Merge tag 'apparmor-pr-2018-11-01' of git://git.kernel.org/pub/scm/linux/kernel/git...

author Linus Torvalds <[email protected]>

Fri, 2 Nov 2018 17:04:26 +0000 (10:04 -0700)

committer Linus Torvalds <[email protected]>

Fri, 2 Nov 2018 17:04:26 +0000 (10:04 -0700)
author Linus Torvalds <[email protected]>
Fri, 2 Nov 2018 17:04:26 +0000 (10:04 -0700)
committer Linus Torvalds <[email protected]>
Fri, 2 Nov 2018 17:04:26 +0000 (10:04 -0700)
diff --combined security/apparmor/lsm.c

index aa35939443c47799afc720d6119427389dc0bea2,656a143ce8fe29cc0b44e3d140e7e3dcc2cca521..42446a216f3bcfccfe2b0f099f4fa044c1efe6da
--- 1/security/apparmor/lsm.c
--- 2/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@@ -23,6 -23,8 +23,8 @@@
   #include <linux/sysctl.h>
   #include <linux/audit.h>
   #include <linux/user_namespace.h>
+ #include <linux/netfilter_ipv4.h>
+ #include <linux/netfilter_ipv6.h>
   #include <net/sock.h>
   
   #include "include/apparmor.h"
@@@ -114,13 -116,13 +116,13 @@@ static int apparmor_ptrace_access_check
         struct aa_label *tracer, *tracee;
         int error;
   
-       tracer = begin_current_label_crit_section();
+       tracer = __begin_current_label_crit_section();
         tracee = aa_get_task_label(child);
         error = aa_may_ptrace(tracer, tracee,
                         (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ
                                                   : AA_PTRACE_TRACE);
         aa_put_label(tracee);
-       end_current_label_crit_section(tracer);
+       __end_current_label_crit_section(tracer);
   
         return error;
   }
@@@ -130,11 -132,11 +132,11 @@@ static int apparmor_ptrace_traceme(stru
         struct aa_label *tracer, *tracee;
         int error;
   
-       tracee = begin_current_label_crit_section();
+       tracee = __begin_current_label_crit_section();
         tracer = aa_get_task_label(parent);
         error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
         aa_put_label(tracer);
-       end_current_label_crit_section(tracee);
+       __end_current_label_crit_section(tracee);
   
         return error;
   }
@@@ -395,7 -397,7 +397,7 @@@ static int apparmor_inode_getattr(cons
         return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR);
   }
   
- -static int apparmor_file_open(struct file *file, const struct cred *cred)
+ +static int apparmor_file_open(struct file *file)
   {
         struct aa_file_ctx *fctx = file_ctx(file);
         struct aa_label *label;
@@@ -414,7 -416,7 +416,7 @@@
                 return 0;
         }
   
- -      label = aa_get_newest_cred_label(cred);
+ +      label = aa_get_newest_cred_label(file->f_cred);
         if (!unconfined(label)) {
                 struct inode *inode = file_inode(file);
                 struct path_cond cond = { inode->i_uid, inode->i_mode };
@@@ -732,7 -734,7 +734,7 @@@ static int apparmor_task_setrlimit(stru
         return error;
   }
   
- -static int apparmor_task_kill(struct task_struct *target, struct siginfo *info,
+ +static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo *info,
                               int sig, const struct cred *cred)
   {
         struct aa_label *cl, *tl;
@@@ -1020,6 -1022,7 +1022,7 @@@ static int apparmor_socket_shutdown(str
         return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock);
   }
   
+ #ifdef CONFIG_NETWORK_SECMARK
   /**
    * apparmor_socket_sock_recv_skb - check perms before associating skb to sk
    *
@@@ -1030,8 -1033,15 +1033,15 @@@
    */
   static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
   {
-       return 0;
+       struct aa_sk_ctx *ctx = SK_CTX(sk);
+ 
+       if (!skb->secmark)
+               return 0;
+ 
+       return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE,
+                                     skb->secmark, sk);
   }
+ #endif
   
   
   static struct aa_label *sk_peer_label(struct sock *sk)
@@@ -1126,6 -1136,20 +1136,20 @@@ static void apparmor_sock_graft(struct 
                 ctx->label = aa_get_current_label();
   }
   
+ #ifdef CONFIG_NETWORK_SECMARK
+ static int apparmor_inet_conn_request(struct sock *sk, struct sk_buff *skb,
+                                     struct request_sock *req)
+ {
+       struct aa_sk_ctx *ctx = SK_CTX(sk);
+ 
+       if (!skb->secmark)
+               return 0;
+ 
+       return apparmor_secmark_check(ctx->label, OP_CONNECT, AA_MAY_CONNECT,
+                                     skb->secmark, sk);
+ }
+ #endif
+ 
   static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
         LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
         LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
@@@ -1177,12 -1201,17 +1201,17 @@@
         LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt),
         LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt),
         LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown),
+ #ifdef CONFIG_NETWORK_SECMARK
         LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb),
+ #endif
         LSM_HOOK_INIT(socket_getpeersec_stream,
                       apparmor_socket_getpeersec_stream),
         LSM_HOOK_INIT(socket_getpeersec_dgram,
                       apparmor_socket_getpeersec_dgram),
         LSM_HOOK_INIT(sock_graft, apparmor_sock_graft),
+ #ifdef CONFIG_NETWORK_SECMARK
+       LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request),
+ #endif
   
         LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
         LSM_HOOK_INIT(cred_free, apparmor_cred_free),
@@@ -1538,6 -1567,97 +1567,97 @@@ static inline int apparmor_init_sysctl(
   }
   #endif /* CONFIG_SYSCTL */
   
+ #if defined(CONFIG_NETFILTER) && defined(CONFIG_NETWORK_SECMARK)
+ static unsigned int apparmor_ip_postroute(void *priv,
+                                         struct sk_buff *skb,
+                                         const struct nf_hook_state *state)
+ {
+       struct aa_sk_ctx *ctx;
+       struct sock *sk;
+ 
+       if (!skb->secmark)
+               return NF_ACCEPT;
+ 
+       sk = skb_to_full_sk(skb);
+       if (sk == NULL)
+               return NF_ACCEPT;
+ 
+       ctx = SK_CTX(sk);
+       if (!apparmor_secmark_check(ctx->label, OP_SENDMSG, AA_MAY_SEND,
+                                   skb->secmark, sk))
+               return NF_ACCEPT;
+ 
+       return NF_DROP_ERR(-ECONNREFUSED);
+ 
+ }
+ 
+ static unsigned int apparmor_ipv4_postroute(void *priv,
+                                           struct sk_buff *skb,
+                                           const struct nf_hook_state *state)
+ {
+       return apparmor_ip_postroute(priv, skb, state);
+ }
+ 
+ static unsigned int apparmor_ipv6_postroute(void *priv,
+                                           struct sk_buff *skb,
+                                           const struct nf_hook_state *state)
+ {
+       return apparmor_ip_postroute(priv, skb, state);
+ }
+ 
+ static const struct nf_hook_ops apparmor_nf_ops[] = {
+       {
+               .hook =         apparmor_ipv4_postroute,
+               .pf =           NFPROTO_IPV4,
+               .hooknum =      NF_INET_POST_ROUTING,
+               .priority =     NF_IP_PRI_SELINUX_FIRST,
+       },
+ #if IS_ENABLED(CONFIG_IPV6)
+       {
+               .hook =         apparmor_ipv6_postroute,
+               .pf =           NFPROTO_IPV6,
+               .hooknum =      NF_INET_POST_ROUTING,
+               .priority =     NF_IP6_PRI_SELINUX_FIRST,
+       },
+ #endif
+ };
+ 
+ static int __net_init apparmor_nf_register(struct net *net)
+ {
+       int ret;
+ 
+       ret = nf_register_net_hooks(net, apparmor_nf_ops,
+                                   ARRAY_SIZE(apparmor_nf_ops));
+       return ret;
+ }
+ 
+ static void __net_exit apparmor_nf_unregister(struct net *net)
+ {
+       nf_unregister_net_hooks(net, apparmor_nf_ops,
+                               ARRAY_SIZE(apparmor_nf_ops));
+ }
+ 
+ static struct pernet_operations apparmor_net_ops = {
+       .init = apparmor_nf_register,
+       .exit = apparmor_nf_unregister,
+ };
+ 
+ static int __init apparmor_nf_ip_init(void)
+ {
+       int err;
+ 
+       if (!apparmor_enabled)
+               return 0;
+ 
+       err = register_pernet_subsys(&apparmor_net_ops);
+       if (err)
+               panic("Apparmor: register_pernet_subsys: error %d\n", err);
+ 
+       return 0;
+ }
+ __initcall(apparmor_nf_ip_init);
+ #endif
+ 
   static int __init apparmor_init(void)
   {
         int error;
@@@ -1606,7 -1726,4 +1726,7 @@@ alloc_out
         return error;
   }
   
- -security_initcall(apparmor_init);
+ +DEFINE_LSM(apparmor) = {
+ +      .name = "apparmor",
+ +      .init = apparmor_init,
+ +};
diff --combined security/apparmor/secid.c

index 4ccec1bcf6f54f261542a546458cab77c6af9e52,8c951c493beb31214f45372b95dcdf135ccec003..05373d9a3d6af10643050e7a825c04b3aef30c96
--- 1/security/apparmor/secid.c
--- 2/security/apparmor/secid.c
+++ b/security/apparmor/secid.c
@@@ -32,8 -32,7 +32,7 @@@
    * secids - do not pin labels with a refcount. They rely on the label
    * properly updating/freeing them
    */
- 
- #define AA_FIRST_SECID 1
+ #define AA_FIRST_SECID 2
   
   static DEFINE_IDR(aa_secids);
   static DEFINE_SPINLOCK(secid_lock);
@@@ -79,6 -78,7 +78,6 @@@ int apparmor_secid_to_secctx(u32 secid
         struct aa_label *label = aa_secid_to_label(secid);
         int len;
   
- -      AA_BUG(!secdata);
         AA_BUG(!seclen);
   
         if (!label)
author	Linus Torvalds <[email protected]>
	Fri, 2 Nov 2018 17:04:26 +0000 (10:04 -0700)
committer	Linus Torvalds <[email protected]>
	Fri, 2 Nov 2018 17:04:26 +0000 (10:04 -0700)
		1	2
security/apparmor/lsm.c	patch \|	diff1 \|	diff2 \|	blob \| history
security/apparmor/secid.c	patch \|	diff1 \|	diff2 \|	blob \| history