| lsm.c (6b4f3d01052a479c7ebbe99d52a663558dc1be2a) | lsm.c (56974a6fcfef69ee0825bd66ed13e92070ac5224) |
|---|---|
| 1/* 2 * AppArmor security module 3 * 4 * This file contains AppArmor LSM hooks. 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * --- 16 unchanged lines hidden (view full) --- 25#include <linux/user_namespace.h> 26#include <linux/kmemleak.h> 27#include <net/sock.h> 28 29#include "include/apparmor.h" 30#include "include/apparmorfs.h" 31#include "include/audit.h" 32#include "include/capability.h" | 1/* 2 * AppArmor security module 3 * 4 * This file contains AppArmor LSM hooks. 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * --- 16 unchanged lines hidden (view full) --- 25#include <linux/user_namespace.h> 26#include <linux/kmemleak.h> 27#include <net/sock.h> 28 29#include "include/apparmor.h" 30#include "include/apparmorfs.h" 31#include "include/audit.h" 32#include "include/capability.h" |
| 33#include "include/context.h" | 33#include "include/cred.h" |
| 34#include "include/file.h" 35#include "include/ipc.h" | 34#include "include/file.h" 35#include "include/ipc.h" |
| 36#include "include/net.h" |
|
| 36#include "include/path.h" 37#include "include/label.h" 38#include "include/policy.h" 39#include "include/policy_ns.h" 40#include "include/procattr.h" 41#include "include/mount.h" 42 43/* Flag indicating whether initialization completed */ 44int apparmor_initialized; 45 46DEFINE_PER_CPU(struct aa_buffers, aa_buffers); 47 48 49/* 50 * LSM hook functions 51 */ 52 53/* | 37#include "include/path.h" 38#include "include/label.h" 39#include "include/policy.h" 40#include "include/policy_ns.h" 41#include "include/procattr.h" 42#include "include/mount.h" 43 44/* Flag indicating whether initialization completed */ 45int apparmor_initialized; 46 47DEFINE_PER_CPU(struct aa_buffers, aa_buffers); 48 49 50/* 51 * LSM hook functions 52 */ 53 54/* |
| 54 * free the associated aa_task_ctx and put its labels | 55 * put the associated labels |
| 55 */ 56static void apparmor_cred_free(struct cred *cred) 57{ | 56 */ 57static void apparmor_cred_free(struct cred *cred) 58{ |
| 58 aa_free_task_context(cred_ctx(cred)); 59 cred_ctx(cred) = NULL; | 59 aa_put_label(cred_label(cred)); 60 cred_label(cred) = NULL; |
| 60} 61 62/* 63 * allocate the apparmor part of blank credentials 64 */ 65static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 66{ | 61} 62 63/* 64 * allocate the apparmor part of blank credentials 65 */ 66static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 67{ |
| 67 /* freed by apparmor_cred_free */ 68 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp); 69 70 if (!ctx) 71 return -ENOMEM; 72 73 cred_ctx(cred) = ctx; | 68 cred_label(cred) = NULL; |
| 74 return 0; 75} 76 77/* | 69 return 0; 70} 71 72/* |
| 78 * prepare new aa_task_ctx for modification by prepare_cred block | 73 * prepare new cred label for modification by prepare_cred block |
| 79 */ 80static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 81 gfp_t gfp) 82{ | 74 */ 75static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 76 gfp_t gfp) 77{ |
| 83 /* freed by apparmor_cred_free */ 84 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp); 85 86 if (!ctx) 87 return -ENOMEM; 88 89 aa_dup_task_context(ctx, cred_ctx(old)); 90 cred_ctx(new) = ctx; | 78 cred_label(new) = aa_get_newest_label(cred_label(old)); |
| 91 return 0; 92} 93 94/* 95 * transfer the apparmor data to a blank set of creds 96 */ 97static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 98{ | 79 return 0; 80} 81 82/* 83 * transfer the apparmor data to a blank set of creds 84 */ 85static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 86{ |
