apparmor: move ptrace mediation to more logical task.{h,c}
AppArmor split out task-oriented controls into their own logical file a while ago. Ptrace mediation is better grouped with task than with ipc, so move it. Signed-off-by: John Johansen <john.johansen@canonical.com>
1 parent f567e7f commit eac9312

5 files changed

+133
-128
lines changed


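--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -36,6 +36,7 @@
 #include "include/policy_ns.h"
 #include "include/resource.h"
 #include "include/policy_unpack.h"
+#include "include/task.h"
 
 /*
 * The apparmor filesystem interface used for policy load and introspection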

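--- a/security/apparmor/include/ipc.h
+++ b/security/apparmor/include/ipc.h
@@ -13,24 +13,6 @@
 
 #include <linux/sched.h>
 
-struct aa_profile;
-
-#define AA_PTRACE_TRACE MAY_WRITE
-#define AA_PTRACE_READ MAY_READ
-#define AA_MAY_BE_TRACED AA_MAY_APPEND
-#define AA_MAY_BE_READ AA_MAY_CREATE
-#define PTRACE_PERM_SHIFT 2
-
-#define AA_PTRACE_PERM_MASK (AA_PTRACE_READ | AA_PTRACE_TRACE | \
-AA_MAY_BE_READ | AA_MAY_BE_TRACED)
-#define AA_SIGNAL_PERM_MASK (MAY_READ | MAY_WRITE)
-
-#define AA_SFS_SIG_MASK "hup int quit ill trap abrt bus fpe kill usr1 " \
-"segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg " \
-"xcpu xfsz vtalrm prof winch io pwr sys emt lost"
-
-int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
-u32 request);
 int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig);
 
 #endif /* __AA_IPC_H */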

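--- a/security/apparmor/include/task.h
+++ b/security/apparmor/include/task.h
@@ -77,4 +77,22 @@ static inline void aa_clear_task_ctx_trans(struct aa_task_ctx *ctx)
 ctx->token = 0;
 }
 
+#define AA_PTRACE_TRACE MAY_WRITE
+#define AA_PTRACE_READ MAY_READ
+#define AA_MAY_BE_TRACED AA_MAY_APPEND
+#define AA_MAY_BE_READ AA_MAY_CREATE
+#define PTRACE_PERM_SHIFT 2
+
+#define AA_PTRACE_PERM_MASK (AA_PTRACE_READ | AA_PTRACE_TRACE | \
+AA_MAY_BE_READ | AA_MAY_BE_TRACED)
+#define AA_SIGNAL_PERM_MASK (MAY_READ | MAY_WRITE)
+
+#define AA_SFS_SIG_MASK "hup int quit ill trap abrt bus fpe kill usr1 " \
+"segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg " \
+"xcpu xfsz vtalrm prof winch io pwr sys emt lost"
+
+int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
+u32 request);
+
+
 #endif /* __AA_TASK_H */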
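Review bot: AA_SIGNAL_PERM_MASK (new line 88) and AA_SFS_SIG_MASK (new lines 90-92) are signal-mediation constants, yet they are moved into task.h while `aa_may_signal` stays declared in ipc.h, so the header split no longer matches the commit's stated intent of relocating only ptrace and any includer that reached the signal masks through ipc.h now needs task.h as well. Leaving those two macros in ipc.h, or moving `aa_may_signal` together with them, would keep each header self-describing. The `struct aa_profile;` forward declaration dropped from ipc.h is not re-added here; nothing in the visible hunk needs it, but code that relied on it transitively through ipc.h should be checked. The moved lines also depend on `struct aa_label` and the MAY_*/AA_MAY_* perm bits being in scope in task.h, which the hunk does not show; presumably task.h already includes the perms header, worth confirming. The two blank lines before `#endif` (new lines 96-97) can be collapsed to one.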

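--- a/security/apparmor/ipc.c
+++ b/security/apparmor/ipc.c
@@ -9,7 +9,6 @@
 */
 
 #include <linux/gfp.h>
-#include <linux/ptrace.h>
 
 #include "include/audit.h"
 #include "include/capability.h"
@@ -18,115 +17,6 @@
 #include "include/ipc.h"
 #include "include/sig_names.h"
 
-/**
-* audit_ptrace_mask - convert mask to permission string
-* @mask: permission mask to convert
-*
-* Returns: pointer to static string
-*/
-static const char *audit_ptrace_mask(u32 mask)
-{
-switch (mask) {
-case MAY_READ:
-return "read";
-case MAY_WRITE:
-return "trace";
-case AA_MAY_BE_READ:
-return "readby";
-case AA_MAY_BE_TRACED:
-return "tracedby";
-}
-return "";
-}
-
-/* call back to audit ptrace fields */
-static void audit_ptrace_cb(struct audit_buffer *ab, void *va)
-{
-struct common_audit_data *sa = va;
-
-if (aad(sa)->request & AA_PTRACE_PERM_MASK) {
-audit_log_format(ab, " requested_mask=\"%s\"",
-audit_ptrace_mask(aad(sa)->request));
-
-if (aad(sa)->denied & AA_PTRACE_PERM_MASK) {
-audit_log_format(ab, " denied_mask=\"%s\"",
-audit_ptrace_mask(aad(sa)->denied));
-}
-}
-audit_log_format(ab, " peer=");
-aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
-FLAGS_NONE, GFP_ATOMIC);
-}
-
-/* assumes check for PROFILE_MEDIATES is already done */
-/* TODO: conditionals */
-static int profile_ptrace_perm(struct aa_profile *profile,
-struct aa_label *peer, u32 request,
-struct common_audit_data *sa)
-{
-struct aa_perms perms = { };
-
-aad(sa)->peer = peer;
-aa_profile_match_label(profile, peer, AA_CLASS_PTRACE, request,
-&perms);
-aa_apply_modes_to_perms(profile, &perms);
-return aa_check_perms(profile, &perms, request, sa, audit_ptrace_cb);
-}
-
-static int profile_tracee_perm(struct aa_profile *tracee,
-struct aa_label *tracer, u32 request,
-struct common_audit_data *sa)
-{
-if (profile_unconfined(tracee) || unconfined(tracer) ||
-!PROFILE_MEDIATES(tracee, AA_CLASS_PTRACE))
-return 0;
-
-return profile_ptrace_perm(tracee, tracer, request, sa);
-}
-
-static int profile_tracer_perm(struct aa_profile *tracer,
-struct aa_label *tracee, u32 request,
-struct common_audit_data *sa)
-{
-if (profile_unconfined(tracer))
-return 0;
-
-if (PROFILE_MEDIATES(tracer, AA_CLASS_PTRACE))
-return profile_ptrace_perm(tracer, tracee, request, sa);
-
-/* profile uses the old style capability check for ptrace */
-if (&tracer->label == tracee)
-return 0;
-
-aad(sa)->label = &tracer->label;
-aad(sa)->peer = tracee;
-aad(sa)->request = 0;
-aad(sa)->error = aa_capable(&tracer->label, CAP_SYS_PTRACE,
-CAP_OPT_NONE);
-
-return aa_audit(AUDIT_APPARMOR_AUTO, tracer, sa, audit_ptrace_cb);
-}
-
-/**
-* aa_may_ptrace - test if tracer task can trace the tracee
-* @tracer: label of the task doing the tracing (NOT NULL)
-* @tracee: task label to be traced
-* @request: permission request
-*
-* Returns: %0 else error code if permission denied or error
-*/
-int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
-u32 request)
-{
-struct aa_profile *profile;
-u32 xrequest = request << PTRACE_PERM_SHIFT;
-DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_PTRACE);
-
-return xcheck_labels(tracer, tracee, profile,
-profile_tracer_perm(profile, tracee, request, &sa),
-profile_tracee_perm(profile, tracer, xrequest, &sa));
-}
-
 
 static inline int map_signal_num(int sig)
 {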

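--- a/security/apparmor/task.c
+++ b/security/apparmor/task.c
@@ -12,7 +12,12 @@
 * should return to the previous cred if it has not been modified.
 */
 
+#include <linux/gfp.h>
+#include <linux/ptrace.h>
+
+#include "include/audit.h"
 #include "include/cred.h"
+#include "include/policy.h"
 #include "include/task.h"
 
 /**
@@ -177,3 +182,112 @@ int aa_restore_previous_label(u64 token)
 
 return 0;
 }
+
+/**
+* audit_ptrace_mask - convert mask to permission string
+* @mask: permission mask to convert
+*
+* Returns: pointer to static string
+*/
+static const char *audit_ptrace_mask(u32 mask)
+{
+switch (mask) {
+case MAY_READ:
+return "read";
+case MAY_WRITE:
+return "trace";
+case AA_MAY_BE_READ:
+return "readby";
+case AA_MAY_BE_TRACED:
+return "tracedby";
+}
+return "";
+}
+
+/* call back to audit ptrace fields */
+static void audit_ptrace_cb(struct audit_buffer *ab, void *va)
+{
+struct common_audit_data *sa = va;
+
+if (aad(sa)->request & AA_PTRACE_PERM_MASK) {
+audit_log_format(ab, " requested_mask=\"%s\"",
+audit_ptrace_mask(aad(sa)->request));
+
+if (aad(sa)->denied & AA_PTRACE_PERM_MASK) {
+audit_log_format(ab, " denied_mask=\"%s\"",
+audit_ptrace_mask(aad(sa)->denied));
+}
+}
+audit_log_format(ab, " peer=");
+aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
+FLAGS_NONE, GFP_ATOMIC);
+}
+
+/* assumes check for PROFILE_MEDIATES is already done */
+/* TODO: conditionals */
+static int profile_ptrace_perm(struct aa_profile *profile,
+struct aa_label *peer, u32 request,
+struct common_audit_data *sa)
+{
+struct aa_perms perms = { };
+
+aad(sa)->peer = peer;
+aa_profile_match_label(profile, peer, AA_CLASS_PTRACE, request,
+&perms);
+aa_apply_modes_to_perms(profile, &perms);
+return aa_check_perms(profile, &perms, request, sa, audit_ptrace_cb);
+}
+
+static int profile_tracee_perm(struct aa_profile *tracee,
+struct aa_label *tracer, u32 request,
+struct common_audit_data *sa)
+{
+if (profile_unconfined(tracee) || unconfined(tracer) ||
+!PROFILE_MEDIATES(tracee, AA_CLASS_PTRACE))
+return 0;
+
+return profile_ptrace_perm(tracee, tracer, request, sa);
+}
+
+static int profile_tracer_perm(struct aa_profile *tracer,
+struct aa_label *tracee, u32 request,
+struct common_audit_data *sa)
+{
+if (profile_unconfined(tracer))
+return 0;
+
+if (PROFILE_MEDIATES(tracer, AA_CLASS_PTRACE))
+return profile_ptrace_perm(tracer, tracee, request, sa);
+
+/* profile uses the old style capability check for ptrace */
+if (&tracer->label == tracee)
+return 0;
+
+aad(sa)->label = &tracer->label;
+aad(sa)->peer = tracee;
+aad(sa)->request = 0;
+aad(sa)->error = aa_capable(&tracer->label, CAP_SYS_PTRACE,
+CAP_OPT_NONE);
+
+return aa_audit(AUDIT_APPARMOR_AUTO, tracer, sa, audit_ptrace_cb);
+}
+
+/**
+* aa_may_ptrace - test if tracer task can trace the tracee
+* @tracer: label of the task doing the tracing (NOT NULL)
+* @tracee: task label to be traced
+* @request: permission request
+*
+* Returns: %0 else error code if permission denied or error
+*/
+int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
+u32 request)
+{
+struct aa_profile *profile;
+u32 xrequest = request << PTRACE_PERM_SHIFT;
+DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_PTRACE);
+
+return xcheck_labels(tracer, tracee, profile,
+profile_tracer_perm(profile, tracee, request, &sa),
+profile_tracee_perm(profile, tracer, xrequest, &sa));
+}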
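Review bot: The relocated helpers land in task.c without any explanation of the request-shifting scheme they depend on: `aa_may_ptrace` checks the tracer with `request` but the tracee with `xrequest = request << PTRACE_PERM_SHIFT` (new lines 287-292), and only the macro names in task.h hint that the shifted bits are meant to be the tracee-side AA_MAY_BE_READ/AA_MAY_BE_TRACED perms. Since the code is being moved anyway, a short comment above `profile_tracee_perm`, e.g. `/* @request is the tracer's request shifted by PTRACE_PERM_SHIFT so it lands on the tracee's AA_MAY_BE_READ/AA_MAY_BE_TRACED bits */`, would make the tracer/tracee asymmetry clear to the next reader; the exact bit correspondence is not visible in this hunk and should be confirmed before the comment is committed. The `#include <linux/ptrace.h>` carried over at new line 16 is not referenced by any symbol in the moved lines; it may be needed by something outside the hunk, but that is worth confirming rather than inheriting it from ipc.c. `aa_restore_previous_label`, whose closing lines serve as the hunk's leading context, starts outside the hunk.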
