mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 16:35:02 +01:00
459 lines
15 KiB
Diff
459 lines
15 KiB
Diff
Index: b/security/apparmor/apparmor.h
|
|
===================================================================
|
|
--- a/security/apparmor/apparmor.h
|
|
+++ b/security/apparmor/apparmor.h
|
|
@@ -37,7 +37,7 @@
|
|
|
|
/* Control parameters (0 or 1), settable thru module/boot flags or
|
|
* via /sys/kernel/security/apparmor/control */
|
|
-extern int apparmor_complain;
|
|
+extern int apparmor_learning;
|
|
extern int apparmor_debug;
|
|
extern int apparmor_audit;
|
|
extern int apparmor_logsyscall;
|
|
@@ -48,12 +48,12 @@ static inline int mediated_filesystem(st
|
|
return !(inode->i_sb->s_flags & MS_NOUSER);
|
|
}
|
|
|
|
-#define PROFILE_COMPLAIN(_profile) \
|
|
- (apparmor_complain == 1 || ((_profile) && (_profile)->flags.complain))
|
|
+#define PROFILE_LEARNING(_profile) \
|
|
+ (apparmor_learning == 1 || ((_profile) && (_profile)->flags.learning))
|
|
|
|
-#define APPARMOR_COMPLAIN(_cxt) \
|
|
- (apparmor_complain == 1 || \
|
|
- ((_cxt) && (_cxt)->profile && (_cxt)->profile->flags.complain))
|
|
+#define APPARMOR_LEARNING(_cxt) \
|
|
+ (apparmor_learning == 1 || \
|
|
+ ((_cxt) && (_cxt)->profile && (_cxt)->profile->flags.learning))
|
|
|
|
#define PROFILE_AUDIT(_profile) \
|
|
(apparmor_audit == 1 || ((_profile) && (_profile)->flags.audit))
|
|
@@ -116,7 +116,7 @@ struct aa_profile {
|
|
struct list_head list;
|
|
struct list_head sub;
|
|
struct {
|
|
- int complain;
|
|
+ int learning;
|
|
int audit;
|
|
} flags;
|
|
struct aa_profile *null_profile;
|
|
@@ -158,7 +158,7 @@ static inline struct aa_task_context *aa
|
|
return rcu_dereference((struct aa_task_context *)task->security);
|
|
}
|
|
|
|
-extern struct aa_profile *null_complain_profile;
|
|
+extern struct aa_profile *null_learning_profile;
|
|
|
|
/* aa_audit - AppArmor auditing structure
|
|
* Structure is populated by access control code and passed to aa_audit which
|
|
@@ -217,8 +217,8 @@ struct aa_audit {
|
|
|
|
/* main.c */
|
|
extern void free_aa_task_context_rcu_callback(struct rcu_head *head);
|
|
-extern int alloc_null_complain_profile(void);
|
|
-extern void free_null_complain_profile(void);
|
|
+extern int alloc_null_learning_profile(void);
|
|
+extern void free_null_learning_profile(void);
|
|
extern int attach_nullprofile(struct aa_profile *profile);
|
|
extern int aa_audit_message(struct aa_profile *profile, gfp_t gfp, int,
|
|
const char *, ...);
|
|
Index: b/security/apparmor/apparmorfs.c
|
|
===================================================================
|
|
--- a/security/apparmor/apparmorfs.c
|
|
+++ b/security/apparmor/apparmorfs.c
|
|
@@ -106,8 +106,8 @@ static struct root_entry {
|
|
|
|
/* interface for setting binary config values */
|
|
{"control", S_IFDIR, 0550},
|
|
- {"complain", S_IFREG, 0640, &apparmorfs_control_fops,
|
|
- &apparmor_complain},
|
|
+ {"learning", S_IFREG, 0640, &apparmorfs_control_fops,
|
|
+ &apparmor_learning},
|
|
{"audit", S_IFREG, 0640, &apparmorfs_control_fops,
|
|
&apparmor_audit},
|
|
{"debug", S_IFREG, 0640, &apparmorfs_control_fops,
|
|
Index: b/security/apparmor/list.c
|
|
===================================================================
|
|
--- a/security/apparmor/list.c
|
|
+++ b/security/apparmor/list.c
|
|
@@ -84,7 +84,7 @@ static int seq_show_profile(struct seq_f
|
|
{
|
|
struct aa_profile *profile = (struct aa_profile *)v;
|
|
seq_printf(f, "%s (%s)\n", profile->name,
|
|
- PROFILE_COMPLAIN(profile) ? "complain" : "enforce");
|
|
+ PROFILE_LEARNING(profile) ? "learning" : "enforce");
|
|
return 0;
|
|
}
|
|
|
|
Index: b/security/apparmor/lsm.c
|
|
===================================================================
|
|
--- a/security/apparmor/lsm.c
|
|
+++ b/security/apparmor/lsm.c
|
|
@@ -26,15 +26,15 @@
|
|
* /sys/modules/parameters, as we want to do additional mediation and
|
|
* don't want to add special path code. */
|
|
|
|
-/* Complain mode -- in complain mode access failures result in auditing only
|
|
+/* Learning mode -- in learning mode access failures result in auditing only
|
|
* and task is allowed access. audit events are processed by userspace to
|
|
* generate policy. Default is 'enforce' (0).
