summaryrefslogtreecommitdiffstats
path: root/security/apparmor/ipc.c
AgeCommit message (Collapse)AuthorFilesLines
2019-06-05treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441Thomas Gleixner1-5/+1
Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 of the license extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 315 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Allison Randal <allison@lohutok.net> Reviewed-by: Armijn Hemel <armijn@tjaldur.nl> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190531190115.503150771@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-01-10LSM: generalize flag passing to security_capableMicah Morton1-1/+2
This patch provides a general mechanism for passing flags to the security_capable LSM hook. It replaces the specific 'audit' flag that is used to tell security_capable whether it should log an audit message for the given capability check. The reason for generalizing this flag passing is so we can add an additional flag that signifies whether security_capable is being called by a setid syscall (which is needed by the proposed SafeSetID LSM). Signed-off-by: Micah Morton <mortonm@chromium.org> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com>
2018-02-09apparmor: move context.h to cred.hJohn Johansen1-1/+1
Now that file contexts have been moved into file, and task context fns() and data have been split from the context, only the cred context remains in context.h so rename to cred.h to better reflect what it deals with. Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09apparmor: audit unknown signal numbersJohn Johansen1-3/+7
Allow apparmor to audit the number of a signal that it does not provide a mapping for and is currently being reported only as unknown. Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09apparmor: make signal label match work when matching stacked labelsJohn Johansen1-28/+12
Given a label with a profile stack of A//&B or A//&C ... A ptrace rule should be able to specify a generic trace pattern with a rule like signal send A//&**, however this is failing because while the correct label match routine is called, it is being done post label decomposition so it is always being done against a profile instead of the stacked label. To fix this refactor the cross check to pass the full peer label in to the label_match. Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09apparmor: fix logging of the existence test for signalsJohn Johansen1-1/+1
The existence test is not being properly logged as the signal mapping maps it to the last entry in the named signal table. This is done to help catch bugs by making the 0 mapped signal value invalid so that we can catch the signal value not being filled in. When fixing the off-by-one comparision logic the reporting of the existence test was broken, because the logic behind the mapped named table was hidden. Fix this by adding a define for the name lookup and using it. Cc: Stable <stable@vger.kernel.org> Fixes: f7dc4c9a855a1 ("apparmor: fix off-by-one comparison on MAXMAPPED_SIG") Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-01-12apparmor: fix ptrace label match when matching stacked labelsJohn Johansen1-21/+32
Given a label with a profile stack of A//&B or A//&C ... A ptrace rule should be able to specify a generic trace pattern with a rule like ptrace trace A//&**, however this is failing because while the correct label match routine is called, it is being done post label decomposition so it is always being done against a profile instead of the stacked label. To fix this refactor the cross check to pass the full peer label in to the label_match. Fixes: 290f458a4f16 ("apparmor: allow ptrace checks to be finer grained than just capability") Cc: Stable <stable@vger.kernel.org> Reported-by: Matthew Garrett <mjg59@google.com> Tested-by: Matthew Garrett <mjg59@google.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-11-08apparmor: fix off-by-one comparison on MAXMAPPED_SIGJohn Johansen1-2/+2
This came in yesterday, and I have verified our regression tests were missing this and it can cause an oops. Please apply. There is a an off-by-one comparision on sig against MAXMAPPED_SIG that can lead to a read outside the sig_map array if sig is MAXMAPPED_SIG. Fix this. Verified that the check is an out of bounds case that can cause an oops. Revised: add comparison fix to second case Fixes: cd1dbf76b23d ("apparmor: add the ability to mediate signals") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-09-22apparmor: add the ability to mediate signalsJohn Johansen1-0/+99
