diff options
| author | John Johansen <john.johansen@canonical.com> | 2017-10-09 04:26:19 +0300 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2018-02-09 22:30:01 +0300 |
| commit | 9fcf78cca198600b27c44b4e50f00f8af3927f17 (patch) | |
| tree | 7399172a2190db01668808fe8d6782c29145428b /security/apparmor/include | |
| parent | d8889d49e414b371eb235c08c3a759ab3e0cfa51 (diff) | |
| download | linux-9fcf78cca198600b27c44b4e50f00f8af3927f17.tar.xz | |
apparmor: update domain transitions that are subsets of confinement at nnp
Domain transition so far have been largely blocked by no new privs,
unless the transition has been provably a subset of the previous
confinement. There was a couple problems with the previous
implementations,
- transitions that weren't explicitly a stack but resulted in a subset
of confinement were disallowed
- confinement subsets were only calculated from the previous
confinement instead of the confinement being enforced at the time of
no new privs, so transitions would have to get progressively
tighter.
Fix this by detecting and storing a reference to the task's
confinement at the "time" no new privs is set. This reference is then
used to determine whether a transition is a subsystem of the
confinement at the time no new privs was set.
Unfortunately the implementation is less than ideal in that we have to
detect no new privs after the fact when a task attempts a domain
transition. This is adequate for the currently but will not work in a
stacking situation where no new privs could be conceivably be set in
both the "host" and in the container.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/include')
| -rw-r--r-- | security/apparmor/include/task.h | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/security/apparmor/include/task.h b/security/apparmor/include/task.h index d222197db299..55edaa1d83f8 100644 --- a/security/apparmor/include/task.h +++ b/security/apparmor/include/task.h @@ -18,11 +18,13 @@ /* * struct aa_task_ctx - information for current task label change + * @nnp: snapshot of label at time of no_new_privs * @onexec: profile to transition to on next exec (MAY BE NULL) * @previous: profile the task may return to (MAY BE NULL) * @token: magic value the task must know for returning to @previous_profile */ struct aa_task_ctx { + struct aa_label *nnp; struct aa_label *onexec; struct aa_label *previous; u64 token; @@ -52,6 +54,7 @@ static inline struct aa_task_ctx *aa_alloc_task_ctx(gfp_t flags) static inline void aa_free_task_ctx(struct aa_task_ctx *ctx) { if (ctx) { + aa_put_label(ctx->nnp); aa_put_label(ctx->previous); aa_put_label(ctx->onexec); @@ -68,6 +71,7 @@ static inline void aa_dup_task_ctx(struct aa_task_ctx *new, const struct aa_task_ctx *old) { *new = *old; + aa_get_label(new->nnp); aa_get_label(new->previous); aa_get_label(new->onexec); } |