apparmor: make sure perm indexes are accumulated

accumulate permission indexes on a first encountered basis. This
favors original rulesets so that new ones can not override without
profile replacement.

Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
index 521c8568f6d49d1be5e92d5b50e613c63778dd45..1a1c0f0c50710154010fb33714ea0a2e9ff562e4 100644 (file)
--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -88,10 +88,10 @@ static inline struct aa_label *aa_get_file_label(struct aa_file_ctx *ctx)
  * - exec type - which determines how the executable name and index are used
  * - flags - which modify how the destination name is applied
  */
-#define AA_X_INDEX_MASK                0x00ffffff
+#define AA_X_INDEX_MASK                AA_INDEX_MASK
 
 #define AA_X_TYPE_MASK         0x0c000000
-#define AA_X_NONE              0x00000000
+#define AA_X_NONE              AA_INDEX_NONE
 #define AA_X_NAME              0x04000000 /* use executable name px */
 #define AA_X_TABLE             0x08000000 /* use a specified name ->n# */
 

diff --git a/security/apparmor/include/perms.h b/security/apparmor/include/perms.h
index d66059fcebb45946255e4782420a0d8552cb60a3..0de8c3fb090dc0c75ba25370e77f7caa2728bd24 100644 (file)
--- a/security/apparmor/include/perms.h
+++ b/security/apparmor/include/perms.h
@@ -78,11 +78,20 @@ struct aa_perms {
        u32 quiet;      /* set only when ~allow | deny */
        u32 hide;       /* set only when  ~allow | deny */
 
+
        u32 xindex;
        u32 tag;        /* tag string index, if present */
        u32 label;      /* label string index, if present */
 };
 
+/*
+ * Indexes are broken into a 24 bit index and 8 bit flag.
+ * For the index to be valid there must be a value in the flag
+ */
+#define AA_INDEX_MASK                  0x00ffffff
+#define AA_INDEX_FLAG_MASK             0xff000000
+#define AA_INDEX_NONE                  0
+
 #define ALL_PERMS_MASK 0xffffffff
 extern struct aa_perms nullperms;
 extern struct aa_perms allperms;

diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index b0fcec89327457702e65aa3f00f3b849ac95b59f..d6a8c361025b4846c7b31656dd1095acbc84cb89 100644 (file)
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -348,6 +348,13 @@ void aa_perms_accum_raw(struct aa_perms *accum, struct aa_perms *addend)
        accum->hide &= addend->hide & ~addend->allow;
        accum->prompt |= addend->prompt & ~addend->allow & ~addend->deny;
        accum->subtree |= addend->subtree & ~addend->deny;
+
+       if (!accum->xindex)
+               accum->xindex = addend->xindex;
+       if (!accum->tag)
+               accum->tag = addend->tag;
+       if (!accum->label)
+               accum->label = addend->label;
 }
 
 /**
@@ -367,6 +374,13 @@ void aa_perms_accum(struct aa_perms *accum, struct aa_perms *addend)
        accum->hide &= addend->hide & ~accum->allow;
        accum->prompt |= addend->prompt & ~accum->allow & ~accum->deny;
        accum->subtree &= addend->subtree & ~accum->deny;
+
+       if (!accum->xindex)
+               accum->xindex = addend->xindex;
+       if (!accum->tag)
+               accum->tag = addend->tag;
+       if (!accum->label)
+               accum->label = addend->label;
 }
 
 void aa_profile_match_label(struct aa_profile *profile, struct aa_label *label,