
- fix split init so that apparmor can be enabled at the boot command line. The init was broken so that apparmor couldn't be enabled unless enabled by default. M apparmor-fix-lock-letter.diff - fix the lock letter being reported (z -> k) and update some comments A apparmor-create-append.diff - fix semantic bug where full write perms were needed to create a new file, where only append is needed. M fix-link-subset.diff - partial fix of link subset A no-safex-link-subset.diff - more link subset fixes A audit-log-type-in-syslog.diff - fix audit type being missing when messages go to syslog. This patch is needed for apparmor to work when messages go to syslog instead of auditd. This patch can be dropped when upstream includes the patch to report audit number when reporting to syslog A audit-uid.diff - report the fsuid to the log A hat_perm.diff - setup to use hat permissions instead of just profile search for 2.3 A apparmor-failed-name-error.diff - fix a bug where on failed name resolution no error or information is output. It now reports info in the status field and includes an error_code A extend-x-mods.diff - extend the x-mods in preparation of audit ctl A apparmor-secondary-accept.diff - extend the dfa to have a second accept table used for audit ctl A apparmor-audit-flags2.diff - extend apparmor to support audit ctl of individual permissions. - finish fixing link-subset A fix-change_profile-namespace.diff - Not applied, ignore
---
security/apparmor/apparmor.h | 1 +
security/apparmor/match.c | 9 +++++++--
security/apparmor/match.h | 2 ++
3 files changed, 10 insertions(+), 2 deletions(-)
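--- a/security/apparmor/apparmor.h
+++ b/security/apparmor/apparmor.h
@@ -87,6 +87,7 @@
 AA_AUDIT_FIELD)
 
 #define AA_VALID_PERM_MASK (AA_FILE_PERMS | AA_SHARED_PERMS)
+#define AA_VALID_PERM2_MASK 0x0fffffff
 
 #define AA_SECURE_EXEC_NEEDED 1
 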
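Review bot: `AA_VALID_PERM2_MASK` is a bare hex literal with nothing saying why the top nibble of the second accept table is excluded, while the sibling `AA_VALID_PERM_MASK` on the line above is composed from named permission groups, so a reader of verify_dfa cannot tell what values it is rejecting or why. A one-line comment such as `/* bits allowed in the second accept table; the top nibble is rejected because ... */`, with the reason filled in from the audit-ctl design, would close that gap. If the low 28 bits are later given names, building the mask from them like the sibling would keep the two definitions in the same form.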
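--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -83,6 +83,7 @@ int unpack_dfa(struct aa_dfa *dfa, void
 
 switch(table->td_id) {
 case YYTD_ID_ACCEPT:
+ case YYTD_ID_ACCEPT2:
 case YYTD_ID_BASE:
 dfa->tables[table->td_id - 1] = table;
 if (table->td_flags != YYTD_DATA32)
@@ -134,7 +135,8 @@ int verify_dfa(struct aa_dfa *dfa)
 int error = -EPROTO;
 
 /* check that required tables exist */
- if (!(dfa->tables[YYTD_ID_ACCEPT -1 ] &&
+ if (!(dfa->tables[YYTD_ID_ACCEPT - 1] &&
+ dfa->tables[YYTD_ID_ACCEPT2 - 1] &&
 dfa->tables[YYTD_ID_DEF - 1] &&
 dfa->tables[YYTD_ID_BASE - 1] &&
 dfa->tables[YYTD_ID_NXT - 1] &&
@@ -144,7 +146,8 @@ int verify_dfa(struct aa_dfa *dfa)
 /* accept.size == default.size == base.size */
 state_count = dfa->tables[YYTD_ID_BASE - 1]->td_lolen;
 if (!(state_count == dfa->tables[YYTD_ID_DEF - 1]->td_lolen &&
- state_count == dfa->tables[YYTD_ID_ACCEPT - 1]->td_lolen))
+ state_count == dfa->tables[YYTD_ID_ACCEPT - 1]->td_lolen &&
+ state_count == dfa->tables[YYTD_ID_ACCEPT2 - 1]->td_lolen))
 goto out;
 
 /* next.size == chk.size */
@@ -177,6 +180,8 @@ int verify_dfa(struct aa_dfa *dfa)
 
 if (mode & ~AA_VALID_PERM_MASK)
 goto out;
+ if (ACCEPT_TABLE2(dfa)[i] & ~AA_VALID_PERM2_MASK)
+ goto out;
 
 /* if any exec modifier is set MAY_EXEC must be set */
 if ((mode & AA_USER_EXEC_TYPE) && !(mode & AA_USER_EXEC))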
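Review bot: Adding `dfa->tables[YYTD_ID_ACCEPT2 - 1]` to the "required tables exist" check in verify_dfa (second hunk) makes every DFA blob that carries no second accept table fail to load with -EPROTO, which is a policy-format compatibility break unless the interface version is bumped in the same series (not visible in this commit). If previously compiled profiles are expected to keep loading, the table could instead be treated as optional, with the size-equality test in the third hunk and the per-state mask test in the fourth guarded on its presence; if it is meant to be mandatory from this format onwards, a comment on the check saying so would record the decision. In the fourth hunk the first table's value is cached in `mode` while the second is read inline as `ACCEPT_TABLE2(dfa)[i]`; a parallel local would make the two checks read alike. The guard is correctly placed after the existence and size checks, so the index is in bounds when it runs. unpack_dfa and verify_dfa both extend beyond the shown hunks.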
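--- a/security/apparmor/match.h
+++ b/security/apparmor/match.h
@@ -39,6 +39,7 @@ struct table_set_header {
 #define YYTD_ID_DEF 4
 #define YYTD_ID_EC 5
 #define YYTD_ID_META 6
+#define YYTD_ID_ACCEPT2 7
 #define YYTD_ID_NXT 8
 
 
@@ -60,6 +61,7 @@ struct table_header {
 #define CHECK_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_CHK - 1]->td_data))
 #define EQUIV_TABLE(DFA) ((u8 *)((DFA)->tables[YYTD_ID_EC - 1]->td_data))
 #define ACCEPT_TABLE(DFA) ((u32 *)((DFA)->tables[YYTD_ID_ACCEPT - 1]->td_data))
+#define ACCEPT_TABLE2(DFA) ((u32 *)((DFA)->tables[YYTD_ID_ACCEPT2 -1]->td_data))
 
 struct aa_dfa {
 struct table_header *tables[YYTD_ID_NXT];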
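Review bot: The new `ACCEPT_TABLE2` macro in the second hunk spells its index as `YYTD_ID_ACCEPT2 -1` while the three sibling macros directly above write `- 1`, and this same commit corrects exactly that spacing in match.c's verify_dfa; `#define ACCEPT_TABLE2(DFA) ((u32 *)((DFA)->tables[YYTD_ID_ACCEPT2 - 1]->td_data))` keeps the header consistent. The id value 7 in the first hunk fills the gap between YYTD_ID_META and YYTD_ID_NXT and stays inside `tables[YYTD_ID_NXT]` when unpack_dfa stores by `td_id - 1`, but it also has to be the id the userspace policy compiler emits for the second accept table, which this diff cannot confirm; a short comment on the define tying it to that producer would help the next reader check it.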