| 99 const struct aa_task_ctx *old_ctx = cred_ctx(old); 100 struct aa_task_ctx *new_ctx = cred_ctx(new); | 87 cred_label(new) = aa_get_newest_label(cred_label(old)); 88} |
| 101 | 89 |
| 102 aa_dup_task_context(new_ctx, old_ctx); | 90static void apparmor_task_free(struct task_struct *task) 91{ 92 93 aa_free_task_ctx(task_ctx(task)); 94 task_ctx(task) = NULL; |
| 103} 104 | 95} 96 |
| 97static int apparmor_task_alloc(struct task_struct *task, 98 unsigned long clone_flags) 99{ 100 struct aa_task_ctx *new = aa_alloc_task_ctx(GFP_KERNEL); 101 102 if (!new) 103 return -ENOMEM; 104 105 aa_dup_task_ctx(new, task_ctx(current)); 106 task_ctx(task) = new; 107 108 return 0; 109} 110 |
|
| 105static int apparmor_ptrace_access_check(struct task_struct *child, 106 unsigned int mode) 107{ 108 struct aa_label *tracer, *tracee; 109 int error; 110 111 tracer = begin_current_label_crit_section(); 112 tracee = aa_get_task_label(child); --- 459 unchanged lines hidden (view full) --- 572} 573 574static int apparmor_getprocattr(struct task_struct *task, char *name, 575 char **value) 576{ 577 int error = -ENOENT; 578 /* released below */ 579 const struct cred *cred = get_task_cred(task); | 111static int apparmor_ptrace_access_check(struct task_struct *child, 112 unsigned int mode) 113{ 114 struct aa_label *tracer, *tracee; 115 int error; 116 117 tracer = begin_current_label_crit_section(); 118 tracee = aa_get_task_label(child); --- 459 unchanged lines hidden (view full) --- 578} 579 580static int apparmor_getprocattr(struct task_struct *task, char *name, 581 char **value) 582{ 583 int error = -ENOENT; 584 /* released below */ 585 const struct cred *cred = get_task_cred(task); |
| 580 struct aa_task_ctx *ctx = cred_ctx(cred); | 586 struct aa_task_ctx *ctx = task_ctx(current); |
| 581 struct aa_label *label = NULL; 582 583 if (strcmp(name, "current") == 0) | 587 struct aa_label *label = NULL; 588 589 if (strcmp(name, "current") == 0) |
| 584 label = aa_get_newest_label(ctx->label); | 590 label = aa_get_newest_label(cred_label(cred)); |
| 585 else if (strcmp(name, "prev") == 0 && ctx->previous) 586 label = aa_get_newest_label(ctx->previous); 587 else if (strcmp(name, "exec") == 0 && ctx->onexec) 588 label = aa_get_newest_label(ctx->onexec); 589 else 590 error = -EINVAL; 591 592 if (label) --- 80 unchanged lines hidden (view full) --- 673 674/** 675 * apparmor_bprm_committing_creds - do task cleanup on committing new creds 676 * @bprm: binprm for the exec (NOT NULL) 677 */ 678static void apparmor_bprm_committing_creds(struct linux_binprm *bprm) 679{ 680 struct aa_label *label = aa_current_raw_label(); | 591 else if (strcmp(name, "prev") == 0 && ctx->previous) 592 label = aa_get_newest_label(ctx->previous); 593 else if (strcmp(name, "exec") == 0 && ctx->onexec) 594 label = aa_get_newest_label(ctx->onexec); 595 else 596 error = -EINVAL; 597 598 if (label) --- 80 unchanged lines hidden (view full) --- 679 680/** 681 * apparmor_bprm_committing_creds - do task cleanup on committing new creds 682 * @bprm: binprm for the exec (NOT NULL) 683 */ 684static void apparmor_bprm_committing_creds(struct linux_binprm *bprm) 685{ 686 struct aa_label *label = aa_current_raw_label(); |
| 681 struct aa_task_ctx *new_ctx = cred_ctx(bprm->cred); | 687 struct aa_label *new_label = cred_label(bprm->cred); |
| 682 683 /* bail out if unconfined or not changing profile */ | 688 689 /* bail out if unconfined or not changing profile */ |
| 684 if ((new_ctx->label->proxy == label->proxy) || 685 (unconfined(new_ctx->label))) | 690 if ((new_label->proxy == label->proxy) || 691 (unconfined(new_label))) |