|
|
* Value is also togglable per profile and referenced when global value is
|
|
* enforce.
|
|
*/
|
|
-int apparmor_complain = 0;
|
|
-module_param_named(complain, apparmor_complain, int, S_IRUSR);
|
|
-MODULE_PARM_DESC(apparmor_complain, "Toggle AppArmor complain mode");
|
|
+int apparmor_learning = 0;
|
|
+module_param_named(learning, apparmor_learning, int, S_IRUSR);
|
|
+MODULE_PARM_DESC(apparmor_learning, "Toggle AppArmor learning mode");
|
|
|
|
/* Debug mode */
|
|
int apparmor_debug = 0;
|
|
@@ -767,15 +767,15 @@ struct security_operations apparmor_ops
|
|
static int __init apparmor_init(void)
|
|
{
|
|
int error;
|
|
- const char *complainmsg = ": complainmode enabled";
|
|
+ const char *learningmsg = ": learningmode enabled";
|
|
|
|
if ((error = create_apparmorfs())) {
|
|
AA_ERROR("Unable to activate AppArmor filesystem\n");
|
|
goto createfs_out;
|
|
}
|
|
|
|
- if ((error = alloc_null_complain_profile())){
|
|
- AA_ERROR("Unable to allocate null complain profile\n");
|
|
+ if ((error = alloc_null_learning_profile())){
|
|
+ AA_ERROR("Unable to allocate null learning profile\n");
|
|
goto alloc_out;
|
|
}
|
|
|
|
@@ -785,15 +785,15 @@ static int __init apparmor_init(void)
|
|
}
|
|
|
|
AA_INFO(GFP_KERNEL, "AppArmor initialized%s\n",
|
|
- apparmor_complain ? complainmsg : "");
|
|
+ apparmor_learning ? learningmsg : "");
|
|
aa_audit_message(NULL, GFP_KERNEL, 0,
|
|
"AppArmor initialized%s\n",
|
|
- apparmor_complain ? complainmsg : "");
|
|
+ apparmor_learning ? learningmsg : "");
|
|
|
|
return error;
|
|
|
|
register_security_out:
|
|
- free_null_complain_profile();
|
|
+ free_null_learning_profile();
|
|
|
|
alloc_out:
|
|
(void)destroy_apparmorfs();
|
|
@@ -825,7 +825,7 @@ static void __exit apparmor_exit(void)
|
|
|
|
/* FIXME: cleanup profiles references on files */
|
|
|
|
- free_null_complain_profile();
|
|
+ free_null_learning_profile();
|
|
|
|
/**
|
|
* Delay for an rcu cycle to make sure that all active task
|
|
Index: b/security/apparmor/main.c
|
|
===================================================================
|
|
--- a/security/apparmor/main.c
|
|
+++ b/security/apparmor/main.c
|
|
@@ -25,17 +25,17 @@ static const char *capability_names[] =
|
|
#include "capability_names.h"
|
|
};
|
|
|
|
-/* NULL complain profile
|
|
+/* NULL learning profile
|
|
*
|
|
- * Used when in complain mode, to emit Permitting messages for non-existant
|
|
+ * Used when in learning mode, to emit Permitting messages for non-existant
|
|
* profiles and hats. This is necessary because of selective mode, in which
|
|
- * case we need a complain null_profile and enforce null_profile
|
|
+ * case we need a learning null_profile and enforce null_profile
|
|
*
|
|
- * The null_complain_profile cannot be statically allocated, because it
|
|
+ * The null_learning_profile cannot be statically allocated, because it
|
|
* can be associated to files which keep their reference even if apparmor is
|
|
* unloaded
|
|
*/
|
|
-struct aa_profile *null_complain_profile;
