1
From f284c9554341aded2d599e9355574cac36c2dd23 Mon Sep 17 00:00:00 2001
2
From: John Johansen <john.johansen@canonical.com>
3
Date: Fri, 29 Jun 2012 17:34:01 -0700
4
Subject: [PATCH 4/6] apparmor: Ensure apparmor does not mediate kernel based
7
Currently apparmor makes the assumption that kernel sockets are unmediated
8
because mediation is only done against tasks that have a profile attached.
9
Ensure we never get in a situation where a kernel socket is being mediated
10
by tagging the sk_security field for kernel sockets.
12
Signed-off-by: John Johansen <john.johansen@canonical.com>
14
security/apparmor/include/net.h | 2 ++
15
security/apparmor/lsm.c | 18 ++++++++++++++++++
16
security/apparmor/net.c | 3 +++
17
3 files changed, 23 insertions(+)
19
diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
20
index cb8a121..bc8198b 100644
21
--- a/security/apparmor/include/net.h
22
+++ b/security/apparmor/include/net.h
25
#include "apparmorfs.h"
27
+#define AA_SOCK_KERN 0xAA
29
/* struct aa_net - network confinement data
30
* @allowed: basic network families permissions
31
* @audit_network: which network permissions to force audit
32
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
33
index f628734..a172d01 100644
34
--- a/security/apparmor/lsm.c
35
+++ b/security/apparmor/lsm.c
36
@@ -630,6 +630,16 @@ static int apparmor_socket_create(int family, int type, int protocol, int kern)
40
+static int apparmor_socket_post_create(struct socket *sock, int family,
41
+ int type, int protocol, int kern)
44
+ /* tag kernel sockets so we don't mediate them later */
45
+ sock->sk->sk_security = (void *) AA_SOCK_KERN;
50
static int apparmor_socket_bind(struct socket *sock,
51
struct sockaddr *address, int addrlen)
53
@@ -713,6 +723,12 @@ static int apparmor_socket_shutdown(struct socket *sock, int how)
54
return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
57
+static void apparmor_sk_clone_security(const struct sock *sk,
60
+ newsk->sk_security = sk->sk_security;
63
static struct security_operations apparmor_ops = {
66
@@ -746,6 +762,7 @@ static struct security_operations apparmor_ops = {
67
.setprocattr = apparmor_setprocattr,
69
.socket_create = apparmor_socket_create,
70
+ .socket_post_create = apparmor_socket_post_create,
71
.socket_bind = apparmor_socket_bind,
72
.socket_connect = apparmor_socket_connect,
73
.socket_listen = apparmor_socket_listen,
74
@@ -757,6 +774,7 @@ static struct security_operations apparmor_ops = {
75
.socket_getsockopt = apparmor_socket_getsockopt,
76
.socket_setsockopt = apparmor_socket_setsockopt,
77
.socket_shutdown = apparmor_socket_shutdown,
78
+ .sk_clone_security = apparmor_sk_clone_security,
80
.cred_alloc_blank = apparmor_cred_alloc_blank,
81
.cred_free = apparmor_cred_free,
82
diff --git a/security/apparmor/net.c b/security/apparmor/net.c
83
index 6e6e5c9..baa4df1 100644
84
--- a/security/apparmor/net.c
85
+++ b/security/apparmor/net.c
86
@@ -153,6 +153,9 @@ int aa_revalidate_sk(int op, struct sock *sk)
90
+ if (sk->sk_security == (void *) AA_SOCK_KERN)
93
profile = __aa_current_profile();
94
if (!unconfined(profile))
95
error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,