| 686 return; 687 688 aa_inherit_files(bprm->cred, current->files); 689 690 current->pdeath_signal = 0; 691 692 /* reset soft limits and set hard limits for the new label */ | 692 return; 693 694 aa_inherit_files(bprm->cred, current->files); 695 696 current->pdeath_signal = 0; 697 698 /* reset soft limits and set hard limits for the new label */ |
| 693 __aa_transition_rlimits(label, new_ctx->label); | 699 __aa_transition_rlimits(label, new_label); |
| 694} 695 696/** 697 * apparmor_bprm_committed_cred - do cleanup after new creds committed 698 * @bprm: binprm for the exec (NOT NULL) 699 */ 700static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) 701{ | 700} 701 702/** 703 * apparmor_bprm_committed_cred - do cleanup after new creds committed 704 * @bprm: binprm for the exec (NOT NULL) 705 */ 706static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) 707{ |
| 702 /* TODO: cleanup signals - ipc mediation */ | 708 /* clear out temporary/transitional state from the context */ 709 aa_clear_task_ctx_trans(task_ctx(current)); 710 |
| 703 return; 704} 705 706static int apparmor_task_setrlimit(struct task_struct *task, 707 unsigned int resource, struct rlimit *new_rlim) 708{ 709 struct aa_label *label = __begin_current_label_crit_section(); 710 int error = 0; 711 712 if (!unconfined(label)) 713 error = aa_task_setrlimit(label, task, resource, new_rlim); 714 __end_current_label_crit_section(label); 715 716 return error; 717} 718 719static int apparmor_task_kill(struct task_struct *target, struct siginfo *info, | 711 return; 712} 713 714static int apparmor_task_setrlimit(struct task_struct *task, 715 unsigned int resource, struct rlimit *new_rlim) 716{ 717 struct aa_label *label = __begin_current_label_crit_section(); 718 int error = 0; 719 720 if (!unconfined(label)) 721 error = aa_task_setrlimit(label, task, resource, new_rlim); 722 __end_current_label_crit_section(label); 723 724 return error; 725} 726 727static int apparmor_task_kill(struct task_struct *target, struct siginfo *info, |
| 720 int sig, const struct cred *cred) | 728 int sig, u32 secid) |
| 721{ 722 struct aa_label *cl, *tl; 723 int error; 724 | 729{ 730 struct aa_label *cl, *tl; 731 int error; 732 |
| 725 if (cred) { 726 /* 727 * Dealing with USB IO specific behavior | 733 if (secid) 734 /* TODO: after secid to label mapping is done. 735 * Dealing with USB IO specific behavior |
| 728 */ | 736 */ |
| 729 cl = aa_get_newest_cred_label(cred); 730 tl = aa_get_task_label(target); 731 error = aa_may_signal(cl, tl, sig); 732 aa_put_label(cl); 733 aa_put_label(tl); 734 return error; 735 } 736 | 737 return 0; |
| 737 cl = __begin_current_label_crit_section(); 738 tl = aa_get_task_label(target); 739 error = aa_may_signal(cl, tl, sig); 740 aa_put_label(tl); 741 __end_current_label_crit_section(cl); 742 743 return error; 744} 745 | 738 cl = __begin_current_label_crit_section(); 739 tl = aa_get_task_label(target); 740 error = aa_may_signal(cl, tl, sig); 741 aa_put_label(tl); 742 __end_current_label_crit_section(cl); 743 744 return error; 745} 746 |
| 747/** 748 * apparmor_sk_alloc_security - allocate and attach the sk_security field 749 */ 750static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) 751{ 752 struct aa_sk_ctx *ctx; 753 754 ctx = kzalloc(sizeof(*ctx), flags); 755 if (!ctx) 756 return -ENOMEM; 757 758 SK_CTX(sk) = ctx; 759 760 return 0; 761} 762 763/** 764 * apparmor_sk_free_security - free the sk_security field 765 */ 766static void apparmor_sk_free_security(struct sock *sk) 767{ 768 struct aa_sk_ctx *ctx = SK_CTX(sk); 769 770 SK_CTX(sk) = NULL; 771 aa_put_label(ctx->label); 772 aa_put_label(ctx->peer); 773 kfree(ctx); 774} 775 776/** 777 * apparmor_clone_security - clone the sk_security field 778 */ 779static void