1
From aa4b6bded85552bc5f9f22d2e18ce86c5c17947c Mon Sep 17 00:00:00 2001
2
From: John Johansen <john.johansen@canonical.com>
3
Date: Tue, 18 Jul 2017 23:37:18 -0700
4
Subject: [PATCH 10/17] apparmor: make policy_unpack able to audit different
7
Switch unpack auditing to using the generic name field in the audit
8
struct and make it so we can start adding new info messages about
11
Signed-off-by: John Johansen <john.johansen@canonical.com>
12
Acked-by: Seth Arnold <seth.arnold@canonical.com>
13
(cherry picked from commit 1489d896c5649e9ce1b6000b4857f8baa7a6ab63)
15
security/apparmor/include/audit.h | 4 +--
16
security/apparmor/policy_unpack.c | 52 ++++++++++++++++++++++++++++-----------
17
2 files changed, 40 insertions(+), 16 deletions(-)
19
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
20
index c3fe1c5ef3bc..620e81169659 100644
21
--- a/security/apparmor/include/audit.h
22
+++ b/security/apparmor/include/audit.h
23
@@ -127,9 +127,9 @@ struct apparmor_audit_data {
29
+ struct aa_profile *profile;
35
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
36
index bda0dce3b582..4ede87c30f8b 100644
37
--- a/security/apparmor/policy_unpack.c
38
+++ b/security/apparmor/policy_unpack.c
39
@@ -85,9 +85,9 @@ static void audit_cb(struct audit_buffer *ab, void *va)
40
audit_log_format(ab, " ns=");
41
audit_log_untrustedstring(ab, aad(sa)->iface.ns);
43
- if (aad(sa)->iface.name) {
44
+ if (aad(sa)->name) {
45
audit_log_format(ab, " name=");
46
- audit_log_untrustedstring(ab, aad(sa)->iface.name);
47
+ audit_log_untrustedstring(ab, aad(sa)->name);
49
if (aad(sa)->iface.pos)
50
audit_log_format(ab, " offset=%ld", aad(sa)->iface.pos);
51
@@ -114,9 +114,9 @@ static int audit_iface(struct aa_profile *new, const char *ns_name,
52
aad(&sa)->iface.pos = e->pos - e->start;
53
aad(&sa)->iface.ns = ns_name;
55
- aad(&sa)->iface.name = new->base.hname;
56
+ aad(&sa)->name = new->base.hname;
58
- aad(&sa)->iface.name = name;
59
+ aad(&sa)->name = name;
60
aad(&sa)->info = info;
61
aad(&sa)->error = error;
63
@@ -583,6 +583,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
65
struct aa_profile *profile = NULL;
66
const char *tmpname, *tmpns = NULL, *name = NULL;
67
+ const char *info = "failed to unpack profile";
69
struct rhashtable_params params = { 0 };
71
@@ -604,8 +605,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
72
tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len);
74
*ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL);
77
+ info = "out of memory";
83
@@ -624,12 +627,15 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
84
if (IS_ERR(profile->xmatch)) {
85
error = PTR_ERR(profile->xmatch);
86
profile->xmatch = NULL;
87
+ info = "bad xmatch";
90
/* xmatch_len is not optional if xmatch is set */
91
if (profile->xmatch) {
92
- if (!unpack_u32(e, &tmp, NULL))
93
+ if (!unpack_u32(e, &tmp, NULL)) {
94
+ info = "missing xmatch len";
97
profile->xmatch_len = tmp;
100
@@ -637,8 +643,11 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
101
(void) unpack_str(e, &profile->disconnected, "disconnected");
103
/* per profile debug flags (complain, audit) */
104
- if (!unpack_nameX(e, AA_STRUCT, "flags"))
105
+ if (!unpack_nameX(e, AA_STRUCT, "flags")) {
106
+ info = "profile missing flags";
109
+ info = "failed to unpack profile flags";
110
if (!unpack_u32(e, &tmp, NULL))
112
if (tmp & PACKED_FLAG_HAT)
113
@@ -667,6 +676,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
114
/* set a default value if path_flags field is not present */
115
profile->path_flags = PATH_MEDIATE_DELETED;
117
+ info = "failed to unpack profile capabilities";
118
if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL))
120
if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL))
121
@@ -676,6 +686,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
122
if (!unpack_u32(e, &tmpcap.cap[0], NULL))
125
+ info = "failed to unpack upper profile capabilities";
126
if (unpack_nameX(e, AA_STRUCT, "caps64")) {
127
/* optional upper half of 64 bit caps */
128
if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL))
129
@@ -690,6 +701,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
133
+ info = "failed to unpack extended profile capabilities";
134
if (unpack_nameX(e, AA_STRUCT, "capsx")) {
135
/* optional extended caps mediation mask */
136
if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL))
137
@@ -700,11 +712,14 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
141
- if (!unpack_rlimits(e, profile))
142
+ if (!unpack_rlimits(e, profile)) {
143
+ info = "failed to unpack profile rlimits";
147
if (unpack_nameX(e, AA_STRUCT, "policydb")) {
148
/* generic policy dfa - optional and may be NULL */
149
+ info = "failed to unpack policydb";
150
profile->policy.dfa = unpack_dfa(e);
151
if (IS_ERR(profile->policy.dfa)) {
152
error = PTR_ERR(profile->policy.dfa);
153
@@ -734,6 +749,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
154
if (IS_ERR(profile->file.dfa)) {
155
error = PTR_ERR(profile->file.dfa);
156
profile->file.dfa = NULL;
157
+ info = "failed to unpack profile file rules";
159
} else if (profile->file.dfa) {
160
if (!unpack_u32(e, &profile->file.start, "dfa_start"))
161
@@ -746,10 +762,13 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
163
profile->file.dfa = aa_get_dfa(nulldfa);
165
- if (!unpack_trans_table(e, profile))
166
+ if (!unpack_trans_table(e, profile)) {
167
+ info = "failed to unpack profile transition table";
171
if (unpack_nameX(e, AA_STRUCT, "data")) {
172
+ info = "out of memory";
173
profile->data = kzalloc(sizeof(*profile->data), GFP_KERNEL);
176
@@ -761,8 +780,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
177
params.hashfn = strhash;
178
params.obj_cmpfn = datacmp;
180
- if (rhashtable_init(profile->data, ¶ms))
181
+ if (rhashtable_init(profile->data, ¶ms)) {
182
+ info = "failed to init key, value hash table";
186
while (unpack_strdup(e, &key, NULL)) {
187
data = kzalloc(sizeof(*data), GFP_KERNEL);
188
@@ -784,12 +805,16 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
192
- if (!unpack_nameX(e, AA_STRUCTEND, NULL))
193
+ if (!unpack_nameX(e, AA_STRUCTEND, NULL)) {
194
+ info = "failed to unpack end of key, value data table";
199
- if (!unpack_nameX(e, AA_STRUCTEND, NULL))
200
+ if (!unpack_nameX(e, AA_STRUCTEND, NULL)) {
201
+ info = "failed to unpack end of profile";
207
@@ -798,8 +823,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
211
- audit_iface(profile, NULL, name, "failed to unpack profile", e,
213
+ audit_iface(profile, NULL, name, info, e, error);
214
aa_free_profile(profile);
216
return ERR_PTR(error);