summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2017-01-16 09:43:07 +0100
committerJohn Johansen <john.johansen@canonical.com>2017-01-16 10:18:50 +0100
commit31f75bfecd9cef7d485b1cda3c6c38cc0b4a5c6c (patch)
tree0758d1473b978e95a90655ebdba9c7e25147b68c /security
parentapparmor: convert change_profile to use fqname later to give better control (diff)
downloadlinux-31f75bfecd9cef7d485b1cda3c6c38cc0b4a5c6c.tar.xz
linux-31f75bfecd9cef7d485b1cda3c6c38cc0b4a5c6c.zip
apparmor: make computing policy hashes conditional on kernel parameter
Allow turning off the computation of the policy hashes via the apparmor.hash_policy kernel parameter. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/lsm.c46
-rw-r--r--security/apparmor/policy_unpack.c15
2 files changed, 32 insertions, 29 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 264aa192032e..6a5cf54cfa72 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -166,42 +166,42 @@ static int common_perm(const char *op, const struct path *path, u32 mask,
}
/**
- * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
+ * common_perm_cond - common permission wrapper around inode cond
* @op: operation being checked
- * @dir: directory of the dentry (NOT NULL)
- * @dentry: dentry to check (NOT NULL)
+ * @path: location to check (NOT NULL)
* @mask: requested permissions mask
- * @cond: conditional info for the permission request (NOT NULL)
*
* Returns: %0 else error code if error or permission denied
*/
-static int common_perm_dir_dentry(const char *op, const struct path *dir,
- struct dentry *dentry, u32 mask,
- struct path_cond *cond)
+static int common_perm_cond(const char *op, const struct path *path, u32 mask)
{
- struct path path = { .mnt = dir->mnt, .dentry = dentry };
+ struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
+ d_backing_inode(path->dentry)->i_mode
+ };
- return common_perm(op, &path, mask, cond);
+ if (!path_mediated_fs(path->dentry))
+ return 0;
+
+ return common_perm(op, path, mask, &cond);
}
/**
- * common_perm_path - common permission wrapper when mnt, dentry
+ * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
* @op: operation being checked
- * @path: location to check (NOT NULL)
+ * @dir: directory of the dentry (NOT NULL)
+ * @dentry: dentry to check (NOT NULL)
* @mask: requested permissions mask
+ * @cond: conditional info for the permission request (NOT NULL)
*
* Returns: %0 else error code if error or permission denied
*/
-static inline int common_perm_path(const char *op, const struct path *path,
- u32 mask)
+static int common_perm_dir_dentry(const char *op, const struct path *dir,
+ struct dentry *dentry, u32 mask,
+ struct path_cond *cond)
{
- struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
- d_backing_inode(path->dentry)->i_mode
- };
- if (!path_mediated_fs(path->dentry))
- return 0;
+ struct path path = { .mnt = dir->mnt, .dentry = dentry };
- return common_perm(op, path, mask, &cond);
+ return common_perm(op, &path, mask, cond);
}
/**
@@ -274,7 +274,7 @@ static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
static int apparmor_path_truncate(const struct path *path)
{
- return common_perm_path(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE);
+ return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE);
}
static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
@@ -333,17 +333,17 @@ static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_d
static int apparmor_path_chmod(const struct path *path, umode_t mode)
{
- return common_perm_path(OP_CHMOD, path, AA_MAY_CHMOD);
+ return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD);
}
static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
{
- return common_perm_path(OP_CHOWN, path, AA_MAY_CHOWN);
+ return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN);
}
static int apparmor_inode_getattr(const struct path *path)
{
- return common_perm_path(OP_GETATTR, path, AA_MAY_META_READ);
+ return common_perm_cond(OP_GETATTR, path, AA_MAY_META_READ);
}
static int apparmor_file_open(struct file *file, const struct cred *cred)
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 441efc965f2b..59c891ad1270 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -825,7 +825,8 @@ int aa_unpack(struct aa_loaddata *udata, struct list_head *lh,
if (error)
goto fail_profile;
- error = aa_calc_profile_hash(profile, e.version, start,
+ if (aa_g_hash_policy)
+ error = aa_calc_profile_hash(profile, e.version, start,
e.pos - start);
if (error)
goto fail_profile;
@@ -841,11 +842,13 @@ int aa_unpack(struct aa_loaddata *udata, struct list_head *lh,
list_add_tail(&ent->list, lh);
}
udata->abi = e.version & K_ABI_MASK;
- udata->hash = aa_calc_hash(udata->data, udata->size);
- if (IS_ERR(udata->hash)) {
- error = PTR_ERR(udata->hash);
- udata->hash = NULL;
- goto fail;
+ if (aa_g_hash_policy) {
+ udata->hash = aa_calc_hash(udata->data, udata->size);
+ if (IS_ERR(udata->hash)) {
+ error = PTR_ERR(udata->hash);
+ udata->hash = NULL;
+ goto fail;
+ }
}
return 0;