|
|
+struct aa_profile *null_learning_profile;
|
|
|
|
/***************************
|
|
* Private utility functions
|
|
@@ -237,14 +237,14 @@ int attach_nullprofile(struct aa_profile
|
|
hat = alloc_aa_profile();
|
|
if (!hat)
|
|
goto fail;
|
|
- if (profile->flags.complain)
|
|
- hatname = kstrdup("null-complain-profile", GFP_KERNEL);
|
|
+ if (profile->flags.learning)
|
|
+ hatname = kstrdup("null-learning-profile", GFP_KERNEL);
|
|
else
|
|
hatname = kstrdup("null-profile", GFP_KERNEL);
|
|
if (!hatname)
|
|
goto fail;
|
|
|
|
- hat->flags.complain = profile->flags.complain;
|
|
+ hat->flags.learning = profile->flags.learning;
|
|
hat->name = hatname;
|
|
hat->parent = profile;
|
|
|
|
@@ -261,43 +261,43 @@ fail:
|
|
|
|
|
|
/**
|
|
- * alloc_null_complain_profile - Allocate the global null_complain_profile.
|
|
+ * alloc_null_learning_profile - Allocate the global null_learning_profile.
|
|
*
|
|
* Return %0 (success) or error (-%ENOMEM)
|
|
*/
|
|
-int alloc_null_complain_profile(void)
|
|
+int alloc_null_learning_profile(void)
|
|
{
|
|
- null_complain_profile = alloc_aa_profile();
|
|
- if (!null_complain_profile)
|
|
+ null_learning_profile = alloc_aa_profile();
|
|
+ if (!null_learning_profile)
|
|
goto fail;
|
|
|
|
- null_complain_profile->name =
|
|
- kstrdup("null-complain-profile", GFP_KERNEL);
|
|
+ null_learning_profile->name =
|
|
+ kstrdup("null-learning-profile", GFP_KERNEL);
|
|
|
|
- if (!null_complain_profile->name)
|
|
+ if (!null_learning_profile->name)
|
|
goto fail;
|
|
|
|
- null_complain_profile->flags.complain = 1;
|
|
- if (attach_nullprofile(null_complain_profile))
|
|
+ null_learning_profile->flags.learning = 1;
|
|
+ if (attach_nullprofile(null_learning_profile))
|
|
goto fail;
|
|
|
|
return 0;
|
|
|
|
fail:
|
|
/* free_aa_profile is safe for freeing partially constructed objects */
|
|
- free_aa_profile(null_complain_profile);
|
|
- null_complain_profile = NULL;
|
|
+ free_aa_profile(null_learning_profile);
|
|
+ null_learning_profile = NULL;
|
|
|
|
return -ENOMEM;
|
|
}
|
|
|
|
/**
|
|
- * free_null_complain_profile - Free null profiles
|
|
+ * free_null_learning_profile - Free null profiles
|
|
*/
|
|
-void free_null_complain_profile(void)
|
|
+void free_null_learning_profile(void)
|
|
{
|
|
- aa_put_profile(null_complain_profile);
|
|
- null_complain_profile = NULL;
|
|
+ aa_put_profile(null_learning_profile);
|
|
+ null_learning_profile = NULL;
|
|
}
|
|
|
|
/**
|
|
@@ -362,7 +362,7 @@ int aa_audit(struct aa_profile *profile,
|
|
const char *logcls;
|
|
unsigned int flags;
|
|
int audit = 0,
|
|
- complain = 0,
|
|
+ learning = 0,
|
|
error = -EINVAL,
|
|
opspec_error = -EACCES;
|
|
|
|
@@ -400,8 +400,8 @@ int aa_audit(struct aa_profile *profile,
|
|
*/
|
|
logcls = "REJECTING";
|
|
} else {
|
|
- complain = PROFILE_COMPLAIN(profile);
|
|
- logcls = complain ? "PERMITTING" : "REJECTING";
|
|
+ learning = PROFILE_LEARNING(profile);
|
|
+ logcls = learning ? "PERMITTING" : "REJECTING";
|
|
}
|
|
|
|
