Inter-revision diff: patch 25

Comparing v31 (message) to v26 (message)

--- v31
+++ v26
@@ -1,158 +1,63 @@
-Create a new audit record AUDIT_MAC_TASK_CONTEXTS.
-An example of the MAC_TASK_CONTEXTS (1420) record is:
+With the inclusion of the interface LSM process attribute
+mechanism AppArmor no longer needs to be treated as an
+"exclusive" security module. Remove the flag that indicates
+it is exclusive. Remove the stub getpeersec_dgram AppArmor
+hook as it has no effect in the single LSM case and
+interferes in the multiple LSM case.
 
-    type=MAC_TASK_CONTEXTS[1420]
-    msg=audit(1600880931.832:113)
-    subj_apparmor=unconfined
-    subj_smack=_
-
-When an audit event includes a AUDIT_MAC_TASK_CONTEXTS record
-the "subj=" field in other records in the event will be "subj=?".
-An AUDIT_MAC_TASK_CONTEXTS record is supplied when the system has
-multiple security modules that may make access decisions based
-on a subject security context.
-
+Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
+Acked-by: John Johansen <john.johansen@canonical.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
 Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
 ---
- include/linux/security.h   |  9 ++++++
- include/uapi/linux/audit.h |  1 +
- kernel/audit.c             | 58 ++++++++++++++++++++++++++++++++------
- 3 files changed, 60 insertions(+), 8 deletions(-)
+ security/apparmor/lsm.c | 20 +-------------------
+ 1 file changed, 1 insertion(+), 19 deletions(-)
 
-diff --git a/include/linux/security.h b/include/linux/security.h
-index bec8505f2ce5..a54179451410 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -231,6 +231,15 @@ static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb)
- extern int lsm_name_to_slot(char *name);
- extern const char *lsm_slot_to_name(int slot);
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 65a004597e53..15af5a5cb0c0 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -1138,22 +1138,6 @@ static int apparmor_socket_getpeersec_stream(struct socket *sock,
+ 	return error;
+ }
  
-+static inline bool lsm_multiple_contexts(void)
-+{
-+#ifdef CONFIG_SECURITY
-+	return lsm_slot_to_name(1) != NULL;
-+#else
-+	return false;
-+#endif
-+}
-+
+-/**
+- * apparmor_socket_getpeersec_dgram - get security label of packet
+- * @sock: the peer socket
+- * @skb: packet data
+- * @secid: pointer to where to put the secid of the packet
+- *
+- * Sets the netlabel socket state on sk from parent
+- */
+-static int apparmor_socket_getpeersec_dgram(struct socket *sock,
+-					    struct sk_buff *skb, u32 *secid)
+-
+-{
+-	/* TODO: requires secid support */
+-	return -ENOPROTOOPT;
+-}
+-
  /**
-  * lsmblob_value - find the first non-zero value in an lsmblob structure.
-  * @blob: Pointer to the data
-diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
-index 9176a095fefc..86ad3da4f0d4 100644
---- a/include/uapi/linux/audit.h
-+++ b/include/uapi/linux/audit.h
-@@ -143,6 +143,7 @@
- #define AUDIT_MAC_UNLBL_STCDEL	1417	/* NetLabel: del a static label */
- #define AUDIT_MAC_CALIPSO_ADD	1418	/* NetLabel: add CALIPSO DOI entry */
- #define AUDIT_MAC_CALIPSO_DEL	1419	/* NetLabel: del CALIPSO DOI entry */
-+#define AUDIT_MAC_TASK_CONTEXTS	1420	/* Multiple LSM task contexts */
+  * apparmor_sock_graft - Initialize newly created socket
+  * @sk: child sock
+@@ -1257,8 +1241,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
+ #endif
+ 	LSM_HOOK_INIT(socket_getpeersec_stream,
+ 		      apparmor_socket_getpeersec_stream),
+-	LSM_HOOK_INIT(socket_getpeersec_dgram,
+-		      apparmor_socket_getpeersec_dgram),
+ 	LSM_HOOK_INIT(sock_graft, apparmor_sock_graft),
+ #ifdef CONFIG_NETWORK_SECMARK
+ 	LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request),
+@@ -1928,7 +1910,7 @@ static int __init apparmor_init(void)
  
- #define AUDIT_FIRST_KERN_ANOM_MSG   1700
- #define AUDIT_LAST_KERN_ANOM_MSG    1799
-diff --git a/kernel/audit.c b/kernel/audit.c
-index fc3662ff126e..4ee2bf620df7 100644
---- a/kernel/audit.c
-+++ b/kernel/audit.c
-@@ -197,6 +197,9 @@ static struct audit_ctl_mutex {
- struct audit_context_entry {
- 	struct list_head	list;
- 	int			type;	/* Audit record type */
-+	union {
-+		struct lsmblob	lsm_subjs;
-+	};
- };
- 
- /* The audit_buffer is used when formatting an audit record.  The caller
-@@ -2149,15 +2152,30 @@ int audit_log_task_context(struct audit_buffer *ab)
- 	if (!lsmblob_is_set(&blob))
- 		return 0;
- 
--	error = security_secid_to_secctx(&blob, &context, LSMBLOB_FIRST);
--	if (error) {
--		if (error != -EINVAL)
-+	if (!lsm_multiple_contexts()) {
-+		error = security_secid_to_secctx(&blob, &context,
-+						 LSMBLOB_FIRST);
-+		if (error) {
-+			if (error != -EINVAL)
-+				goto error_path;
-+			return 0;
-+		}
-+		audit_log_format(ab, " subj=%s", context.context);
-+		security_release_secctx(&context);
-+	} else {
-+		struct audit_context_entry *ace;
-+
-+		audit_log_format(ab, " subj=?");
-+		ace = kzalloc(sizeof(*ace), ab->gfp_mask);
-+		if (!ace) {
-+			error = -ENOMEM;
- 			goto error_path;
--		return 0;
-+		}
-+		INIT_LIST_HEAD(&ace->list);
-+		ace->type = AUDIT_MAC_TASK_CONTEXTS;
-+		ace->lsm_subjs = blob;
-+		list_add(&ace->list, &ab->aux_records);
- 	}
--
--	audit_log_format(ab, " subj=%s", context.context);
--	security_release_secctx(&context);
- 	return 0;
- 
- error_path:
-@@ -2419,9 +2437,12 @@ void audit_log_end(struct audit_buffer *ab)
- 	struct audit_context_entry *entry;
- 	struct audit_context mcontext;
- 	struct audit_context *mctx;
-+	struct lsmcontext lcontext;
- 	struct audit_buffer *mab;
- 	struct list_head *l;
- 	struct list_head *n;
-+	int rc;
-+	int i;
- 
- 	if (!ab)
- 		return;
-@@ -2434,6 +2455,7 @@ void audit_log_end(struct audit_buffer *ab)
- 	}
- 
- 	if (ab->ctx == NULL) {
-+		mcontext.context = AUDIT_CTX_SYSCALL;
- 		mcontext.stamp = ab->stamp;
- 		mctx = &mcontext;
- 	} else
-@@ -2447,7 +2469,27 @@ void audit_log_end(struct audit_buffer *ab)
- 			continue;
- 		}
- 		switch (entry->type) {
--		/* Don't know of any quite yet. */
-+		case AUDIT_MAC_TASK_CONTEXTS:
-+			for (i = 0; i < LSMBLOB_ENTRIES; i++) {
-+				if (entry->lsm_subjs.secid[i] == 0)
-+					continue;
-+				rc = security_secid_to_secctx(&entry->lsm_subjs,
-+							      &lcontext, i);
-+				if (rc) {
-+					if (rc != -EINVAL)
-+						audit_panic("error in audit_log_end");
-+					audit_log_format(mab, "%ssubj_%s=?",
-+							 i ? " " : "",
-+							 lsm_slot_to_name(i));
-+				} else {
-+					audit_log_format(mab, "%ssubj_%s=%s",
-+							 i ? " " : "",
-+							 lsm_slot_to_name(i),
-+							 lcontext.context);
-+					security_release_secctx(&lcontext);
-+				}
-+			}
-+			break;
- 		default:
- 			audit_panic("Unknown type in audit_log_end");
- 			break;
+ DEFINE_LSM(apparmor) = {
+ 	.name = "apparmor",
+-	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
++	.flags = LSM_FLAG_LEGACY_MAJOR,
+ 	.enabled = &apparmor_enabled,
+ 	.blobs = &apparmor_blob_sizes,
+ 	.init = apparmor_init,
 -- 
-2.31.1
+2.29.2
 
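Review bot: Dropping the `apparmor_socket_getpeersec_dgram` stub and its `LSM_HOOK_INIT(socket_getpeersec_dgram, ...)` entry in the `@@ -1257,8 +1241,6 @@` hunk is only behaviour-neutral because the LSM core's default return for that hook is the same -ENOPROTOOPT the stub returned, and that dependency is stated in the commit message but nowhere in the code. A one-line comment beside the surviving `LSM_HOOK_INIT(socket_getpeersec_stream, ...)` entry, e.g. `/* no socket_getpeersec_dgram hook: AppArmor has no secid support, the LSM core default (-ENOPROTOOPT) applies */`, would keep a later maintainer from re-adding a stub that breaks stacking again. The `.flags = LSM_FLAG_LEGACY_MAJOR,` change in the last hunk is the behavioural part: without LSM_FLAG_EXCLUSIVE AppArmor can be registered alongside another major module, so the hooks it keeps that hand out labels (the stream peersec hook just above the removed stub) become reachable in a stacked configuration and deserve a stacked-boot test, not just the single-LSM case. Both `apparmor_hooks[]` and `DEFINE_LSM(apparmor)` extend outside the hunks shown.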