1 | From: John Johansen <jjohansen@suse.de> |
2 | Subject: fix log messages to enable tools profile learning | |
3 | Patch-mainline: no | |
4 | References: bnc#447564 | |
5 | ||
6 | The allocation of the child pid is done after the LSM clone hook, which | |
7 | breaks the AppArmor tools fork tracking, for profile learning. Output | |
8 | the parent pid with each log message to enable the tools to handle fork | |
9 | tracking. | |
10 | ||
11 | Signed-off-by: John Johansen <jjohansen@suse.de> | |
12 | ||
13 | --- | |
14 | security/apparmor/lsm.c | 28 ---------------------------- | |
15 | security/apparmor/main.c | 10 +++++----- | |
16 | security/apparmor/module_interface.c | 2 +- | |
17 | 3 files changed, 6 insertions(+), 34 deletions(-) | |
18 | ||
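--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -143,20 +143,6 @@ static int param_set_aa_enabled(const ch
 return 0;
 }
 
-static int aa_reject_syscall(struct task_struct *task, gfp_t flags,
- const char *name)
-{
- struct aa_profile *profile = aa_get_profile(task);
- int error = 0;
-
- if (profile) {
- error = aa_audit_syscallreject(profile, flags, name);
- aa_put_profile(profile);
- }
-
- return error;
-}
-
 static int apparmor_ptrace(struct task_struct *parent,
 struct task_struct *child)
 {
@@ -292,17 +278,6 @@ static int apparmor_bprm_secureexec(stru
 return ret;
 }
 
-static int apparmor_sb_mount(char *dev_name, struct path *path, char *type,
- unsigned long flags, void *data)
-{
- return aa_reject_syscall(current, GFP_KERNEL, "mount");
-}
-
-static int apparmor_umount(struct vfsmount *mnt, int flags)
-{
- return aa_reject_syscall(current, GFP_KERNEL, "umount");
-}
-
 static int apparmor_inode_mkdir(struct inode *dir, struct dentry *dentry,
 struct vfsmount *mnt, int mask)
 {
@@ -925,9 +900,6 @@ struct security_operations apparmor_ops
 .bprm_set_security = apparmor_bprm_set_security,
 .bprm_secureexec = apparmor_bprm_secureexec,
 
- .sb_mount = apparmor_sb_mount,
- .sb_umount = apparmor_umount,
-
 .inode_mkdir = apparmor_inode_mkdir,
 .inode_rmdir = apparmor_inode_rmdir,
 .inode_create = apparmor_inode_create,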
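--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -229,9 +229,13 @@ static int aa_audit_base(struct aa_profi
 audit_log_format(ab, " protocol=%d", sa->protocol);
 }
 
- audit_log_format(ab, " pid=%d", current->pid);
+ audit_log_format(ab, " pid=%d", current->pid);
 
 if (profile) {
+ if (!sa->parent)
+ audit_log_format(ab, " parent=%d",
+ current->real_parent->pid);
+
 audit_log_format(ab, " profile=");
 audit_log_untrustedstring(ab, profile->name);
 
@@ -1006,10 +1010,6 @@ repeat:
 
 unlock_profile(profile);
 
- if (APPARMOR_COMPLAIN(child_cxt) &&
- profile == profile->ns->null_complain_profile) {
- aa_audit_hint(profile, &sa);
- }
 aa_put_profile(profile);
 } else
 aa_free_task_context(child_cxt);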
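Review bot: `current->real_parent->pid` in the new `parent=` line of the first hunk dereferences real_parent without RCU protection; real_parent is rewritten when the task is reparented after its parent exits, and the usual kernel pattern reads it as `rcu_read_lock(); ppid = rcu_dereference(current->real_parent)->pid; rcu_read_unlock();` before logging, unless aa_audit_base() is already called with rcu_read_lock or tasklist_lock held, which the hunk does not show. The `if (!sa->parent)` guard is not self-explanatory either; a one-line comment such as `/* no parent recorded in sa: log the live parent so the tools can follow forks */` would help, assuming that is the intent. Note that `pid` here is the global pid, matching the existing `pid=` field rather than a namespace-relative value. aa_audit_base() starts before the hunk and continues after it.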
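--- a/security/apparmor/module_interface.c
+++ b/security/apparmor/module_interface.c
@@ -126,7 +126,7 @@ static int aa_is_nameX(struct aa_ext *e,
 * AA_NAME tag value is a u16.
 */
 if (aa_is_X(e, AA_NAME)) {
- char *tag;
+ char *tag = NULL;
 size_t size = aa_is_u16_chunk(e, &tag);
 /* if a name is specified it must match. otherwise skip tag */
 if (name && (!size || strcmp(name, tag)))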
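Review bot: The `= NULL` initialisation on the new `char *tag` line only matters if aa_is_u16_chunk() can return without storing through its second argument, and the hunk does not show that function, so the reason for the change deserves a comment such as `/* aa_is_u16_chunk() may return 0 without setting tag */` next to the declaration. With `!size` short-circuiting the `strcmp(name, tag)` below, the compare is only reached for a non-empty chunk, but nothing visible here guarantees that chunk carries a NUL terminator within `size`; if aa_is_u16_chunk() does not enforce that, a check like `tag[size - 1] == '\0'` before the strcmp keeps the parser from reading past the profile data. aa_is_nameX() starts before the hunk and continues after it.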