/* In future extend w/ per-profile flags
|
|
@@ -427,7 +427,7 @@ int aa_audit(struct aa_profile *profile,
|
|
if (!ab) {
|
|
AA_ERROR("Unable to log event (%d) to audit subsys\n",
|
|
sa->type);
|
|
- if (complain)
|
|
+ if (learning)
|
|
error = 0;
|
|
goto out;
|
|
}
|
|
@@ -509,7 +509,7 @@ int aa_audit(struct aa_profile *profile,
|
|
|
|
audit_log_end(ab);
|
|
|
|
- if (complain)
|
|
+ if (learning)
|
|
error = 0;
|
|
else
|
|
error = sa->result ? 0 : opspec_error;
|
|
@@ -664,7 +664,7 @@ int aa_capability(struct aa_task_context
|
|
|
|
/* test if cap has alread been logged */
|
|
if (cap_raised(cxt->caps_logged, cap)) {
|
|
- if (PROFILE_COMPLAIN(cxt->profile))
|
|
+ if (PROFILE_LEARNING(cxt->profile))
|
|
error = 0;
|
|
return error;
|
|
} else
|
|
@@ -773,8 +773,8 @@ repeat:
|
|
cxt->hat_magic);
|
|
unlock_profile(profile);
|
|
|
|
- if (APPARMOR_COMPLAIN(child_cxt) &&
|
|
- profile == null_complain_profile) {
|
|
+ if (APPARMOR_LEARNING(child_cxt) &&
|
|
+ profile == null_learning_profile) {
|
|
LOG_HINT(profile, GFP_KERNEL, HINT_FORK,
|
|
"pid=%d child=%d\n",
|
|
current->pid, child->pid);
|
|
@@ -788,7 +788,7 @@ repeat:
|
|
|
|
static struct aa_profile *
|
|
aa_register_find(struct aa_profile *profile, const char *name, int mandatory,
|
|
- int complain)
|
|
+ int learning)
|
|
{
|
|
struct aa_profile *new_profile;
|
|
|
|
@@ -798,14 +798,14 @@ aa_register_find(struct aa_profile *prof
|
|
AA_DEBUG("%s: setting profile %s\n",
|
|
__FUNCTION__, new_profile->name);
|
|
} else if (mandatory && profile) {
|
|
- if (complain) {
|
|
+ if (learning) {
|
|
LOG_HINT(profile, GFP_KERNEL, HINT_MANDPROF,
|
|
"image=%s pid=%d profile=%s active=%s\n",
|
|
name,
|
|
current->pid,
|
|
profile->parent->name, profile->name);
|
|
|
|
- profile = aa_dup_profile(null_complain_profile);
|
|
+ profile = aa_dup_profile(null_learning_profile);
|
|
} else {
|
|
AA_WARN(GFP_KERNEL, "REJECTING exec(2) of image '%s'. "
|
|
"Profile mandatory and not found "
|
|
@@ -838,7 +838,7 @@ int aa_register(struct linux_binprm *bpr
|
|
char *filename, *buffer = NULL;
|
|
struct file *filp = bprm->file;
|
|
struct aa_profile *profile, *old_profile, *new_profile = NULL;
|
|
- int exec_mode = AA_EXEC_UNSAFE, complain = 0;
|
|
+ int exec_mode = AA_EXEC_UNSAFE, learning = 0;
|
|
|
|
AA_DEBUG("%s\n", __FUNCTION__);
|
|
|
|
@@ -852,7 +852,7 @@ int aa_register(struct linux_binprm *bpr
|
|
repeat:
|
|
profile = aa_get_profile(current);
|
|
if (profile) {
|
|
- complain = PROFILE_COMPLAIN(profile);
|
|
+ learning = PROFILE_LEARNING(profile);
|
|
|
|
/* Confined task, determine what mode inherit, unconfined or
|
|
* mandatory to load new profile
|
|
@@ -883,7 +883,7 @@ repeat:
|
|
filename);
|
|
new_profile = aa_register_find(profile,
|
|
filename, 1,
|
|
- complain);
|
|
+ learning);
|
|
break;
|
|
|
|
default:
|
|
@@ -900,12 +900,12 @@ repeat:
|
|
break;
|
|
}
|
|
|
|
- } else if (complain) {
|
|
+ } else if (learning) {
|
|
/* There was no entry in calling profile
|
|
* describing mode to execute image in.
