Add missing inode_symlink hook
The lsm is missing the inode_symlink hook. Symlinks should be
treated like file creates, i.e., check for profile write access.
Index: b/security/apparmor/lsm.c
===================================================================
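--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -341,6 +341,26 @@ out:
 return error;
 }
 
+static int apparmor_inode_symlink(struct inode *dir, struct dentry *dentry,
+ struct vfsmount *mnt, const char *old_name)
+{
+ struct aa_profile *active;
+ int error = 0;
+
+ if (!mnt || !mediated_filesystem(dir))
+ goto out;
+
+ active = get_active_aa_profile();
+
+ if (active)
+ error = aa_perm(active, dentry, mnt, MAY_WRITE);
+
+ put_aa_profile(active);
+
+out:
+ return error;
+}
+
 static int apparmor_inode_mknod(struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, int mode, dev_t dev)
 {
@@ -791,6 +811,7 @@ struct security_operations apparmor_ops
 .inode_create = apparmor_inode_create,
 .inode_link = apparmor_inode_link,
 .inode_unlink = apparmor_inode_unlink,
+ .inode_symlink = apparmor_inode_symlink,
 .inode_mknod = apparmor_inode_mknod,
 .inode_rename = apparmor_inode_rename,
 .inode_permission = apparmor_inode_permission,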
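Review bot: The early exit `if (!mnt || !mediated_filesystem(dir)) goto out;` in apparmor_inode_symlink leaves `error` at 0, so a symlink requested by a caller that supplies no vfsmount is allowed without any profile check, and nothing in the function says whether that is intended. If it is, record it above the test with a comment such as `/* no vfsmount: the path cannot be resolved, so the request is not mediated */`; if it is not, that branch should return an error rather than success. `old_name` is never read, so only the new link's path is checked for MAY_WRITE and the target string is unconstrained at creation time; a one-line comment saying so (and, if that is the design, that the target is expected to be checked when the link is followed) would make the coverage explicit. `put_aa_profile(active)` is also reached when `active` is NULL, which presumably relies on that helper accepting NULL; its definition is not visible in this patch.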