apparmor_sk_clone_security(const struct sock *sk, 780 struct sock *newsk) 781{ 782 struct aa_sk_ctx *ctx = SK_CTX(sk); 783 struct aa_sk_ctx *new = SK_CTX(newsk); 784 785 new->label = aa_get_label(ctx->label); 786 new->peer = aa_get_label(ctx->peer); 787} 788 789/** 790 * apparmor_socket_create - check perms before creating a new socket 791 */ 792static int apparmor_socket_create(int family, int type, int protocol, int kern) 793{ 794 struct aa_label *label; 795 int error = 0; 796 797 AA_BUG(in_interrupt()); 798 799 label = begin_current_label_crit_section(); 800 if (!(kern || unconfined(label))) 801 error = af_select(family, 802 create_perm(label, family, type, protocol), 803 aa_af_perm(label, OP_CREATE, AA_MAY_CREATE, 804 family, type, protocol)); 805 end_current_label_crit_section(label); 806 807 return error; 808} 809 810/** 811 * apparmor_socket_post_create - setup the per-socket security struct 812 * 813 * Note: 814 * - kernel sockets currently labeled unconfined but we may want to 815 * move to a special kernel label 816 * - socket may not have sk here if created with sock_create_lite or 817 * sock_alloc. These should be accept cases which will be handled in 818 * sock_graft. 819 */ 820static int apparmor_socket_post_create(struct socket *sock, int family, 821 int type, int protocol, int kern) 822{ 823 struct aa_label *label; 824 825 if (kern) { 826 struct aa_ns *ns = aa_get_current_ns(); 827 828 label = aa_get_label(ns_unconfined(ns)); 829 aa_put_ns(ns); 830 } else 831 label = aa_get_current_label(); 832 833 if (sock->sk) { 834 struct aa_sk_ctx *ctx = SK_CTX(sock->sk); 835 836 aa_put_label(ctx->label); 837 ctx->label = aa_get_label(label); 838 } 839 aa_put_label(label); 840 841 return 0; 842} 843 844/** 845 * apparmor_socket_bind - check perms before bind addr to socket 846 */ 847static int apparmor_socket_bind(struct socket *sock, 848 struct sockaddr *address, int addrlen) 849{ 850 AA_BUG(!sock); 851 AA_BUG(!sock->sk); 852 AA_BUG(!address); 853 AA_BUG(in_interrupt()); 854 855 return af_select(sock->sk->sk_family, 856 bind_perm(sock, address, addrlen), 857 aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk)); 858} 859 860/** 861 * apparmor_socket_connect - check perms before connecting @sock to @address 862 */ 863static int apparmor_socket_connect(struct socket *sock, 864 struct sockaddr *address, int addrlen) 865{ 866 AA_BUG(!sock); 867 AA_BUG(!sock->sk); 868 AA_BUG(!address); 869 AA_BUG(in_interrupt()); 870 871 return af_select(sock->sk->sk_family, 872 connect_perm(sock, address, addrlen), 873 aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk)); 874} 875 876/** 877 * apparmor_socket_list - check perms before allowing listen 878 */ 879static int apparmor_socket_listen(struct socket *sock, int backlog) 880{ 881 AA_BUG(!sock); 882 AA_BUG(!sock->sk); 883 AA_BUG(in_interrupt()); 884 885 return af_select(sock->sk->sk_family, 886 listen_perm(sock, backlog), 887 aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk)); 888} 889 890/** 891 * apparmor_socket_accept - check perms before accepting a new connection. 892 * 893 * Note: while @newsock is created and has some information, the accept 894 * has not been done. 895 */ 896static int apparmor_socket_accept(struct socket *sock, struct socket *newsock) 897{ 898 AA_BUG(!sock); 899 AA_BUG(!sock->sk); 900 AA_BUG(!newsock); 901 AA_BUG(in_interrupt()); 902 903 return af_select(sock->sk->sk_family, 904 accept_perm(sock, newsock), 905 aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk)); 906} 907 908static int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock, 909 struct msghdr *msg, int size) 910{ 911 AA_BUG(!sock); 912 AA_BUG(!sock->sk); 913 