behavior is to use the user's
primary groupname, and to fall back to the DEFAULT hat. You can change
this behavior by appending order=type1[,type2,type3] to the pam_apparmor
session line in the pam config for the application you're applying
pam_apparmor to. The available types are 'user' for username, 'group'
for groupname, and 'default' for DEFAULT. Thus, adding a configuration
entry like:
session optional pam_apparmor.so order=group,default
is equivalent to the default behavior for pam_apparmor.
The parse_option code got a little more complicated than I'd hoped
it would be; I could have just had the types be space-delimited options to
the module, but I thought I'd leave open the possibility of adding additional
options to the module ('debug' immediately comes to mind).
I disabled the short-circuit that occurs if EPERM is returned by
change_hat, as we can't detect that this is because there's no hats or
that the application is entirely undefined; if ECHILD makes it in then
we can re-enable this.
I am less convinced now that pam_apparmor needs to be 'optional' than
'required'; killing the session if none of the change_hats succeeds is
starting to feel like reasonable behavior.
---
changehat/pam_apparmor/Makefile | 11 +
changehat/pam_apparmor/README | 74 +++++++++++++
changehat/pam_apparmor/get_options.c | 157 ++++++++++++++++++++++++++++
changehat/pam_apparmor/pam_apparmor.c | 155 +++++++++++++++++++--------
changehat/pam_apparmor/pam_apparmor.h | 56 +++++++++
changehat/pam_apparmor/pam_apparmor.spec.in | 2
6 files changed, 406 insertions(+), 49 deletions(-)
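As an added example (not the module's own parse_option code), here is one way to parse the order= option described above and expand it into the sequence of hat names a session would try; the function names parse_order and build_hat_list, the 64-byte buffers and the rejection of repeated names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hat-selection types understood by order= (see the commit message
 * above). Default order when no option is given: group,default. */
enum hat_type { HAT_USER = 0, HAT_GROUP, HAT_DEFAULT };
#define NUM_TYPES 3
static const char *type_names[NUM_TYPES] = { "user", "group", "default" };

/* Parse "order=type1[,type2,type3]" into types[]. Returns the count, or
 * -1 on an unknown name, a repeated name or an empty list, so a typo in
 * the PAM config fails loudly instead of silently dropping a fallback. */
int parse_order(const char *arg, enum hat_type types[NUM_TYPES])
{
    char buf[64];
    unsigned seen = 0;
    int n = 0;

    if (arg == NULL) {              /* no option: built-in default */
        types[0] = HAT_GROUP;
        types[1] = HAT_DEFAULT;
        return 2;
    }
    if (strncmp(arg, "order=", 6) != 0 || strlen(arg + 6) >= sizeof buf)
        return -1;
    strcpy(buf, arg + 6);
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        int i = 0;
        while (i < NUM_TYPES && strcmp(tok, type_names[i]) != 0)
            i++;
        if (i == NUM_TYPES || (seen & (1u << i)))
            return -1;
        seen |= 1u << i;
        types[n++] = (enum hat_type)i;
    }
    return n > 0 ? n : -1;
}

/* Expand the parsed order into the hat names a session would try in
 * turn: the username, the primary group name, or the literal DEFAULT.
 * Returns the number of names written, or -1 on a parse error. */
int build_hat_list(const char *arg, const char *user, const char *group,
                   char names[NUM_TYPES][64])
{
    enum hat_type types[NUM_TYPES];
    int n = parse_order(arg, types);
    for (int i = 0; i < n; i++)
        snprintf(names[i], 64, "%s", types[i] == HAT_USER ? user :
                 types[i] == HAT_GROUP ? group : "DEFAULT");
    return n;
}
```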
creates a tarball (and specfile) similar to 'make tarball' except that
it uses svn export to pull the latest committed version rather than the
current contents of the tree (as make tarball does). This is to make
pristine checkins to SUSE's autobuild system and the openSUSE
buildservice easier.
It turns out that audit and selinux were modified to slightly change the
behavior of getprocattr.
The changes are:
1. when the audit subsystem calls security_getprocattr it only allows
for a return code of EINVAL
2. when the audit subsystem calls security_getprocattr with the size
parameter set to 0, it expects the returned size to be the size
that would be put in the buffer.
This behavior is undocumented in LSM but the changes showed up in
audit and selinux.
This patch fixes AA so that when 0 is passed it will return the size
that would have been read. This in turn fixes the problem where the
audit system spits out a ton of
error in audit_log_task_context messages
The AA getprocattr handling can still return error messages that are
not EINVAL, but these should not happen in the audit log context unless
audit makes an error.
The possible places are:
- audit passes a buffer that is too small - this shouldn't happen since
audit uses the return value from a probe with parameter size == 0
- audit task context is trying to read a /proc/<pid>/attr/current that is
the current task's context.
This shouldn't happen since the task context is for the current task.
- memory allocation fails
This one will generate the message, but the audit code itself will
generate the message if its allocation fails.
of EACCESS when an unconfined process calls changehat. This enables
applications using the changehat api to detect that the application
is not confined so probing for a matching hat can be aborted.