summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2022-09-06 10:38:20 +0300
committerJohn Johansen <john.johansen@canonical.com>2022-10-04 00:49:04 +0300
commit3bf3d728a58d7dcf2bbf179e3263fb8651f6097b (patch)
treedf69e5bb641129014e487a9cf3ae607bb327d025 /security
parent3dfd16ab697ff23973b6fbb89808372bcd008dd1 (diff)
downloadlinux-3bf3d728a58d7dcf2bbf179e3263fb8651f6097b.tar.xz
apparmor: verify loaded permission bits masks don't overlap
Add an additional verification that loaded permission sets don't overlap in ways that are not intended. This will help ensure that permission accumulation can't result in an invalid permission set. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/policy_unpack.c34
1 files changed, 30 insertions, 4 deletions
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 312bd632a472..5a78aaa0eea4 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -1150,11 +1150,37 @@ static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size)
return true;
}
-static bool verify_perm_indexes(struct aa_policydb *pdb)
+static bool verify_perm(struct aa_perms *perm)
+{
+ /* TODO: allow option to just force the perms into a valid state */
+ if (perm->allow & perm->deny)
+ return false;
+ if (perm->subtree & ~perm->allow)
+ return false;
+ if (perm->cond & (perm->allow | perm->deny))
+ return false;
+ if (perm->kill & perm->allow)
+ return false;
+ if (perm->complain & (perm->allow | perm->deny))
+ return false;
+ if (perm->prompt & (perm->allow | perm->deny))
+ return false;
+ if (perm->complain & perm->prompt)
+ return false;
+ if (perm->hide & perm->allow)
+ return false;
+
+ return true;
+}
+
+static bool verify_perms(struct aa_policydb *pdb)
{
int i;
for (i = 0; i < pdb->size; i++) {
+ if (!verify_perm(&pdb->perms[i]))
+ return false;
+ /* verify indexes into str table */
if (pdb->perms[i].xindex >= pdb->trans.size)
return false;
if (pdb->perms[i].tag >= pdb->trans.size)
@@ -1187,17 +1213,17 @@ static int verify_profile(struct aa_profile *profile)
return -EPROTO;
}
- if (!verify_perm_indexes(&profile->file)) {
+ if (!verify_perms(&profile->file)) {
audit_iface(profile, NULL, NULL,
"Unpack: Invalid perm index", NULL, -EPROTO);
return -EPROTO;
}
- if (!verify_perm_indexes(&profile->policy)) {
+ if (!verify_perms(&profile->policy)) {
audit_iface(profile, NULL, NULL,
"Unpack: Invalid perm index", NULL, -EPROTO);
return -EPROTO;
}
- if (!verify_perm_indexes(&profile->xmatch)) {
+ if (!verify_perms(&profile->xmatch)) {
audit_iface(profile, NULL, NULL,
"Unpack: Invalid perm index", NULL, -EPROTO);
return -EPROTO;