AA_BUG(!msg); 914 AA_BUG(in_interrupt()); 915 916 return af_select(sock->sk->sk_family, 917 msg_perm(op, request, sock, msg, size), 918 aa_sk_perm(op, request, sock->sk)); 919} 920 921/** 922 * apparmor_socket_sendmsg - check perms before sending msg to another socket 923 */ 924static int apparmor_socket_sendmsg(struct socket *sock, 925 struct msghdr *msg, int size) 926{ 927 return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size); 928} 929 930/** 931 * apparmor_socket_recvmsg - check perms before receiving a message 932 */ 933static int apparmor_socket_recvmsg(struct socket *sock, 934 struct msghdr *msg, int size, int flags) 935{ 936 return aa_sock_msg_perm(OP_RECVMSG, AA_MAY_RECEIVE, sock, msg, size); 937} 938 939/* revaliation, get/set attr, shutdown */ 940static int aa_sock_perm(const char *op, u32 request, struct socket *sock) 941{ 942 AA_BUG(!sock); 943 AA_BUG(!sock->sk); 944 AA_BUG(in_interrupt()); 945 946 return af_select(sock->sk->sk_family, 947 sock_perm(op, request, sock), 948 aa_sk_perm(op, request, sock->sk)); 949} 950 951/** 952 * apparmor_socket_getsockname - check perms before getting the local address 953 */ 954static int apparmor_socket_getsockname(struct socket *sock) 955{ 956 return aa_sock_perm(OP_GETSOCKNAME, AA_MAY_GETATTR, sock); 957} 958 959/** 960 * apparmor_socket_getpeername - check perms before getting remote address 961 */ 962static int apparmor_socket_getpeername(struct socket *sock) 963{ 964 return aa_sock_perm(OP_GETPEERNAME, AA_MAY_GETATTR, sock); 965} 966 967/* revaliation, get/set attr, opt */ 968static int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock, 969 int level, int optname) 970{ 971 AA_BUG(!sock); 972 AA_BUG(!sock->sk); 973 AA_BUG(in_interrupt()); 974 975 return af_select(sock->sk->sk_family, 976 opt_perm(op, request, sock, level, optname), 977 aa_sk_perm(op, request, sock->sk)); 978} 979 980/** 981 * apparmor_getsockopt - check perms before getting socket options 982 */ 983static int apparmor_socket_getsockopt(struct socket *sock, int level, 984 int optname) 985{ 986 return aa_sock_opt_perm(OP_GETSOCKOPT, AA_MAY_GETOPT, sock, 987 level, optname); 988} 989 990/** 991 * apparmor_setsockopt - check perms before setting socket options 992 */ 993static int apparmor_socket_setsockopt(struct socket *sock, int level, 994 int optname) 995{ 996 return aa_sock_opt_perm(OP_SETSOCKOPT, AA_MAY_SETOPT, sock, 997 level, optname); 998} 999 1000/** 1001 * apparmor_socket_shutdown - check perms before shutting down @sock conn 1002 */ 1003static int apparmor_socket_shutdown(struct socket *sock, int how) 1004{ 1005 return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock); 1006} 1007 1008/** 1009 * apparmor_socket_sock_recv_skb - check perms before associating skb to sk 1010 * 1011 * Note: can not sleep may be called with locks held 1012 * 1013 * dont want protocol specific in __skb_recv_datagram() 1014 * to deny an incoming connection socket_sock_rcv_skb() 1015 */ 1016static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 1017{ 1018 return 0; 1019} 1020 1021 1022static struct aa_label *sk_peer_label(struct sock *sk) 1023{ 1024 struct aa_sk_ctx *ctx = SK_CTX(sk); 1025 1026 if (ctx->peer) 1027 return ctx->peer; 1028 1029 return ERR_PTR(-ENOPROTOOPT); 1030} 1031 1032/** 1033 * apparmor_socket_getpeersec_stream - get security context of peer 1034 * 1035 * Note: for tcp only valid if using ipsec or cipso on lan 1036 */ 1037static int apparmor_socket_getpeersec_stream(struct socket *sock, 1038 char __user *optval, 1039 int __user *optlen, 1040 unsigned int len) 1041{ 1042 char *name; 1043 int slen, error = 0; 1044 struct aa_label *label; 1045 struct aa_label *peer; 1046 1047 