|
|
* Drop into null-profile (disabling secure exec).
|
|
*/
|
|
- new_profile = aa_dup_profile(null_complain_profile);
|
|
+ new_profile = aa_dup_profile(null_learning_profile);
|
|
exec_mode |= AA_EXEC_UNSAFE;
|
|
} else {
|
|
AA_WARN(GFP_KERNEL,
|
|
@@ -957,7 +957,7 @@ repeat:
|
|
((unsigned long)bprm->security | bprm_flags);
|
|
}
|
|
|
|
- if (complain && new_profile == null_complain_profile) {
|
|
+ if (learning && new_profile == null_learning_profile) {
|
|
LOG_HINT(new_profile, GFP_ATOMIC, HINT_CHGPROF,
|
|
"pid=%d\n",
|
|
current->pid);
|
|
@@ -1044,7 +1044,7 @@ static inline int do_change_hat(const ch
|
|
} else {
|
|
struct aa_profile *profile = cxt->profile;
|
|
|
|
- if (APPARMOR_COMPLAIN(cxt)) {
|
|
+ if (APPARMOR_LEARNING(cxt)) {
|
|
LOG_HINT(profile, GFP_ATOMIC, HINT_UNKNOWN_HAT,
|
|
"%s pid=%d "
|
|
"profile=%s active=%s\n",
|
|
@@ -1116,7 +1116,7 @@ int aa_change_hat(const char *hat_name,
|
|
profile = cxt->profile;
|
|
|
|
/* check to see if the confined process has any hats. */
|
|
- if (list_empty(&profile->parent->sub) && !PROFILE_COMPLAIN(profile)) {
|
|
+ if (list_empty(&profile->parent->sub) && !PROFILE_LEARNING(profile)) {
|
|
error = -ECHILD;
|
|
goto out;
|
|
}
|
|
Index: b/security/apparmor/module_interface.c
|
|
===================================================================
|
|
--- a/security/apparmor/module_interface.c
|
|
+++ b/security/apparmor/module_interface.c
|
|
@@ -245,12 +245,12 @@ static struct aa_profile *aa_unpack_prof
|
|
if (!aa_is_dynstring(e, &profile->name, NULL))
|
|
goto fail;
|
|
|
|
- /* per profile debug flags (complain, audit) */
|
|
+ /* per profile debug flags (learning, audit) */
|
|
if (!aa_is_nameX(e, AA_STRUCT, "flags"))
|
|
goto fail;
|
|
if (!aa_is_u32(e, NULL, NULL))
|
|
goto fail;
|
|
- if (!aa_is_u32(e, &(profile->flags.complain), NULL))
|
|
+ if (!aa_is_u32(e, &(profile->flags.learning), NULL))
|
|
goto fail;
|
|
if (!aa_is_u32(e, &(profile->flags.audit), NULL))
|
|
goto fail;
|
|
@@ -308,7 +308,7 @@ static struct aa_profile *aa_unpack_prof
|
|
{
|
|
struct aa_profile *profile = aa_unpack_profile(e);
|
|
if (!IS_ERR(profile) &&
|
|
- (!list_empty(&profile->sub) || profile->flags.complain)) {
|
|
+ (!list_empty(&profile->sub) || profile->flags.learning)) {
|
|
int error;
|
|
if ((error = attach_nullprofile(profile))) {
|
|
aa_put_profile(profile);
|
|
Index: b/security/apparmor/procattr.c
|
|
===================================================================
|
|
--- a/security/apparmor/procattr.c
|
|
+++ b/security/apparmor/procattr.c
|
|
@@ -19,8 +19,8 @@ int aa_getprocattr(struct aa_profile *pr
|
|
char *str;
|
|
|
|
if (profile) {
|
|
- const char *mode_str = PROFILE_COMPLAIN(profile) ?
|
|
- " (complain)" : " (enforce)";
|
|
+ const char *mode_str = PROFILE_LEARNING(profile) ?
|
|
+ " (learning)" : " (enforce)";
|
|
|
|
*len = ((profile != profile->parent) ?
|
|
strlen(profile->parent->name) + 1 : 0) +
|