Commit 3cfcc19e0b5390c04cb5bfa4e8fde39395410e61
1 parent
e573cc30bb
apparmor: add utility function to get an arbitrary tasks profile.
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Showing 4 changed files with 49 additions and 32 deletions Side-by-side Diff
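--- a/security/apparmor/context.c
+++ b/security/apparmor/context.c
@@ -69,6 +69,23 @@
 }
 
 /**
+ * aa_get_task_profile - Get another task's profile
+ * @task: task to query (NOT NULL)
+ *
+ * Returns: counted reference to @task's profile
+ */
+struct aa_profile *aa_get_task_profile(struct task_struct *task)
+{
+	struct aa_profile *p;
+
+	rcu_read_lock();
+	p = aa_get_profile(__aa_task_profile(task));
+	rcu_read_unlock();
+
+	return p;
+}
+
+/**
  * aa_replace_current_profile - replace the current tasks profiles
  * @profile: new profile (NOT NULL)
  *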
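Review bot: The kerneldoc on aa_get_task_profile states that it returns a counted reference but does not name the release call, and the callers added in domain.c and ipc.c all pair it with aa_put_profile(); since this is now the public way to read another task's profile, the contract should say so. Suggest `* Returns: counted reference to @task's profile, to be released with aa_put_profile()`. It would also help to note that, unlike __aa_task_profile(), this helper takes the RCU read lock itself, so the caller needs no RCU section of its own.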
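--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -62,17 +62,14 @@
 				     struct aa_profile *to_profile)
 {
 	struct task_struct *tracer;
-	const struct cred *cred = NULL;
 	struct aa_profile *tracerp = NULL;
 	int error = 0;
 
 	rcu_read_lock();
 	tracer = ptrace_parent(task);
-	if (tracer) {
+	if (tracer)
 		/* released below */
-		cred = get_task_cred(tracer);
-		tracerp = aa_cred_profile(cred);
-	}
+		tracerp = aa_get_task_profile(tracer);
 
 	/* not ptraced */
 	if (!tracer || unconfined(tracerp))
@@ -82,8 +79,7 @@
 
 out:
 	rcu_read_unlock();
-	if (cred)
-		put_cred(cred);
+	aa_put_profile(tracerp);
 
 	return error;
 }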
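Review bot: In the first hunk the braces were dropped from `if (tracer)` but the `/* released below */` comment was left between the condition and its single statement, which reads as if the comment were the body and invites a mistake the next time a line is added there; move the comment above the `if` so the statement sits directly under its condition: `/* released below */` / `if (tracer)` / `tracerp = aa_get_task_profile(tracer);`. In the second hunk the `if (cred)` guard became an unconditional `aa_put_profile(tracerp)`, which is only correct if aa_put_profile() accepts the NULL that tracerp keeps when the task is not ptraced — that appears to be the intent, but a short comment such as `/* tracerp may be NULL */` next to the call would make it explicit. The enclosing function's signature begins before the first hunk.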
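--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -80,24 +80,9 @@
 int aa_set_current_onexec(struct aa_profile *profile);
 int aa_set_current_hat(struct aa_profile *profile, u64 token);
 int aa_restore_previous_profile(u64 cookie);
+struct aa_profile *aa_get_task_profile(struct task_struct *task);
 
-/**
- * __aa_task_is_confined - determine if @task has any confinement
- * @task: task to check confinement of (NOT NULL)
- *
- * If @task != current needs to be called in RCU safe critical section
- */
-static inline bool __aa_task_is_confined(struct task_struct *task)
-{
-	struct aa_task_cxt *cxt = __task_cred(task)->security;
 
-	BUG_ON(!cxt || !cxt->profile);
-	if (unconfined(aa_newest_version(cxt->profile)))
-		return 0;
-
-	return 1;
-}
-
 /**
  * aa_cred_profile - obtain cred's profiles
  * @cred: cred to obtain profiles from (NOT NULL)
@@ -111,6 +96,30 @@
 	struct aa_task_cxt *cxt = cred->security;
 	BUG_ON(!cxt || !cxt->profile);
 	return aa_newest_version(cxt->profile);
+}
+
+/**
+ * __aa_task_profile - retrieve another task's profile
+ * @task: task to query (NOT NULL)
+ *
+ * Returns: @task's profile without incrementing its ref count
+ *
+ * If @task != current needs to be called in RCU safe critical section
+ */
+static inline struct aa_profile *__aa_task_profile(struct task_struct *task)
+{
+	return aa_cred_profile(__task_cred(task));
+}
+
+/**
+ * __aa_task_is_confined - determine if @task has any confinement
+ * @task: task to check confinement of (NOT NULL)
+ *
+ * If @task != current needs to be called in RCU safe critical section
+ */
+static inline bool __aa_task_is_confined(struct task_struct *task)
+{
+	return !unconfined(__aa_task_profile(task));
 }
 
 /**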
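Review bot: The kerneldoc on the new __aa_task_profile says the profile is returned "without incrementing its ref count" but does not state the consequence, which is that the pointer is only safe to use inside the RCU read-side critical section the next sentence asks for; a caller that stores it or uses it after rcu_read_unlock() will be holding a pointer with no reference. Suggest extending the Returns line: `* Returns: @task's profile without incrementing its ref count; the pointer is only valid inside the caller's RCU read-side critical section, use aa_get_task_profile() for a counted reference`. The NULL/missing-profile BUG_ON that __aa_task_is_confined used to perform itself is now inherited from aa_cred_profile() in the second hunk, so the behaviour looks preserved; a one-line note in its kerneldoc that the check happens in aa_cred_profile() would keep that intent visible.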
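--- a/security/apparmor/ipc.c
+++ b/security/apparmor/ipc.c
@@ -95,23 +95,18 @@
 	 * - tracer profile has CAP_SYS_PTRACE
 	 */
 
-	struct aa_profile *tracer_p;
-	/* cred released below */
-	const struct cred *cred = get_task_cred(tracer);
+	struct aa_profile *tracer_p = aa_get_task_profile(tracer);
 	int error = 0;
-	tracer_p = aa_cred_profile(cred);
 
 	if (!unconfined(tracer_p)) {
-		/* lcred released below */
-		const struct cred *lcred = get_task_cred(tracee);
-		struct aa_profile *tracee_p = aa_cred_profile(lcred);
+		struct aa_profile *tracee_p = aa_get_task_profile(tracee);
 
 		error = aa_may_ptrace(tracer, tracer_p, tracee_p, mode);
 		error = aa_audit_ptrace(tracer_p, tracee_p, error);
 
-		put_cred(lcred);
+		aa_put_profile(tracee_p);
 	}
-	put_cred(cred);
+	aa_put_profile(tracer_p);
 
 	return error;
 }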
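Review bot: The two "released below" comments were removed along with the cred handling, but the replacement aa_get_task_profile() calls still hand back counted references that are dropped further down, so the ownership hint was worth keeping on the new declarations: `struct aa_profile *tracer_p = aa_get_task_profile(tracer); /* released below */` and likewise `struct aa_profile *tracee_p = aa_get_task_profile(tracee); /* released below */`. Without them a reader of the inner block has to scan to the `aa_put_profile(tracee_p)` after the audit call to see that the reference is balanced. The enclosing function starts before this hunk; only its leading comment and body are visible here.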