label = begin_current_label_crit_section(); 1048 peer = sk_peer_label(sock->sk); 1049 if (IS_ERR(peer)) { 1050 error = PTR_ERR(peer); 1051 goto done; 1052 } 1053 slen = aa_label_asxprint(&name, labels_ns(label), peer, 1054 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS | 1055 FLAG_HIDDEN_UNCONFINED, GFP_KERNEL); 1056 /* don't include terminating \0 in slen, it breaks some apps */ 1057 if (slen < 0) { 1058 error = -ENOMEM; 1059 } else { 1060 if (slen > len) { 1061 error = -ERANGE; 1062 } else if (copy_to_user(optval, name, slen)) { 1063 error = -EFAULT; 1064 goto out; 1065 } 1066 if (put_user(slen, optlen)) 1067 error = -EFAULT; 1068out: 1069 kfree(name); 1070 1071 } 1072 1073done: 1074 end_current_label_crit_section(label); 1075 1076 return error; 1077} 1078 1079/** 1080 * apparmor_socket_getpeersec_dgram - get security label of packet 1081 * @sock: the peer socket 1082 * @skb: packet data 1083 * @secid: pointer to where to put the secid of the packet 1084 * 1085 * Sets the netlabel socket state on sk from parent 1086 */ 1087static int apparmor_socket_getpeersec_dgram(struct socket *sock, 1088 struct sk_buff *skb, u32 *secid) 1089 1090{ 1091 /* TODO: requires secid support */ 1092 return -ENOPROTOOPT; 1093} 1094 1095/** 1096 * apparmor_sock_graft - Initialize newly created socket 1097 * @sk: child sock 1098 * @parent: parent socket 1099 * 1100 * Note: could set off of SOCK_CTX(parent) but need to track inode and we can 1101 * just set sk security information off of current creating process label 1102 * Labeling of sk for accept case - probably should be sock based 1103 * instead of task, because of the case where an implicitly labeled 1104 * socket is shared by different tasks. 1105 */ 1106static void apparmor_sock_graft(struct sock *sk, struct socket *parent) 1107{ 1108 struct aa_sk_ctx *ctx = SK_CTX(sk); 1109 1110 if (!ctx->label) 1111 ctx->label = aa_get_current_label(); 1112} 1113 |
|
| 746static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { 747 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), 748 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), 749 LSM_HOOK_INIT(capget, apparmor_capget), 750 LSM_HOOK_INIT(capable, apparmor_capable), 751 752 LSM_HOOK_INIT(sb_mount, apparmor_sb_mount), 753 LSM_HOOK_INIT(sb_umount, apparmor_sb_umount), --- 18 unchanged lines hidden (view full) --- 772 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security), 773 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file), 774 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect), 775 LSM_HOOK_INIT(file_lock, apparmor_file_lock), 776 777 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), 778 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 779 | 1114static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { 1115 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), 1116 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), 1117 LSM_HOOK_INIT(capget, apparmor_capget), 1118 LSM_HOOK_INIT(capable, apparmor_capable), 1119 1120 LSM_HOOK_INIT(sb_mount, apparmor_sb_mount), 1121 LSM_HOOK_INIT(sb_umount, apparmor_sb_umount), --- 18 unchanged lines hidden (view full) --- 1140 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security), 1141 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file), 1142 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect), 1143 LSM_HOOK_INIT(file_lock, apparmor_file_lock), 1144 1145 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), 1146 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 1147 |
