AppArmor: Abstract use of cred security blob
Don't use the cred->security pointer directly. Provide a helper function that returns the security blob pointer. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> [kees: adjusted for ordered init series] Signed-off-by: Kees Cook <keescook@chromium.org>
Родитель
3d25252948
Коммит
69b5a44a95
|
@ -975,7 +975,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
|
||||||
}
|
}
|
||||||
aa_put_label(cred_label(bprm->cred));
|
aa_put_label(cred_label(bprm->cred));
|
||||||
/* transfer reference, released when cred is freed */
|
/* transfer reference, released when cred is freed */
|
||||||
cred_label(bprm->cred) = new;
|
set_cred_label(bprm->cred, new);
|
||||||
|
|
||||||
done:
|
done:
|
||||||
aa_put_label(label);
|
aa_put_label(label);
|
||||||
|
|
|
@ -23,8 +23,22 @@
|
||||||
#include "policy_ns.h"
|
#include "policy_ns.h"
|
||||||
#include "task.h"
|
#include "task.h"
|
||||||
|
|
||||||
#define cred_label(X) ((X)->security)
|
static inline struct aa_label *cred_label(const struct cred *cred)
|
||||||
|
{
|
||||||
|
struct aa_label **blob = cred->security;
|
||||||
|
|
||||||
|
AA_BUG(!blob);
|
||||||
|
return *blob;
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline void set_cred_label(const struct cred *cred,
|
||||||
|
struct aa_label *label)
|
||||||
|
{
|
||||||
|
struct aa_label **blob = cred->security;
|
||||||
|
|
||||||
|
AA_BUG(!blob);
|
||||||
|
*blob = label;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* aa_cred_raw_label - obtain cred's label
|
* aa_cred_raw_label - obtain cred's label
|
||||||
|
|
|
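Review bot: The two new helpers cred_label() and set_cred_label() in this hunk carry no kernel-doc comment, while the neighbouring aa_cred_raw_label() in the same header does, and the contract they impose is not obvious from the signatures: both treat cred->security as a `struct aa_label **` slot that must already be allocated (the AA_BUG(!blob) check), and set_cred_label() writes through that slot even though it takes `const struct cred *cred`, so the const only promises the cred struct itself is untouched. I would add a kernel-doc block above each, stating for cred_label() that it returns the label held in @cred's security blob without taking a reference, and for set_cred_label() that it stores @label into the blob without adjusting references (callers such as apparmor_cred_free() and aa_replace_current_label() do the aa_put_label()/aa_get_label() themselves) and that the const parameter does not cover the blob contents. As a minimum, a one-line `/* @cred must have a security blob; no reference is taken */` above cred_label() and `/* stores @label into @cred's blob; the blob is written even though @cred is const */` above set_cred_label() would make the ownership rules visible at the call sites in the other hunks.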
@ -60,7 +60,7 @@ DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
|
||||||
static void apparmor_cred_free(struct cred *cred)
|
static void apparmor_cred_free(struct cred *cred)
|
||||||
{
|
{
|
||||||
aa_put_label(cred_label(cred));
|
aa_put_label(cred_label(cred));
|
||||||
cred_label(cred) = NULL;
|
set_cred_label(cred, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -68,7 +68,7 @@ static void apparmor_cred_free(struct cred *cred)
|
||||||
*/
|
*/
|
||||||
static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
|
static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
|
||||||
{
|
{
|
||||||
cred_label(cred) = NULL;
|
set_cred_label(cred, NULL);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -78,7 +78,7 @@ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
|
||||||
static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
|
static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
|
||||||
gfp_t gfp)
|
gfp_t gfp)
|
||||||
{
|
{
|
||||||
cred_label(new) = aa_get_newest_label(cred_label(old));
|
set_cred_label(new, aa_get_newest_label(cred_label(old)));
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -87,7 +87,7 @@ static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
|
||||||
*/
|
*/
|
||||||
static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
|
static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
|
||||||
{
|
{
|
||||||
cred_label(new) = aa_get_newest_label(cred_label(old));
|
set_cred_label(new, aa_get_newest_label(cred_label(old)));
|
||||||
}
|
}
|
||||||
|
|
||||||
static void apparmor_task_free(struct task_struct *task)
|
static void apparmor_task_free(struct task_struct *task)
|
||||||
|
@ -1485,7 +1485,7 @@ static int __init set_init_ctx(void)
|
||||||
if (!ctx)
|
if (!ctx)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
cred_label(cred) = aa_get_label(ns_unconfined(root_ns));
|
set_cred_label(cred, aa_get_label(ns_unconfined(root_ns)));
|
||||||
task_ctx(current) = ctx;
|
task_ctx(current) = ctx;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
@ -81,7 +81,7 @@ int aa_replace_current_label(struct aa_label *label)
|
||||||
*/
|
*/
|
||||||
aa_get_label(label);
|
aa_get_label(label);
|
||||||
aa_put_label(cred_label(new));
|
aa_put_label(cred_label(new));
|
||||||
cred_label(new) = label;
|
set_cred_label(new, label);
|
||||||
|
|
||||||
commit_creds(new);
|
commit_creds(new);
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -138,7 +138,7 @@ int aa_set_current_hat(struct aa_label *label, u64 token)
|
||||||
return -EACCES;
|
return -EACCES;
|
||||||
}
|
}
|
||||||
|
|
||||||
cred_label(new) = aa_get_newest_label(label);
|
set_cred_label(new, aa_get_newest_label(label));
|
||||||
/* clear exec on switching context */
|
/* clear exec on switching context */
|
||||||
aa_put_label(ctx->onexec);
|
aa_put_label(ctx->onexec);
|
||||||
ctx->onexec = NULL;
|
ctx->onexec = NULL;
|
||||||
|
@ -172,7 +172,7 @@ int aa_restore_previous_label(u64 token)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
aa_put_label(cred_label(new));
|
aa_put_label(cred_label(new));
|
||||||
cred_label(new) = aa_get_newest_label(ctx->previous);
|
set_cred_label(new, aa_get_newest_label(ctx->previous));
|
||||||
AA_BUG(!cred_label(new));
|
AA_BUG(!cred_label(new));
|
||||||
/* clear exec && prev information when restoring to previous context */
|
/* clear exec && prev information when restoring to previous context */
|
||||||
aa_clear_task_ctx_trans(ctx);
|
aa_clear_task_ctx_trans(ctx);
|
||||||
|
|