

Viewing changes to kernel-patches/for-mainline/reintroduce-revalidation.diff

  • Committer: Bazaar Package Importer
  • Author(s): Kees Cook
  • Date: 2007-03-23 16:42:01 UTC
  • Revision ID: james.westby@ubuntu.com-20070323164201-jkax6f0oku087b7l
Tags: upstream-2.0.1+510.dfsg
Import upstream version 2.0.1+510.dfsg




 
1
Reintroduce revalidation.
 
2
 
 
3
Index: b/security/apparmor/lsm.c
 
4
===================================================================
 
5
--- a/security/apparmor/lsm.c
 
6
+++ b/security/apparmor/lsm.c
 
7
@@ -421,6 +421,55 @@ static int apparmor_inode_removexattr(st
 
8
                                   MAY_WRITE);
 
9
 }
 
10
 
 
11
+static int apparmor_file_permission(struct file *file, int mask)
 
12
+{
 
13
+       struct aa_profile *profile;
 
14
+       struct aa_profile *file_profile = (struct aa_profile*)file->f_security;
 
15
+       int error = 0;
 
16
+
 
17
+       if (!file_profile)
 
18
+               goto out;
 
19
+
 
20
+       /*
 
21
+        * If this file was opened under a different profile, we
 
22
+        * revalidate the access against the current profile.
 
23
+        */
 
24
+       profile = aa_get_profile(current);
 
25
+       if (profile && file_profile != profile) {
 
26
+               struct dentry *dentry = file->f_dentry;
 
27
+               struct vfsmount *mnt = file->f_vfsmnt;
 
28
+
 
29
+               /*
 
30
+                * FIXME: We should remember which profiles we revalidated
 
31
+                *        against.
 
32
+                */
 
33
+               mask &= (MAY_READ | MAY_WRITE | MAY_EXEC);
 
34
+               error = aa_permission(dentry->d_inode, dentry, mnt, mask, 1);
 
35
+       }
 
36
+       aa_put_profile(profile);
 
37
+
 
38
+out:
 
39
+       return error;
 
40
+}
 
41
+
 
42
+static int apparmor_file_alloc_security(struct file *file)
 
43
+{
 
44
+       struct aa_profile *profile;
 
45
+
 
46
+       profile = aa_get_profile(current);
 
47
+       if (profile)
 
48
+               file->f_security = profile;
 
49
+
 
50
+       return 0;
 
51
+}
 
52
+
 
53
+static void apparmor_file_free_security(struct file *file)
 
54
+{
 
55
+       struct aa_profile *file_profile = (struct aa_profile*)file->f_security;
 
56
+
 
57
+       aa_put_profile(file_profile);
 
58
+}
 
59
+
 
60
 static inline int aa_mmap(struct file *file, unsigned long prot,
 
61
                          unsigned long flags)
 
62
 {
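Review bot: The early `if (!file_profile) goto out;` in apparmor_file_permission returns 0 with no revalidation whenever the file was opened by a task that carried no profile, even when the task now accessing it is confined (the descriptor may have been inherited across a profile transition), so such files are never checked against the current profile. The later test `if (profile && file_profile != profile)` already handles a NULL file_profile on its own, so dropping the early exit is enough to revalidate unconfined-opened files; if leaving them unmediated is intended, the comment should say so, e.g. `/* Files opened without a profile are deliberately not revalidated. */`. Note also that aa_put_profile() is reached with a NULL profile when aa_get_profile(current) returns NULL, which is only correct if aa_put_profile() tolerates NULL — the hunk does not show that. The FIXME already records that the check re-runs aa_permission() on every file_permission call with no memo of which profiles were validated.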
 
63
@@ -644,6 +693,9 @@ struct security_operations apparmor_ops 
 
64
        .inode_getxattr =               apparmor_inode_getxattr,
 
65
        .inode_listxattr =              apparmor_inode_listxattr,
 
66
        .inode_removexattr =            apparmor_inode_removexattr,
 
67
+       .file_permission =              apparmor_file_permission,
 
68
+       .file_alloc_security =          apparmor_file_alloc_security,
 
69
+       .file_free_security =           apparmor_file_free_security,
 
70
        .file_mmap =                    apparmor_file_mmap,
 
71
        .file_mprotect =                apparmor_file_mprotect,
 
72