shared.h is no longer shared with anything. Remove it, and put its
definitions in apparmor.h.
Remove AA_MAY_READ, AA_MAY_WRITE, AA_MAY_EXEC, AA_MAY_APPEND, and
use the in-kernel versions instead: we are doing that in some
places already anyway; redefining them only raises the question
if the AA_MAY_ constants are identical to the MAY_ constants.
Index: b/security/apparmor/lsm.c
|
|
===================================================================
|
|
--- a/security/apparmor/lsm.c
|
|
+++ b/security/apparmor/lsm.c
|
|
@@ -231,8 +231,7 @@ static int apparmor_inode_mkdir(struct i
|
|
active = get_active_aa_profile();
|
|
|
|
if (active)
|
|
- error = aa_perm_dir(active, dentry, mnt, "mkdir",
|
|
- AA_MAY_WRITE);
|
|
+ error = aa_perm_dir(active, dentry, mnt, "mkdir", MAY_WRITE);
|
|
|
|
put_aa_profile(active);
|
|
|
|
@@ -252,8 +251,7 @@ static int apparmor_inode_rmdir(struct i
|
|
active = get_active_aa_profile();
|
|
|
|
if (active)
|
|
- error = aa_perm_dir(active, dentry, mnt, "rmdir",
|
|
- AA_MAY_WRITE);
|
|
+ error = aa_perm_dir(active, dentry, mnt, "rmdir", MAY_WRITE);
|
|
|
|
put_aa_profile(active);
|
|
|
|
@@ -426,27 +424,25 @@ static int apparmor_inode_setxattr(struc
|
|
char *name, void *value, size_t size,
|
|
int flags)
|
|
{
|
|
- return aa_xattr_permission(dentry, mnt, name, "xattr set",
|
|
- AA_MAY_WRITE);
|
|
+ return aa_xattr_permission(dentry, mnt, name, "xattr set", MAY_WRITE);
|
|
}
|
|
|
|
static int apparmor_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
|
|
char *name)
|
|
{
|
|
- return aa_xattr_permission(dentry, mnt, name, "xattr get", AA_MAY_READ);
|
|
+ return aa_xattr_permission(dentry, mnt, name, "xattr get", MAY_READ);
|
|
}
|
|
|
|
static int apparmor_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt)
|
|
{
|
|
- return aa_xattr_permission(dentry, mnt, NULL, "xattr list",
|
|
- AA_MAY_READ);
|
|
+ return aa_xattr_permission(dentry, mnt, NULL, "xattr list", MAY_READ);
|
|
}
|
|
|
|
static int apparmor_inode_removexattr(struct dentry *dentry,
|
|
struct vfsmount *mnt, char *name)
|
|
{
|
|
return aa_xattr_permission(dentry, mnt, name, "xattr remove",
|
|
- AA_MAY_WRITE);
|
|
+ MAY_WRITE);
|
|
}
|
|
|
|
static inline int aa_mmap(struct file *file, unsigned long prot,
|
|
Index: b/security/apparmor/main.c
|
|
===================================================================
|
|
--- a/security/apparmor/main.c
|
|
+++ b/security/apparmor/main.c
|
|
@@ -404,9 +404,9 @@ int aa_audit(struct aa_profile *active,
|
|
|
|
audit_log_format(ab, "%s%s%s%s%s access to %s ",
|
|
perm & AA_EXEC_MMAP ? "m" : "",
|
|
- perm & AA_MAY_READ ? "r" : "",
|
|
- perm & AA_MAY_WRITE ? "w" : "",
|
|
- perm & AA_MAY_EXEC ? "x" : "",
|
|
+ perm & MAY_READ ? "r" : "",
|
|
+ perm & MAY_WRITE ? "w" : "",
|
|
+ perm & MAY_EXEC ? "x" : "",
|
|
perm & AA_MAY_LINK ? "l" : "",
|
|
sa->name);
|
|
|
|
@@ -839,13 +839,13 @@ int aa_register(struct linux_binprm *bpr
|
|
find_profile_mandatory = 1;
|
|
break;
|
|
|
|
- case AA_MAY_EXEC:
|
|
+ case MAY_EXEC:
|
|
/* this should not happen, entries
|
|
* with just EXEC only should be
|
|
* rejected at profile load time
|
|
*/
|
|
AA_ERROR("%s: Rejecting exec(2) of image '%s'. "
|
|
- "AA_MAY_EXEC without exec qualifier invalid "
|
|
+ "MAY_EXEC without exec qualifier invalid "
|
|
"(%s(%d) profile %s active %s\n",
|
|
__FUNCTION__,
|
|
filename,
|
|
Index: b/security/apparmor/shared.h
|
|
===================================================================
|
|
--- a/security/apparmor/shared.h
|
|
+++ /dev/null
|
|
@@ -1,51 +0,0 @@
|
|
-/*
|
|
- * Copyright (C) 2000, 2001, 2004, 2005 Novell/SUSE
|
|
- *
|
|
- * Immunix AppArmor LSM
|
|
- *
|
|
- * This program is free software; you can redistribute it and/or
|
|
- * modify it under the terms of the GNU General Public License as
|
|
- * published by the Free Software Foundation, version 2 of the
|
|
- * License.
|
|
- */
|
|
-
|
|
-#ifndef _SHARED_H
|
|
-#define _SHARED_H
|
|
-
|
|
-/* start of system offsets */
|
|
-#define POS_AA_FILE_MIN 0
|
|
-#define POS_AA_MAY_EXEC POS_AA_FILE_MIN
|
|
-#define POS_AA_MAY_WRITE (POS_AA_MAY_EXEC + 1)
|
|
-#define POS_AA_MAY_READ (POS_AA_MAY_WRITE + 1)
|
|
-#define POS_AA_MAY_APPEND (POS_AA_MAY_READ + 1)
|
|
-/* end of system offsets */
|
|
-
|
|
-#define POS_AA_MAY_LINK (POS_AA_MAY_APPEND + 1)
|
|
-#define POS_AA_EXEC_INHERIT (POS_AA_MAY_LINK + 1)
|
|
-#define POS_AA_EXEC_UNCONSTRAINED (POS_AA_EXEC_INHERIT + 1)
|
|
-#define POS_AA_EXEC_PROFILE (POS_AA_EXEC_UNCONSTRAINED + 1)
|
|
-#define POS_AA_EXEC_MMAP (POS_AA_EXEC_PROFILE + 1)
|
|
-#define POS_AA_EXEC_UNSAFE (POS_AA_EXEC_MMAP + 1)
|
|
-#define POS_AA_FILE_MAX POS_AA_EXEC_UNSAFE
|
|
-
|
|
-/* Invalid perm permission */
|
|
-#define POS_AA_INVALID_POS 31
|
|
-
|
|
-/* Modeled after MAY_READ, MAY_WRITE, MAY_EXEC def'ns */
|
|
-#define AA_MAY_EXEC (0x01 << POS_AA_MAY_EXEC)
|
|
-#define AA_MAY_WRITE (0x01 << POS_AA_MAY_WRITE)
|
|
-#define AA_MAY_READ (0x01 << POS_AA_MAY_READ)
|
|
-#define AA_MAY_LINK (0x01 << POS_AA_MAY_LINK)
|
|
-#define AA_EXEC_INHERIT (0x01 << POS_AA_EXEC_INHERIT)
|
|
-#define AA_EXEC_UNCONSTRAINED (0x01 << POS_AA_EXEC_UNCONSTRAINED)
|
|
-#define AA_EXEC_PROFILE (0x01 << POS_AA_EXEC_PROFILE)
|
|
-#define AA_EXEC_MMAP (0x01 << POS_AA_EXEC_MMAP)
|
|
-#define AA_EXEC_UNSAFE (0x01 << POS_AA_EXEC_UNSAFE)
|
|
-#define AA_INVALID_PERM (0x01 << POS_AA_INVALID_POS)
|
|
-
|
|
-#define AA_EXEC_MODIFIERS (AA_EXEC_INHERIT | \
|
|
- AA_EXEC_UNCONSTRAINED | \
|
|
- AA_EXEC_PROFILE)
|
|
-#define AA_VALID_PERM_MASK ((1 << (POS_AA_FILE_MAX + 1)) - 1)
|
|
-
|
|
-#endif /* _SHARED_H */
|
|
Index: b/security/apparmor/apparmor.h
|
|
===================================================================
|
|
--- a/security/apparmor/apparmor.h
|
|
+++ b/security/apparmor/apparmor.h
|
|
@@ -16,9 +16,24 @@
|
|
#include <linux/binfmts.h> /* defn of linux_binprm */
|
|
#include <linux/rcupdate.h>
|
|
|
|
-#include "shared.h"
|
|
#include "match.h"
|
|
|
|
+/*
|
|
+ * We use MAY_READ, MAY_WRITE, MAY_EXEC, and the following flags for
|
|
+ * profile permissions (we don't use MAY_APPEND):
|
|
+ */
|
|
+#define AA_MAY_LINK 0x0010
|
|
+#define AA_EXEC_INHERIT 0x0020
|
|
+#define AA_EXEC_UNCONSTRAINED 0x0040
|
|
+#define AA_EXEC_PROFILE 0x0080
|
|
+#define AA_EXEC_MMAP 0x0100
|
|
+#define AA_EXEC_UNSAFE 0x0200
|
|
+#define AA_INVALID_PERM 0x0400
|
|
+
|
|
+#define AA_EXEC_MODIFIERS (AA_EXEC_INHERIT | \
|
|
+ AA_EXEC_UNCONSTRAINED | \
|
|
+ AA_EXEC_PROFILE)
|
|
+
|
|
/* Control parameters (0 or 1), settable thru module/boot flags or
|
|
* via /sys/kernel/security/apparmor/control */
|
|
extern int apparmor_complain;
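Review bot: AA_INVALID_PERM changes value in this hunk without the description saying so: shared.h defined it as bit 31 (`0x01 << POS_AA_INVALID_POS` with POS_AA_INVALID_POS 31, deliberately outside AA_VALID_PERM_MASK), while the new apparmor.h defines it as `0x0400`, the bit directly above AA_EXEC_UNSAFE, and AA_VALID_PERM_MASK is dropped with no replacement; if any load-time validation or perm comparison elsewhere used the old value or mask, permission checks could silently change, so either keep the old value or add a comment stating that 0x0400 is intentionally the next free bit and where validation now happens. The header now relies on MAY_READ, MAY_WRITE and MAY_EXEC but the visible includes are only <linux/binfmts.h>, <linux/rcupdate.h> and "match.h"; if those macros arrive transitively through binfmts.h, an explicit `#include <linux/fs.h>` would make the dependency visible. The hard-coded values also lose the POS_-derived layout, so a comment such as `/* bits 0-3 are the kernel MAY_EXEC/MAY_WRITE/MAY_READ/MAY_APPEND; AA_ flags start at bit 4 and must not overlap them */` would preserve the invariant that kept the two flag sets disjoint.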
|