| 1148 LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), 1149 LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), 1150 LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), 1151 1152 LSM_HOOK_INIT(socket_create, apparmor_socket_create), 1153 LSM_HOOK_INIT(socket_post_create, apparmor_socket_post_create), 1154 LSM_HOOK_INIT(socket_bind, apparmor_socket_bind), 1155 LSM_HOOK_INIT(socket_connect, apparmor_socket_connect), 1156 LSM_HOOK_INIT(socket_listen, apparmor_socket_listen), 1157 LSM_HOOK_INIT(socket_accept, apparmor_socket_accept), 1158 LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg), 1159 LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg), 1160 LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname), 1161 LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername), 1162 LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt), 1163 LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt), 1164 LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown), 1165 LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb), 1166 LSM_HOOK_INIT(socket_getpeersec_stream, 1167 apparmor_socket_getpeersec_stream), 1168 LSM_HOOK_INIT(socket_getpeersec_dgram, 1169 apparmor_socket_getpeersec_dgram), 1170 LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), 1171 |
|
| 780 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), 781 LSM_HOOK_INIT(cred_free, apparmor_cred_free), 782 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare), 783 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer), 784 785 LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds), 786 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds), 787 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds), 788 | 1172 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), 1173 LSM_HOOK_INIT(cred_free, apparmor_cred_free), 1174 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare), 1175 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer), 1176 1177 LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds), 1178 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds), 1179 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds), 1180 |
| 1181 LSM_HOOK_INIT(task_free, apparmor_task_free), 1182 LSM_HOOK_INIT(task_alloc, apparmor_task_alloc), |
|
| 789 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), 790 LSM_HOOK_INIT(task_kill, apparmor_task_kill), 791}; 792 793/* 794 * AppArmor sysfs module parameters 795 */ 796 --- 231 unchanged lines hidden (view full) --- 1028 * 1029 * TODO: allow setting an alternate profile than unconfined 1030 */ 1031static int __init set_init_ctx(void) 1032{ 1033 struct cred *cred = (struct cred *)current->real_cred; 1034 struct aa_task_ctx *ctx; 1035 | 1183 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), 1184 LSM_HOOK_INIT(task_kill, apparmor_task_kill), 1185}; 1186 1187/* 1188 * AppArmor sysfs module parameters 1189 */ 1190 --- 231 unchanged lines hidden (view full) --- 1422 * 1423 * TODO: allow setting an alternate profile than unconfined 1424 */ 1425static int __init set_init_ctx(void) 1426{ 1427 struct cred *cred = (struct cred *)current->real_cred; 1428 struct aa_task_ctx *ctx; 1429 |
| 1036 ctx = aa_alloc_task_context(GFP_KERNEL); | 1430 ctx = aa_alloc_task_ctx(GFP_KERNEL); |
| 1037 if (!ctx) 1038 return -ENOMEM; 1039 | 1431 if (!ctx) 1432 return -ENOMEM; 1433 |
| 1040 ctx->label = aa_get_label(ns_unconfined(root_ns)); 1041 cred_ctx(cred) = ctx; | 1434 cred_label(cred) = aa_get_label(ns_unconfined(root_ns)); 1435 task_ctx(current) = ctx; |
| 1042 1043 return 0; 1044} 1045 1046static void destroy_buffers(void) 1047{ 1048 u32 i, j; 1049 --- 140 unchanged lines hidden --- | 1436 1437 return 0; 1438} 1439 1440static void destroy_buffers(void) 1441{ 1442 u32 i, j; 1443 --- 140 unchanged lines hidden --- |