Add signal mediation where the signal can be mediated based on the signal, direction, or the label or the peer/target. The signal perms are verified on a cross check to ensure policy consistency in the case of incremental policy load/replacement. The optimization of skipping the cross check when policy is guaranteed to be consistent (single compile unit) remains to be done. policy rules have the form of SIGNAL_RULE = [ QUALIFIERS ] 'signal' [ SIGNAL ACCESS PERMISSIONS ] [ SIGNAL SET ] [ SIGNAL PEER ] SIGNAL ACCESS PERMISSIONS = SIGNAL ACCESS | SIGNAL ACCESS LIST SIGNAL ACCESS LIST = '(' Comma or space separated list of SIGNAL ACCESS ')' SIGNAL ACCESS = ( 'r' | 'w' | 'rw' | 'read' | 'write' | 'send' | 'receive' ) SIGNAL SET = 'set' '=' '(' SIGNAL LIST ')' SIGNAL LIST = Comma or space separated list of SIGNALS SIGNALS = ( 'hup' | 'int' | 'quit' | 'ill' | 'trap' | 'abrt' | 'bus' | 'fpe' | 'kill' | 'usr1' | 'segv' | 'usr2' | 'pipe' | 'alrm' | 'term' | 'stkflt' | 'chld' | 'cont' | 'stop' | 'stp' | 'ttin' | 'ttou' | 'urg' | 'xcpu' | 'xfsz' | 'vtalrm' | 'prof' | 'winch' | 'io' | 'pwr' | 'sys' | 'emt' | 'exists' | 'rtmin+0' ... 'rtmin+32' ) SIGNAL PEER = 'peer' '=' AARE eg. signal, # allow all signals signal send set=(hup, kill) peer=foo, Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2017-06-10apparmor: allow ptrace checks to be finer grained than just capabilityJohn Johansen1-0/+56
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: move ptrace checks to using labelsJohn Johansen1-66/+21
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: move capability checks to using labelsJohn Johansen1-1/+1
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: switch from profiles to using labels on contextsJohn Johansen1-12/+17
Begin the actual switch to using domain labels by storing them on the context and converting the label to a singular profile where possible. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: change aad apparmor_audit_data macro to a fn macroJohn Johansen1-11/+7
The aad macro can replace aad strings when it is not intended to. Switch to a fn macro so it is only applied when intended. Also at the same time cleanup audit_data initialization by putting common boiler plate behind a macro, and dropping the gfp_t parameter which will become useless. Signed-off-by: John Johansen <john.johansen@canonical.com>
2013-10-29apparmor: fix capability to not use the current task, during reportingJohn Johansen1-5/+4
Mediation is based off of the cred but auditing includes the current task which may not be related to the actual request. Signed-off-by: John Johansen <john.johansen@canonical.com>
2013-04-28apparmor: add utility function to get an arbitrary tasks profile.John Johansen1-9/+4
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <sbeattie@ubuntu.com>
2012-04-09LSM: do not initialize common_audit_data to 0Eric Paris1-1/+1
It isn't needed. If you don't set the type of the data associated with that type it is a pretty obvious programming bug. So why waste the cycles? Signed-off-by: Eric Paris <eparis@redhat.com>
2012-04-09LSM: remove the COMMON_AUDIT_DATA_INIT type expansionEric Paris1-1/+1
Just open code it so grep on the source code works better. Signed-off-by: Eric Paris <eparis@redhat.com>
2012-04-03LSM: shrink sizeof LSM specific portion of common_audit_dataEric Paris1-4/+6
Linus found that the gigantic size of the common audit data caused a big perf hit on something as simple as running stat() in a loop. This patch requires LSMs to declare the LSM specific portion separately rather than doing it in a union. Thus each LSM can be responsible for shrinking their portion and don't have to pay a penalty just because other LSMs have a bigger space requirement. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-09-09apparmor: sparse fix: include ipc.hJames Morris1-0/+1
Include ipc.h to eliminate sparse warnings. security/apparmor/ipc.c:61:5: warning: symbol 'aa_may_ptrace' was not declared. Should it be static? security/apparmor/ipc.c:83:5: warning: symbol 'aa_ptrace' was not declared. Should it be static Signed-off-by: James Morris <jmorris@namei.org> Acked-by: John Johansen <john.johansen@canonical.com>
2010-08-02AppArmor: fix build warnings for non-const use of get_task_credJames Morris1-1/+1
Fix build warnings for non-const use of get_task_cred. Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02AppArmor: mediation of non file objectsJohn Johansen1-0/+114
ipc: AppArmor ipc is currently limited to mediation done by file mediation and basic ptrace tests. Improved mediation is a wip. rlimits: AppArmor provides basic abilities to set and control rlimits at a per profile level. Only resources specified in a profile are controled or set. AppArmor rules set the hard limit to a value <= to the current hard limit (ie. they can not currently raise hard limits), and if necessary will lower the soft limit to the new hard limit value. AppArmor does not track resource limits to reset them when a profile is left so that children processes inherit the limits set by the parent even if they are not confined by the same profile. Capabilities: AppArmor provides a per profile mask of capabilities, that will further restrict. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>