apparmor: update policy capable checks to use a label

Previously the policy capable checks assumed they were using the
current task. Make them take the task label so the query can be
made against an arbitrary task.

Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index d65324415980d2a530d4cc3d954ab5ee1ca9e4bf..3275e074e5f8282df4c1df75855334ff86efcffa 100644 (file)
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -1357,7 +1357,7 @@ static int rawdata_open(struct inode *inode, struct file *file)
        struct aa_loaddata *loaddata;
        struct rawdata_f_data *private;
 
-       if (!policy_view_capable(NULL))
+       if (!aa_current_policy_view_capable(NULL))
                return -EACCES;
 
        loaddata = __aa_get_loaddata(inode->i_private);
@@ -2266,7 +2266,7 @@ static const struct seq_operations aa_sfs_profiles_op = {
 
 static int profiles_open(struct inode *inode, struct file *file)
 {
-       if (!policy_view_capable(NULL))
+       if (!aa_current_policy_view_capable(NULL))
                return -EACCES;
 
        return seq_open(file, &aa_sfs_profiles_op);

diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
index 255764ab06e2f6ffb4d5f89ff560b85034afc2fd..f5b5485e20c9a91e1f308af9327e5716e6d31880 100644 (file)
--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -148,6 +148,7 @@ do {                                                        \
 #define __label_make_stale(X) ((X)->flags |= FLAG_STALE)
 #define labels_ns(X) (vec_ns(&((X)->vec[0]), (X)->size))
 #define labels_set(X) (&labels_ns(X)->labels)
+#define labels_view(X) labels_ns(X)
 #define labels_profile(X) ((X)->vec[(X)->size - 1])
 
 

diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index b5b4b8190e654ef77c88d0e752944c08595061db..cb5ef21991b72cc46b288d7680f77b6c705d3ab5 100644 (file)
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -301,9 +301,11 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
        return profile->audit;
 }
 
-bool policy_view_capable(struct aa_ns *ns);
-bool policy_admin_capable(struct aa_ns *ns);
+bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns);
+bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns);
 int aa_may_manage_policy(struct aa_label *label, struct aa_ns *ns,
                         u32 mask);
+bool aa_current_policy_view_capable(struct aa_ns *ns);
+bool aa_current_policy_admin_capable(struct aa_ns *ns);
 
 #endif /* __AA_POLICY_H */

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 66a8504c8bea94f719238310da7ab40f645a7e70..64d6020ffd509efdca5d67cf53b022bd529eb9d0 100644 (file)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1392,7 +1392,7 @@ static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp
 {
        if (!apparmor_enabled)
                return -EINVAL;
-       if (apparmor_initialized && !policy_admin_capable(NULL))
+       if (apparmor_initialized && !aa_current_policy_admin_capable(NULL))
                return -EPERM;
        return param_set_bool(val, kp);
 }
@@ -1401,7 +1401,7 @@ static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
 {
        if (!apparmor_enabled)
                return -EINVAL;
-       if (apparmor_initialized && !policy_view_capable(NULL))
+       if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
                return -EPERM;
        return param_get_bool(buffer, kp);
 }
@@ -1410,7 +1410,7 @@ static int param_set_aabool(const char *val, const struct kernel_param *kp)
 {
        if (!apparmor_enabled)
                return -EINVAL;
-       if (apparmor_initialized && !policy_admin_capable(NULL))
+       if (apparmor_initialized && !aa_current_policy_admin_capable(NULL))
                return -EPERM;
        return param_set_bool(val, kp);
 }
@@ -1419,7 +1419,7 @@ static int param_get_aabool(char *buffer, const struct kernel_param *kp)
 {
        if (!apparmor_enabled)
                return -EINVAL;
-       if (apparmor_initialized && !policy_view_capable(NULL))
+       if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
                return -EPERM;
        return param_get_bool(buffer, kp);
 }
@@ -1445,7 +1445,7 @@ static int param_get_aauint(char *buffer, const struct kernel_param *kp)
 {
        if (!apparmor_enabled)
                return -EINVAL;
-       if (apparmor_initialized && !policy_view_capable(NULL))
+       if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
                return -EPERM;
        return param_get_uint(buffer, kp);
 }
@@ -1516,7 +1516,7 @@ static int param_get_aacompressionlevel(char *buffer,
 {
        if (!apparmor_enabled)
                return -EINVAL;
-       if (apparmor_initialized && !policy_view_capable(NULL))
+       if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
                return -EPERM;
        return param_get_int(buffer, kp);
 }
@@ -1525,7 +1525,7 @@ static int param_get_audit(char *buffer, const struct kernel_param *kp)
 {
        if (!apparmor_enabled)
                return -EINVAL;
-       if (apparmor_initialized && !policy_view_capable(NULL))
+       if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
                return -EPERM;
        return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
 }
@@ -1538,7 +1538,7 @@ static int param_set_audit(const char *val, const struct kernel_param *kp)
                return -EINVAL;
        if (!val)
                return -EINVAL;
-       if (apparmor_initialized && !policy_admin_capable(NULL))
+       if (apparmor_initialized && !aa_current_policy_admin_capable(NULL))
                return -EPERM;
 
