
Viewing changes to kernel-patches/3.6/0004-apparmor-Ensure-apparmor-does-not-mediate-kernel-bas.patch

  • Committer: Steve Beattie
  • Date: 2019-02-19 09:38:13 UTC
  • Revision ID: sbeattie@ubuntu.com-20190219093813-ud526ee6hwn8nljz
The AppArmor project has been converted to git and is now hosted on
gitlab.

To get the converted repository, please do
  git clone https://gitlab.com/apparmor/apparmor

1
 
From f284c9554341aded2d599e9355574cac36c2dd23 Mon Sep 17 00:00:00 2001
2
 
From: John Johansen <john.johansen@canonical.com>
3
 
Date: Fri, 29 Jun 2012 17:34:01 -0700
4
 
Subject: [PATCH 4/6] apparmor: Ensure apparmor does not mediate kernel based
5
 
 sockets
6
 
 
7
 
Currently apparmor makes the assumption that kernel sockets are unmediated
8
 
because mediation is only done against tasks that have a profile attached.
9
 
Ensure we never get in a situation where a kernel socket is being mediated
10
 
by tagging the sk_security field for kernel sockets.
11
 
 
12
 
Signed-off-by: John Johansen <john.johansen@canonical.com>
13
 
---
14
 
 security/apparmor/include/net.h |    2 ++
15
 
 security/apparmor/lsm.c         |   18 ++++++++++++++++++
16
 
 security/apparmor/net.c         |    3 +++
17
 
 3 files changed, 23 insertions(+)
18
 
 
19
 
diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
20
 
index cb8a121..bc8198b 100644
21
 
--- a/security/apparmor/include/net.h
22
 
+++ b/security/apparmor/include/net.h
23
 
@@ -19,6 +19,8 @@
24
 
 
25
 
 #include "apparmorfs.h"
26
 
 
27
 
+#define AA_SOCK_KERN 0xAA
28
 
+
29
 
 /* struct aa_net - network confinement data
30
 
  * @allowed: basic network families permissions
31
 
  * @audit_network: which network permissions to force audit
32
 
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
33
 
index f628734..a172d01 100644
34
 
--- a/security/apparmor/lsm.c
35
 
+++ b/security/apparmor/lsm.c
36
 
@@ -630,6 +630,16 @@ static int apparmor_socket_create(int family, int type, int protocol, int kern)
37
 
        return error;
38
 
 }
39
 
 
40
 
+static int apparmor_socket_post_create(struct socket *sock, int family,
41
 
+                                      int type, int protocol, int kern)
42
 
+{
43
 
+       if (kern)
44
 
+               /* tag kernel sockets so we don't mediate them later */
45
 
+               sock->sk->sk_security = (void *) AA_SOCK_KERN;
46
 
+
47
 
+       return 0;
48
 
+}
49
 
+
50
 
 static int apparmor_socket_bind(struct socket *sock,
51
 
                                struct sockaddr *address, int addrlen)
52
 
 {
53
 
@@ -713,6 +723,12 @@ static int apparmor_socket_shutdown(struct socket *sock, int how)
54
 
        return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
55
 
 }
56
 
 
57
 
+static void apparmor_sk_clone_security(const struct sock *sk,
58
 
+                                      struct sock *newsk)
59
 
+{
60
 
+       newsk->sk_security = sk->sk_security;
61
 
+}
62
 
+
63
 
 static struct security_operations apparmor_ops = {
64
 
        .name =                         "apparmor",
65
 
 
66
 
@@ -746,6 +762,7 @@ static struct security_operations apparmor_ops = {
67
 
        .setprocattr =                  apparmor_setprocattr,
68
 
 
69
 
        .socket_create =                apparmor_socket_create,
70
 
+       .socket_post_create =           apparmor_socket_post_create,
71
 
        .socket_bind =                  apparmor_socket_bind,
72
 
        .socket_connect =               apparmor_socket_connect,
73
 
        .socket_listen =                apparmor_socket_listen,
74
 
@@ -757,6 +774,7 @@ static struct security_operations apparmor_ops = {
75
 
        .socket_getsockopt =            apparmor_socket_getsockopt,
76
 
        .socket_setsockopt =            apparmor_socket_setsockopt,
77
 
        .socket_shutdown =              apparmor_socket_shutdown,
78
 
+       .sk_clone_security =            apparmor_sk_clone_security,
79
 
 
80
 
        .cred_alloc_blank =             apparmor_cred_alloc_blank,
81
 
        .cred_free =                    apparmor_cred_free,
82
 
diff --git a/security/apparmor/net.c b/security/apparmor/net.c
83
 
index 6e6e5c9..baa4df1 100644
84
 
--- a/security/apparmor/net.c
85
 
+++ b/security/apparmor/net.c
86
 
@@ -153,6 +153,9 @@ int aa_revalidate_sk(int op, struct sock *sk)
87
 
        if (in_interrupt())
88
 
                return 0;
89
 
 
90
 
+       if (sk->sk_security == (void *) AA_SOCK_KERN)
91
 
+               return 0;
92
 
+
93
 
        profile = __aa_current_profile();
94
 
        if (!unconfined(profile))
95
 
                error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
96
 
1.7.10.4
97
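Review bot: apparmor_socket_post_create (patch lines 40–48) writes through sock->sk without checking that it is non-NULL; the kern flag alone does not establish that the protocol family attached a struct sock, and SELinux's socket_post_create hook guards on sock->sk before touching sk_security. Changing the condition to `if (kern && sock->sk)` keeps the tagging behaviour and removes the possible NULL dereference. Because AA_SOCK_KERN is a bare integer stored as a pointer, the define in net.h should carry a comment such as `/* opaque tag stored in sk->sk_security for kernel sockets; never dereferenced */` so that a future sk_alloc_security/sk_free_security hook does not treat it as an allocated blob. The tag is also copied by apparmor_sk_clone_security, so sockets cloned from a tagged kernel socket will likewise skip mediation in aa_revalidate_sk; that is presumably intended and worth a one-line comment on the clone hook.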