-rw-r--r--security/apparmor/af_unix.c14
-rw-r--r--security/apparmor/apparmorfs.c2
-rw-r--r--security/apparmor/file.c2
-rw-r--r--security/apparmor/include/policy.h18
4 files changed, 26 insertions, 10 deletions
diff --git a/security/apparmor/af_unix.c b/security/apparmor/af_unix.c
index ce7dc9d98fb1..ed4b34b88e38 100644
--- a/security/apparmor/af_unix.c
+++ b/security/apparmor/af_unix.c
@@ -197,7 +197,7 @@ static int profile_create_perm(struct aa_profile *profile, int family,
AA_BUG(!profile);
AA_BUG(profile_unconfined(profile));
- state = RULE_MEDIATES_NET(rules);
+ state = RULE_MEDIATES_v9NET(rules);
if (state) {
state = aa_match_to_prot(rules->policy, state, AA_MAY_CREATE,
PF_UNIX, type, protocol, NULL,
@@ -226,7 +226,7 @@ static int profile_sk_perm(struct aa_profile *profile,
AA_BUG(is_unix_fs(sk));
AA_BUG(profile_unconfined(profile));
- state = RULE_MEDIATES_NET(rules);
+ state = RULE_MEDIATES_v9NET(rules);
if (state) {
state = match_to_sk(rules->policy, state, request, unix_sk(sk),
&p, &ad->info);
@@ -251,7 +251,7 @@ static int profile_bind_perm(struct aa_profile *profile, struct sock *sk,
AA_BUG(!ad);
AA_BUG(profile_unconfined(profile));
- state = RULE_MEDIATES_NET(rules);
+ state = RULE_MEDIATES_v9NET(rules);
if (state) {
/* bind for abstract socket */
state = match_to_local(rules->policy, state, AA_MAY_BIND,
@@ -281,7 +281,7 @@ static int profile_listen_perm(struct aa_profile *profile, struct sock *sk,
AA_BUG(!ad);
AA_BUG(profile_unconfined(profile));
- state = RULE_MEDIATES_NET(rules);
+ state = RULE_MEDIATES_v9NET(rules);
if (state) {
__be16 b = cpu_to_be16(backlog);
@@ -315,7 +315,7 @@ static int profile_accept_perm(struct aa_profile *profile,
AA_BUG(!ad);
AA_BUG(profile_unconfined(profile));
- state = RULE_MEDIATES_NET(rules);
+ state = RULE_MEDIATES_v9NET(rules);
if (state) {
state = match_to_sk(rules->policy, state, AA_MAY_ACCEPT,
unix_sk(sk), &p, &ad->info);
@@ -342,7 +342,7 @@ static int profile_opt_perm(struct aa_profile *profile, u32 request,
AA_BUG(!ad);
AA_BUG(profile_unconfined(profile));
- state = RULE_MEDIATES_NET(rules);
+ state = RULE_MEDIATES_v9NET(rules);
if (state) {
__be16 b = cpu_to_be16(optname);
@@ -379,7 +379,7 @@ static int profile_peer_perm(struct aa_profile *profile, u32 request,
AA_BUG(!ad);
AA_BUG(is_unix_fs(peer_sk)); /* currently always calls unix_fs_perm */
- state = RULE_MEDIATES_NET(rules);
+ state = RULE_MEDIATES_v9NET(rules);
if (state) {
struct aa_sk_ctx *peer_ctx = aa_sock(peer_sk);
struct aa_profile *peerp;
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 45afd585b52b..c5c756dda5cf 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -2414,7 +2414,7 @@ static struct aa_sfs_entry aa_sfs_entry_features[] = {
AA_SFS_DIR("domain", aa_sfs_entry_domain),
AA_SFS_DIR("file", aa_sfs_entry_file),
AA_SFS_DIR("network_v8", aa_sfs_entry_network),
- AA_SFS_DIR("network", aa_sfs_entry_networkv9),
+ AA_SFS_DIR("network_v9", aa_sfs_entry_networkv9),
AA_SFS_DIR("mount", aa_sfs_entry_mount),
AA_SFS_DIR("namespaces", aa_sfs_entry_ns),
AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
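Review bot: The entry renamed on the `AA_SFS_DIR("network_v9", ...)` line is part of the features string exported through apparmorfs, which userspace (presumably apparmor_parser) reads to decide which policy encoding to emit, so a parser that detected the v9 encoding by the presence of a plain "network" directory will, as far as this hunk shows, no longer find one; there is no compatibility entry left alongside "network_v8". If dropping the unsuffixed name is intended, a comment next to the entry would stop the next reader from reintroducing it, e.g. `/* v9 network mediation is advertised only as "network_v9"; the unsuffixed "network" entry was dropped on purpose */`. The aa_sfs_entry_features table starts before the hunk.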
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index d918b5dc6f59..85f89814af1e 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -228,7 +228,7 @@ int __aa_path_perm(const char *op, const struct cred *subj_cred,
int e = 0;
if (profile_unconfined(profile) ||
- ((flags & PATH_SOCK_COND) && !RULE_MEDIATES_NET(rules)))
+ ((flags & PATH_SOCK_COND) && !RULE_MEDIATES_v9NET(rules)))
return 0;
aa_str_perms(rules->file, rules->file->start[AA_CLASS_FILE],
name, cond, perms);
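Review bot: The early `return 0` on the `((flags & PATH_SOCK_COND) && !RULE_MEDIATES_v9NET(rules))` line now allows a socket-conditioned path without consulting file rules whenever the profile lacks the AA_CLASS_NETV9 class, and unlike the new RULE_MEDIATES_NET helper in policy.h, RULE_MEDIATES_v9NET has no fallback to the older AA_CLASS_NET. Before this change the same check keyed off AA_CLASS_NET (the line removed from RULE_MEDIATES_NET in policy.h), so a profile carrying only v8 network rules that previously fell through to `aa_str_perms` now skips the check entirely. If that is intended because the socket cond is presumably only emitted for v9 policy, say so: `/* PATH_SOCK_COND is only mediated by v9 policy; older profiles never reach the file rules for it */`; otherwise `!RULE_MEDIATES_NET(rules)` keeps the v8 behaviour. __aa_path_perm begins before the hunk.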
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 5128c5414f04..a6ddf3b7478e 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -304,11 +304,27 @@ static inline aa_state_t RULE_MEDIATES(struct aa_ruleset *rules,
rules->policy->start[0], &class, 1);
}
+static inline aa_state_t RULE_MEDIATES_v9NET(struct aa_ruleset *rules)
+{
+ return RULE_MEDIATES(rules, AA_CLASS_NETV9);
+}
+
static inline aa_state_t RULE_MEDIATES_NET(struct aa_ruleset *rules)
{
- return RULE_MEDIATES(rules, AA_CLASS_NET);
+ /* can not use RULE_MEDIATE_v9AF here, because AF match fail
+ * can not be distiguished from class match fail, and we only
+ * fallback to checking older class on class match failure
+ */
+ aa_state_t state = RULE_MEDIATES(rules, AA_CLASS_NETV9);
+
+ /* fallback and check v7/8 if v9 is NOT mediated */
+ if (!state)
+ state = RULE_MEDIATES(rules, AA_CLASS_NET);
+
+ return state;
}
+
static inline aa_state_t ANY_RULE_MEDIATES(struct list_head *head,
unsigned char class)
{