        i = match_string(audit_mode_names, AUDIT_MAX_INDEX, val);
@@ -1553,7 +1553,7 @@ static int param_get_mode(char *buffer, const struct kernel_param *kp)
 {
        if (!apparmor_enabled)
                return -EINVAL;
-       if (apparmor_initialized && !policy_view_capable(NULL))
+       if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
                return -EPERM;
 
        return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
@@ -1567,7 +1567,7 @@ static int param_set_mode(const char *val, const struct kernel_param *kp)
                return -EINVAL;
        if (!val)
                return -EINVAL;
-       if (apparmor_initialized && !policy_admin_capable(NULL))
+       if (apparmor_initialized && !aa_current_policy_admin_capable(NULL))
                return -EPERM;
 
        i = match_string(aa_profile_mode_names, APPARMOR_MODE_NAMES_MAX_INDEX,
@@ -1703,7 +1703,7 @@ static int __init alloc_buffers(void)
 static int apparmor_dointvec(struct ctl_table *table, int write,
                             void __user *buffer, size_t *lenp, loff_t *ppos)
 {
-       if (!policy_admin_capable(NULL))
+       if (!aa_current_policy_admin_capable(NULL))
                return -EPERM;
        if (!apparmor_enabled)
                return -EINVAL;

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 269f2f53c0b115405eda0046249151b605d1d116..e680121e013ee7f4f8d126b8fa02009bd16f829b 100644 (file)
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -632,17 +632,18 @@ static int audit_policy(struct aa_label *label, const char *op,
 }
 
 /**
- * policy_view_capable - check if viewing policy in at @ns is allowed
- * ns: namespace being viewed by current task (may be NULL)
+ * aa_policy_view_capable - check if viewing policy in at @ns is allowed
+ * label: label that is trying to view policy in ns
+ * ns: namespace being viewed by @label (may be NULL if @label's ns)
  * Returns: true if viewing policy is allowed
  *
  * If @ns is NULL then the namespace being viewed is assumed to be the
  * tasks current namespace.
  */
-bool policy_view_capable(struct aa_ns *ns)
+bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns)
 {
        struct user_namespace *user_ns = current_user_ns();
-       struct aa_ns *view_ns = aa_get_current_ns();
+       struct aa_ns *view_ns = labels_view(label);
        bool root_in_user_ns = uid_eq(current_euid(), make_kuid(user_ns, 0)) ||
                               in_egroup_p(make_kgid(user_ns, 0));
        bool response = false;
@@ -654,12 +655,11 @@ bool policy_view_capable(struct aa_ns *ns)
             (unprivileged_userns_apparmor_policy != 0 &&
              user_ns->level == view_ns->level)))
                response = true;
-       aa_put_ns(view_ns);
 
        return response;
 }
 
-bool policy_admin_capable(struct aa_ns *ns)
+bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns)
 {
        struct user_namespace *user_ns = current_user_ns();
        bool capable = ns_capable(user_ns, CAP_MAC_ADMIN);
@@ -667,7 +667,32 @@ bool policy_admin_capable(struct aa_ns *ns)
        AA_DEBUG("cap_mac_admin? %d\n", capable);
        AA_DEBUG("policy locked? %d\n", aa_g_lock_policy);
 
-       return policy_view_capable(ns) && capable && !aa_g_lock_policy;
+       return aa_policy_view_capable(label, ns) && capable &&
+               !aa_g_lock_policy;
+}
+
+bool aa_current_policy_view_capable(struct aa_ns *ns)
+{
+       struct aa_label *label;
+       bool res;
+
+       label = __begin_current_label_crit_section();
+       res = aa_policy_view_capable(label, ns);
+       __end_current_label_crit_section(label);
+
+       return res;
+}
+
+bool aa_current_policy_admin_capable(struct aa_ns *ns)
+{
+       struct aa_label *label;
+       bool res;
+
+       label = __begin_current_label_crit_section();
+       res = aa_policy_admin_capable(label, ns);
+       __end_current_label_crit_section(label);
+
+       return res;
 }
 
 /**
@@ -693,7 +718,7 @@ int aa_may_manage_policy(struct aa_label *label, struct aa_ns *ns, u32 mask)
                return audit_policy(label, op, NULL, NULL, "policy_locked",
                                    -EACCES);
 
-       if (!policy_admin_capable(ns))
+       if (!aa_policy_admin_capable(label, ns))
                return audit_policy(label, op, NULL, NULL, "not policy admin",
                                    -EACCES);