
- rework how null transitions are done. M fix-profile-namespaces.diff - fix namespaces to use the :namespace: syntax A cap-set.diff - allow a profile to set a task's capabilities similar to fscap A rlimits.diff - allow control of a task's rlimits
---
security/apparmor/list.c | 2 +-
security/apparmor/main.c | 20 +++++++++++---------
security/apparmor/procattr.c | 13 +++++++------
3 files changed, 19 insertions(+), 16 deletions(-)
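--- a/security/apparmor/list.c
+++ b/security/apparmor/list.c
@@ -142,7 +142,7 @@ static int seq_show_profile(struct seq_f
 seq_printf(f, "%s (%s)\n", profile->name,
 PROFILE_COMPLAIN(profile) ? "complain" : "enforce");
 else
-seq_printf(f, "%s:%s (%s)\n", profile->ns->name, profile->name,
+seq_printf(f, ":%s:%s (%s)\n", profile->ns->name, profile->name,
 PROFILE_COMPLAIN(profile) ? "complain" : "enforce");
 return 0;
 }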
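Review bot: The `":%s:%s (%s)\n"` format hard-codes the `:ns:name` syntax here while procattr.c assembles the same string byte by byte from separate `':'` writes and length arithmetic, so the two sites can drift apart the way the old `ns:name` form and its `+ 1` length did; a small shared helper that formats a profile's display name, or at least a comment naming the other site, would keep them in lockstep. Nothing in the hunk confirms that `profile->ns` is non-NULL on this branch; presumably the preceding `if` (outside the hunk) selects the default namespace, so the `else` can only see a non-default one — worth a one-line comment, e.g. `/* non-default namespace: print as :ns:name */`. seq_show_profile begins outside the hunk.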
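--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -251,8 +251,10 @@ static int aa_audit_base(struct aa_profi
 audit_log_format(ab, " profile=");
 audit_log_untrustedstring(ab, profile->name);
 
-audit_log_format(ab, " namespace=");
-audit_log_untrustedstring(ab, profile->ns->name);
+if (profile->ns != default_namespace) {
+audit_log_format(ab, " namespace=");
+audit_log_untrustedstring(ab, profile->ns->name);
+}
 }
 
 audit_log_end(ab);
@@ -1364,15 +1366,15 @@ repeat:
 
 if (hat_name) {
 char *name, *profile_name;
-/* Not Yet. This perm check is currently done by searching
-for the hat profile. When hat style profile names
-become more generic then this will be needed.
-if (!(aa_match(profile->file_rules, hat_name) &
-AA_CHANGE_PROFILE)) {
-error = -EACCES;
+if (!PROFILE_COMPLAIN(profile) &&
+!(aa_match(profile->file_rules, hat_name, NULL)
+& AA_CHANGE_HAT)) {
+/* missing permission to change_hat is treated the
+* same as a failed hat search */
+error = -ENOENT;
 goto out;
 }
-*/
+
 if (previous_profile)
 profile_name = previous_profile->name;
 else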
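Review bot: In the change_hat hunk the `AA_CHANGE_HAT` permission is not evaluated at all in complain mode — `PROFILE_COMPLAIN(profile)` short-circuits before `aa_match()` runs — so a profile being developed in complain mode never surfaces the missing change_hat rule that enforce mode will later reject with `-ENOENT`. Evaluating `aa_match(profile->file_rules, hat_name, NULL) & AA_CHANGE_HAT` into a local unconditionally and only gating the `error = -ENOENT; goto out;` on `!PROFILE_COMPLAIN(profile)` would let the miss be logged the way other complain-mode denials in this file presumably are (the audit call site is not in the hunk, so this is inferred). The comment should also say why the error is deliberately indistinct, e.g. `/* -ENOENT rather than -EACCES: a missing rule must look like a missing hat to the caller */`, since a reader will otherwise read `-ENOENT` as a typo for the `-EACCES` the old commented-out code used. The enclosing function starts before `repeat:` and the `out` label is past the hunk.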
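--- a/security/apparmor/procattr.c
+++ b/security/apparmor/procattr.c
@@ -24,15 +24,16 @@ int aa_getprocattr(struct aa_profile *pr
 mode_len = strlen(mode_str);
 name_len = strlen(profile->name);
 if (profile->ns != default_namespace)
-ns_len = strlen(profile->ns->name) + 1;
+ns_len = strlen(profile->ns->name) + 2;
 *len = mode_len + ns_len + name_len + 1;
 str = kmalloc(*len, GFP_ATOMIC);
 if (!str)
 return -ENOMEM;
 
 if (ns_len) {
-memcpy(str, profile->ns->name, ns_len - 1);
-str += ns_len - 1;
+*str++ = ':';
+memcpy(str, profile->ns->name, ns_len - 2);
+str += ns_len - 2;
 *str++ = ':';
 }
 memcpy(str, profile->name, name_len);
@@ -96,11 +97,11 @@ int aa_setprocattr_changeprofile(char *a
 {
 char *name = args, *ns_name = NULL;
 
-if (name[0] != '/') {
-char *split = strchr(name, ':');
+if (name[0] == ':') {
+char *split = strchr(&name[1], ':');
 if (split) {
 *split = 0;
-ns_name = name;
+ns_name = &name[1];
 name = split + 1;
 }
 }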
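Review bot: In the aa_setprocattr_changeprofile hunk a user-supplied name that opens with `':'` but has no closing `':'` (a bare `:foo`) is not rejected: `strchr(&name[1], ':')` returns NULL, `ns_name` stays NULL and `name` is handed on still carrying the leading colon, so a malformed namespace prefix silently turns into a profile-name lookup (the lookup itself is past the hunk, so its outcome is inferred). Adding `if (!split) return -EINVAL;` inside the `name[0] == ':'` branch would make the `:ns:` syntax strict at the kernel boundary, matching the `-ENOMEM`-style negative-errno convention this function already uses. In the aa_getprocattr hunk the `+ 2` / `- 2` offsets are written three times; computing `size_t nslen = strlen(profile->ns->name);` once and deriving `ns_len = nslen + 2` from it would have prevented the very length mismatch this commit corrects, and the hunk also relies on `ns_len` being zero-initialised before the `if (profile->ns != default_namespace)` test, which is outside the hunk. aa_setprocattr_changeprofile continues past the hunk.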