
Commit 2410aa9

apparmor: make policy_unpack able to audit different info messages
Switch unpack auditing to using the generic name field in the audit struct and make it so we can start adding new info messages about why an unpack failed. Signed-off-by: John Johansen <[email protected]> Acked-by: Seth Arnold <[email protected]>
1 parent 26b7899 commit 2410aa9


2 files changed

+40
-16
lines changed


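--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -127,9 +127,9 @@ struct apparmor_audit_data {
 		} fs;
 	};
 	struct {
-		const char *name;
-		long pos;
+		struct aa_profile *profile;
 		const char *ns;
+		long pos;
 	} iface;
 	int signal;
 	struct {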
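Review bot: The new `struct aa_profile *profile` member of `iface` is declared but nothing in this commit stores or reads it — `audit_iface()` in policy_unpack.c still fills only `iface.pos`, `iface.ns` and the generic `name`. If it is reserved for a follow-up patch, a one-line comment such as `/* profile being unpacked; not yet populated by audit_iface() */` would stop readers from assuming it is valid inside audit_cb(). Since it is a raw pointer to what is presumably a refcounted object, the comment should also say whether the holder is expected to own a reference for the duration of the audit call. The enclosing `struct apparmor_audit_data` starts before and ends after this hunk.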

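--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -85,9 +85,9 @@ static void audit_cb(struct audit_buffer *ab, void *va)
 		audit_log_format(ab, " ns=");
 		audit_log_untrustedstring(ab, aad(sa)->iface.ns);
 	}
-	if (aad(sa)->iface.name) {
+	if (aad(sa)->name) {
 		audit_log_format(ab, " name=");
-		audit_log_untrustedstring(ab, aad(sa)->iface.name);
+		audit_log_untrustedstring(ab, aad(sa)->name);
 	}
 	if (aad(sa)->iface.pos)
 		audit_log_format(ab, " offset=%ld", aad(sa)->iface.pos);
@@ -114,9 +114,9 @@ static int audit_iface(struct aa_profile *new, const char *ns_name,
 	aad(&sa)->iface.pos = e->pos - e->start;
 	aad(&sa)->iface.ns = ns_name;
 	if (new)
-		aad(&sa)->iface.name = new->base.hname;
+		aad(&sa)->name = new->base.hname;
 	else
-		aad(&sa)->iface.name = name;
+		aad(&sa)->name = name;
 	aad(&sa)->info = info;
 	aad(&sa)->error = error;
 
@@ -583,6 +583,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 {
 	struct aa_profile *profile = NULL;
 	const char *tmpname, *tmpns = NULL, *name = NULL;
+	const char *info = "failed to unpack profile";
 	size_t ns_len;
 	struct rhashtable_params params = { 0 };
 	char *key = NULL;
@@ -604,8 +605,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 	tmpname = aa_splitn_fqname(name, strlen(name), &tmpns, &ns_len);
 	if (tmpns) {
 		*ns_name = kstrndup(tmpns, ns_len, GFP_KERNEL);
-		if (!*ns_name)
+		if (!*ns_name) {
+			info = "out of memory";
 			goto fail;
+		}
 		name = tmpname;
 	}
 
@@ -624,21 +627,27 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 	if (IS_ERR(profile->xmatch)) {
 		error = PTR_ERR(profile->xmatch);
 		profile->xmatch = NULL;
+		info = "bad xmatch";
 		goto fail;
 	}
 	/* xmatch_len is not optional if xmatch is set */
 	if (profile->xmatch) {
-		if (!unpack_u32(e, &tmp, NULL))
+		if (!unpack_u32(e, &tmp, NULL)) {
+			info = "missing xmatch len";
 			goto fail;
+		}
 		profile->xmatch_len = tmp;
 	}
 
 	/* disconnected attachment string is optional */
 	(void) unpack_str(e, &profile->disconnected, "disconnected");
 
 	/* per profile debug flags (complain, audit) */
-	if (!unpack_nameX(e, AA_STRUCT, "flags"))
+	if (!unpack_nameX(e, AA_STRUCT, "flags")) {
+		info = "profile missing flags";
 		goto fail;
+	}
+	info = "failed to unpack profile flags";
 	if (!unpack_u32(e, &tmp, NULL))
 		goto fail;
 	if (tmp & PACKED_FLAG_HAT)
@@ -667,6 +676,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 	/* set a default value if path_flags field is not present */
 	profile->path_flags = PATH_MEDIATE_DELETED;
 
+	info = "failed to unpack profile capabilities";
 	if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL))
 		goto fail;
 	if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL))
@@ -676,6 +686,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 	if (!unpack_u32(e, &tmpcap.cap[0], NULL))
 		goto fail;
 
+	info = "failed to unpack upper profile capabilities";
 	if (unpack_nameX(e, AA_STRUCT, "caps64")) {
 		/* optional upper half of 64 bit caps */
 		if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL))
@@ -690,6 +701,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 			goto fail;
 	}
 
+	info = "failed to unpack extended profile capabilities";
 	if (unpack_nameX(e, AA_STRUCT, "capsx")) {
 		/* optional extended caps mediation mask */
 		if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL))
@@ -700,11 +712,14 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 			goto fail;
 	}
 
-	if (!unpack_rlimits(e, profile))
+	if (!unpack_rlimits(e, profile)) {
+		info = "failed to unpack profile rlimits";
 		goto fail;
+	}
 
 	if (unpack_nameX(e, AA_STRUCT, "policydb")) {
 		/* generic policy dfa - optional and may be NULL */
+		info = "failed to unpack policydb";
 		profile->policy.dfa = unpack_dfa(e);
 		if (IS_ERR(profile->policy.dfa)) {
 			error = PTR_ERR(profile->policy.dfa);
@@ -734,6 +749,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 	if (IS_ERR(profile->file.dfa)) {
 		error = PTR_ERR(profile->file.dfa);
 		profile->file.dfa = NULL;
+		info = "failed to unpack profile file rules";
 		goto fail;
 	} else if (profile->file.dfa) {
 		if (!unpack_u32(e, &profile->file.start, "dfa_start"))
@@ -746,10 +762,13 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 	} else
 		profile->file.dfa = aa_get_dfa(nulldfa);
 
-	if (!unpack_trans_table(e, profile))
+	if (!unpack_trans_table(e, profile)) {
+		info = "failed to unpack profile transition table";
 		goto fail;
+	}
 
 	if (unpack_nameX(e, AA_STRUCT, "data")) {
+		info = "out of memory";
 		profile->data = kzalloc(sizeof(*profile->data), GFP_KERNEL);
 		if (!profile->data)
 			goto fail;
@@ -761,8 +780,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 		params.hashfn = strhash;
 		params.obj_cmpfn = datacmp;
 
-		if (rhashtable_init(profile->data, &params))
+		if (rhashtable_init(profile->data, &params)) {
+			info = "failed to init key, value hash table";
 			goto fail;
+		}
 
 		while (unpack_strdup(e, &key, NULL)) {
 			data = kzalloc(sizeof(*data), GFP_KERNEL);
@@ -784,12 +805,16 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 					       profile->data->p);
 		}
 
-		if (!unpack_nameX(e, AA_STRUCTEND, NULL))
+		if (!unpack_nameX(e, AA_STRUCTEND, NULL)) {
+			info = "failed to unpack end of key, value data table";
 			goto fail;
+		}
 	}
 
-	if (!unpack_nameX(e, AA_STRUCTEND, NULL))
+	if (!unpack_nameX(e, AA_STRUCTEND, NULL)) {
+		info = "failed to unpack end of profile";
 		goto fail;
+	}
 
 	return profile;
 
@@ -798,8 +823,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 		name = NULL;
 	else if (!name)
 		name = "unknown";
-	audit_iface(profile, NULL, name, "failed to unpack profile", e,
-		    error);
+	audit_iface(profile, NULL, name, info, e, error);
 	aa_free_profile(profile);
 
 	return ERR_PTR(error);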
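Review bot: `info` is now carried across several unpack steps, so some failure paths still audit the previous step's message: in the file-rules hunk the `else if (profile->file.dfa)` branch (its `goto fail` after `unpack_u32(e, &profile->file.start, "dfa_start")` sits just outside the hunk) would presumably still report "failed to unpack policydb", and a `kzalloc` failure in the data loop would report "failed to init key, value hash table" rather than "out of memory". Moving `info = "failed to unpack profile file rules";` up to just before `if (IS_ERR(profile->file.dfa)) {` covers both branches of that test, and the same treatment is worth applying wherever a stretch between hunks reaches `fail` without an assignment. Setting `info` immediately before each `goto fail`, rather than once per section, is the pattern that keeps the audited reason accurate as the function grows. The info strings are all compile-time literals and the blob-supplied `name` still goes through `audit_log_untrustedstring()`, so the extra messages introduce no format-string or log-injection risk. unpack_profile() starts before the first hunk of this file and its stretches between hunks are not visible here.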
