security/apparmor/Kconfig | 1 +
|
|
security/apparmor/apparmor.h | 7 +++----
|
|
security/apparmor/inline.h | 4 ++--
|
|
security/apparmor/list.c | 2 ++
|
|
security/apparmor/lsm.c | 22 ++++++----------------
|
|
security/apparmor/main.c | 5 +++--
|
|
security/apparmor/match.c | 5 +++--
|
|
security/apparmor/module_interface.c | 13 ++++++-------
|
|
8 files changed, 26 insertions(+), 33 deletions(-)
|
|
|
|
--- a/security/apparmor/Kconfig
|
|
+++ b/security/apparmor/Kconfig
|
|
@@ -3,6 +3,7 @@ config SECURITY_APPARMOR
|
|
depends on SECURITY
|
|
depends on SECURITY_NETWORK
|
|
select AUDIT
|
|
+ default n
|
|
help
|
|
This enables the AppArmor security module.
|
|
Required userspace tools (if they are not included in your
|
|
--- a/security/apparmor/apparmor.h
|
|
+++ b/security/apparmor/apparmor.h
|
|
@@ -214,9 +214,9 @@ struct aa_profile {
|
|
char **exec_table;
|
|
struct aa_dfa *file_rules;
|
|
struct {
|
|
- int hat;
|
|
- int complain;
|
|
- int audit;
|
|
+ u32 hat;
|
|
+ u32 complain;
|
|
+ u32 audit;
|
|
} flags;
|
|
int isstale;
|
|
|
|
@@ -310,7 +310,6 @@ void aa_audit_status(struct aa_profile *
|
|
int aa_audit_reject(struct aa_profile *profile, struct aa_audit *sa);
|
|
extern int aa_audit_syscallreject(struct aa_profile *profile, gfp_t gfp,
|
|
const char *);
|
|
-extern int aa_audit(struct aa_profile *profile, struct aa_audit *);
|
|
|
|
extern int aa_attr(struct aa_profile *profile, struct dentry *dentry,
|
|
struct vfsmount *mnt, struct iattr *iattr);
|
|
--- a/security/apparmor/inline.h
|
|
+++ b/security/apparmor/inline.h
|
|
@@ -21,7 +21,7 @@ static inline int mediated_filesystem(st
|
|
|
|
static inline struct aa_task_context *aa_task_context(struct task_struct *task)
|
|
{
|
|
- return (struct aa_task_context *) rcu_dereference(task->security);
|
|
+ return rcu_dereference(task->security);
|
|
}
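Review bot: The rewritten `aa_task_context` still dereferences `task->security` via `rcu_dereference()` with no statement of the locking it relies on; dropping the cast is fine, but the helper is now the one place a reader would look for that contract. I would add above the function `/* Caller must hold rcu_read_lock() or otherwise pin task->security for the duration of use. */`, hedged as "presumably" if the file's other accessors do not spell it out. The surrounding header declarations continue outside this hunk.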
|
|
|
|
static inline struct aa_namespace *aa_get_namespace(struct aa_namespace *ns)
|
|
@@ -91,7 +91,7 @@ static inline struct aa_profile *aa_get_
|
|
static inline struct aa_profile *aa_find_profile(struct aa_namespace *ns,
|
|
const char *name)
|
|
{
|
|
- struct aa_profile *profile = NULL;
|
|
+ struct aa_profile *profile;
|
|
|
|
read_lock(&ns->lock);
|
|
profile = aa_dup_profile(__aa_find_profile(name, &ns->profiles));
|
|
--- a/security/apparmor/list.c
|
|
+++ b/security/apparmor/list.c
|
|
@@ -112,6 +112,7 @@ static struct aa_profile *next_profile(s
|
|
}
|
|
|
|
static void *p_start(struct seq_file *f, loff_t *pos)
|
|
+ __acquires(profile_ns_list_lock)
|
|
{
|
|
struct aa_namespace *ns;
|
|
loff_t l = *pos;
|
|
@@ -144,6 +145,7 @@ static void *p_next(struct seq_file *f,
|
|
}
|
|
|
|
static void p_stop(struct seq_file *f, void *p)
|
|
+ __releases(profile_ns_list_lock)
|
|
{
|
|
struct aa_profile *profile = (struct aa_profile *) p;
|
|
|
|
--- a/security/apparmor/lsm.c
|
|
+++ b/security/apparmor/lsm.c
|
|
@@ -10,7 +10,7 @@
|
|
*/
|
|
|
|
#include <linux/security.h>
|
|
-#include <linux/module.h>
|
|
+#include <linux/moduleparam.h>
|
|
#include <linux/mm.h>
|
|
#include <linux/mman.h>
|
|
#include <linux/mount.h>
|
|
@@ -59,27 +59,21 @@ static int param_get_aauint(char *buffer
|
|
*/
|
|
int apparmor_complain;
|
|
module_param_named(complain, apparmor_complain, aabool, S_IRUSR | S_IWUSR);
|
|
-MODULE_PARM_DESC(apparmor_complain, "Toggle AppArmor complain mode");
|
|
|
|
/* Debug mode */
|
|
int apparmor_debug;
|
|
module_param_named(debug, apparmor_debug, aabool, S_IRUSR | S_IWUSR);
|
|
-MODULE_PARM_DESC(apparmor_debug, "Toggle AppArmor debug mode");
|
|
|
|
/* Audit mode */
|
|
int apparmor_audit;
|
|
module_param_named(audit, apparmor_audit, aabool, S_IRUSR | S_IWUSR);
|
|
-MODULE_PARM_DESC(apparmor_audit, "Toggle AppArmor audit mode");
|
|
-
|
|
/* Syscall logging mode */
|
|
int apparmor_logsyscall;
|
|
module_param_named(logsyscall, apparmor_logsyscall, aabool, S_IRUSR | S_IWUSR);
|
|
-MODULE_PARM_DESC(apparmor_logsyscall, "Toggle AppArmor logsyscall mode");
|
|
|
|
/* Maximum pathname length before accesses will start getting rejected */
|
|
unsigned int apparmor_path_max = 2 * PATH_MAX;
|
|
module_param_named(path_max, apparmor_path_max, aauint, S_IRUSR | S_IWUSR);
|
|
-MODULE_PARM_DESC(apparmor_path_max, "Maximum pathname length allowed");
|
|
|
|
/* Boot time disable flag */
|
|
#ifdef CONFIG_SECURITY_APPARMOR_DISABLE
|
|
@@ -88,10 +82,9 @@ MODULE_PARM_DESC(apparmor_path_max, "Max
|
|
#define AA_ENABLED_PERMS 0400
|
|
#endif
|
|
static int param_set_aa_enabled(const char *val, struct kernel_param *kp);
|
|
-unsigned int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
|
|
+static unsigned int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
|
|
module_param_call(enabled, param_set_aa_enabled, param_get_aauint,
|
|
&apparmor_enabled, AA_ENABLED_PERMS);
|
|
-MODULE_PARM_DESC(apparmor_enabled, "Enable/Disable Apparmor on boot");
|
|
|
|
static int __init apparmor_enabled_setup(char *str)
|
|
{
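Review bot: `apparmor_enabled` becomes `static` here, but nothing in this diff removes a matching `extern` declaration from apparmor.h or updates other translation units that may reference it, so if any such user exists the change will fail at link time; I cannot see those files from here. Since this is the variable that gates whether the LSM enforces at all, it is worth a one-line comment above the definition noting that it is intentionally file-local and only reachable through the `enabled` module parameter and the `apparmor_enabled_setup` boot hook, e.g. `/* Only reachable via the "enabled" param and boot hook below; keep file-local. */`. `apparmor_enabled_setup` starts inside this hunk and its body lies outside it.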
|
|
@@ -578,7 +571,7 @@ static int apparmor_file_permission(stru
|
|
aa_mask_permissions(mask));
|
|
}
|
|
|
|
-static inline int apparmor_file_lock(struct file *file, unsigned int cmd)
|
|
+static int apparmor_file_lock(struct file *file, unsigned int cmd)
|
|
{
|
|
int mask = AA_MAY_LOCK;
|
|
if (cmd == F_WRLCK)
|
|
@@ -604,8 +597,8 @@ static void apparmor_file_free_security(
|
|
aa_put_profile(file_profile);
|
|
}
|
|
|
|
-static inline int aa_mmap(struct file *file, const char *operation,
|
|
- unsigned long prot, unsigned long flags)
|
|
+static int aa_mmap(struct file *file, const char *operation,
|
|
+ unsigned long prot, unsigned long flags)
|
|
{
|
|
struct dentry *dentry;
|
|
int mask = 0;
|
|
@@ -936,7 +929,7 @@ int apparmor_unregister_subsecurity(cons
|
|
return error;
|
|
}
|
|
|
|
-struct security_operations apparmor_ops = {
|
|
+static struct security_operations apparmor_ops = {
|
|
.name = "apparmor",
|
|
.ptrace = apparmor_ptrace,
|
|
.capget = cap_capget,
|
|
@@ -1083,6 +1076,3 @@ void apparmor_disable(void)
|
|
info_message("AppArmor protection removed", NULL);
|
|
}
|
|
|
|
-MODULE_DESCRIPTION("AppArmor process confinement");
|
|
-MODULE_AUTHOR("Novell/Immunix, http://bugs.opensuse.org");
|
|
-MODULE_LICENSE("GPL");
|
|
--- a/security/apparmor/main.c
|
|
+++ b/security/apparmor/main.c
|
|
@@ -299,7 +299,7 @@ int aa_audit_reject(struct aa_profile *p
|
|
* @profile: profile to check against
|
|
* @sa: audit event
|
|
*/
|
|
-int aa_audit(struct aa_profile *profile, struct aa_audit *sa)
|
|
+static int aa_audit(struct aa_profile *profile, struct aa_audit *sa)
|
|
{
|
|
int type = AUDIT_APPARMOR_DENIED;
|
|
struct audit_context *audit_cxt;
|
|
@@ -520,7 +520,8 @@ static char *new_compound_name(const cha
|
|
sprintf(name, "%s//%s", n1, n2);
|
|
return name;
|
|
}
|
|
-static inline void aa_put_name_buffer(char *buffer)
|
|
+
|
|
+static void aa_put_name_buffer(char *buffer)
|
|
{
|
|
kfree(buffer);
|
|
}
|
|
--- a/security/apparmor/match.c
|
|
+++ b/security/apparmor/match.c
|
|
@@ -226,8 +226,9 @@ void aa_match_free(struct aa_dfa *dfa)
|
|
* but that would require traversing the string twice and be slightly
|
|
* slower.
|
|
*/
|
|
-unsigned int aa_dfa_next_state_len(struct aa_dfa *dfa, unsigned int start,
|
|
- const char *str, int len)
|
|
+static unsigned int aa_dfa_next_state_len(struct aa_dfa *dfa,
|
|
+ unsigned int start,
|
|
+ const char *str, int len)
|
|
{
|
|
u16 *def = DEFAULT_TABLE(dfa);
|
|
u32 *base = BASE_TABLE(dfa);
|
|
--- a/security/apparmor/module_interface.c
|
|
+++ b/security/apparmor/module_interface.c
|
|
@@ -61,7 +61,7 @@ struct aa_ext {
|
|
char *ns_name;
|
|
};
|
|
|
|
-static inline int aa_inbounds(struct aa_ext *e, size_t size)
|
|
+static int aa_inbounds(struct aa_ext *e, size_t size)
|
|
{
|
|
return (size <= e->end - e->pos);
|
|
}
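Review bot: `aa_inbounds` compares the unsigned `size` against the signed pointer difference `e->end - e->pos`; if `e->pos` ever advances past `e->end`, the negative difference is converted to a large unsigned value and the check passes, which is the wrong direction for the bounds guard that protects profile unpacking from userspace data. The function is only losing `inline` in this hunk, but it is the right moment to make the invariant explicit: `return e->pos <= e->end && size <= (size_t)(e->end - e->pos);`. Whether any caller can actually overrun `e->pos` is not visible from this diff, so treat the guard as defensive rather than as a fix for a known overrun.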
|
|
@@ -94,7 +94,7 @@ fail:
|
|
return 0;
|
|
}
|
|
|
|
-static inline int aa_is_X(struct aa_ext *e, enum aa_code code)
|
|
+static int aa_is_X(struct aa_ext *e, enum aa_code code)
|
|
{
|
|
if (!aa_inbounds(e, 1))
|
|
return 0;
|
|
@@ -369,7 +369,7 @@ fail:
|
|
static struct aa_profile *aa_unpack_profile(struct aa_ext *e,
|
|
struct aa_audit *sa)
|
|
{
|
|
- struct aa_profile *profile = NULL;
|
|
+ struct aa_profile *profile;
|
|
size_t size = 0;
|
|
int i, error = -EPROTO;
|
|
|
|
@@ -465,8 +465,7 @@ fail:
|
|
sa->info = "failed to unpack profile";
|
|
aa_audit_status(NULL, sa);
|
|
|
|
- if (profile)
|
|
- free_aa_profile(profile);
|
|
+ free_aa_profile(profile);
|
|
|
|
return ERR_PTR(error);
|
|
}
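Review bot: With the `= NULL` initializer removed in the earlier hunk of `aa_unpack_profile` and the `if (profile)` guard dropped here, the fail path now calls `free_aa_profile(profile)` on whatever `profile` happens to hold if any `goto fail` is taken before it is assigned; the function body is outside this hunk, so I cannot confirm that no such early failure exists. This path handles a malformed profile blob coming from userspace, so an uninitialized pointer reaching the free would be a memory-safety defect rather than a leak. If `free_aa_profile` tolerates NULL, which the unconditional call implies, keeping `struct aa_profile *profile = NULL;` costs nothing and keeps the fail path safe regardless of where the first failure occurs; if it does not, the guard should stay.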
|
|
@@ -508,7 +507,7 @@ static int aa_verify_header(struct aa_ex
|
|
*/
|
|
ssize_t aa_add_profile(void *data, size_t size)
|
|
{
|
|
- struct aa_profile *profile = NULL;
|
|
+ struct aa_profile *profile;
|
|
struct aa_namespace *ns = NULL;
|
|
struct aa_ext e = {
|
|
.start = data,
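Review bot: `aa_add_profile` also loses the `= NULL` initializer for `profile` here, and its error paths are outside this hunk, so I cannot tell whether any of them put or free `profile` before the unpack assigns it. If the function follows the same cleanup pattern as `aa_unpack_profile`, an early failure would hand an indeterminate pointer to the cleanup; if every failure before assignment returns without touching `profile`, the initializer is redundant and a short comment saying so would prevent the next reader from re-adding the guard. Note `ns` keeps its `= NULL` initializer on the next line, so the two locals are now treated inconsistently.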
|
|
@@ -585,7 +584,7 @@ ssize_t aa_add_profile(void *data, size_
|
|
* @new_cxt: new aa_task_context to do replacement with
|
|
* @new_profile: new profile
|
|
*/
|
|
-static inline void task_replace(struct task_struct *task,
|
|
+static void task_replace(struct task_struct *task,
|
|
struct aa_task_context *new_cxt,
|
|
struct aa_profile *new_profile)
|
|
{
|