]>
git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - security/apparmor/ipc.c
2 * AppArmor security module
4 * This file contains AppArmor ipc mediation
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2017 Canonical Ltd.
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
15 #include <linux/gfp.h>
16 #include <linux/ptrace.h>
18 #include "include/audit.h"
19 #include "include/capability.h"
20 #include "include/context.h"
21 #include "include/policy.h"
22 #include "include/ipc.h"
25 * audit_ptrace_mask - convert mask to permission string
26 * @buffer: buffer to write string to (NOT NULL)
27 * @mask: permission mask to convert
29 static void audit_ptrace_mask(struct audit_buffer
*ab
, u32 mask
)
33 audit_log_string(ab
, "read");
36 audit_log_string(ab
, "trace");
39 audit_log_string(ab
, "readby");
41 case AA_MAY_BE_TRACED
:
42 audit_log_string(ab
, "tracedby");
47 /* call back to audit ptrace fields */
48 static void audit_ptrace_cb(struct audit_buffer
*ab
, void *va
)
50 struct common_audit_data
*sa
= va
;
52 if (aad(sa
)->request
& AA_PTRACE_PERM_MASK
) {
53 audit_log_format(ab
, " requested_mask=");
54 audit_ptrace_mask(ab
, aad(sa
)->request
);
56 if (aad(sa
)->denied
& AA_PTRACE_PERM_MASK
) {
57 audit_log_format(ab
, " denied_mask=");
58 audit_ptrace_mask(ab
, aad(sa
)->denied
);
61 audit_log_format(ab
, " peer=");
62 aa_label_xaudit(ab
, labels_ns(aad(sa
)->label
), aad(sa
)->peer
,
63 FLAGS_NONE
, GFP_ATOMIC
);
66 /* TODO: conditionals */
67 static int profile_ptrace_perm(struct aa_profile
*profile
,
68 struct aa_profile
*peer
, u32 request
,
69 struct common_audit_data
*sa
)
71 struct aa_perms perms
= { };
73 /* need because of peer in cross check */
74 if (profile_unconfined(profile
) ||
75 !PROFILE_MEDIATES(profile
, AA_CLASS_PTRACE
))
78 aad(sa
)->peer
= &peer
->label
;
79 aa_profile_match_label(profile
, &peer
->label
, AA_CLASS_PTRACE
, request
,
81 aa_apply_modes_to_perms(profile
, &perms
);
82 return aa_check_perms(profile
, &perms
, request
, sa
, audit_ptrace_cb
);
85 static int cross_ptrace_perm(struct aa_profile
*tracer
,
86 struct aa_profile
*tracee
, u32 request
,
87 struct common_audit_data
*sa
)
89 if (PROFILE_MEDIATES(tracer
, AA_CLASS_PTRACE
))
90 return xcheck(profile_ptrace_perm(tracer
, tracee
, request
, sa
),
91 profile_ptrace_perm(tracee
, tracer
,
92 request
<< PTRACE_PERM_SHIFT
,
94 /* policy uses the old style capability check for ptrace */
95 if (profile_unconfined(tracer
) || tracer
== tracee
)
98 aad(sa
)->label
= &tracer
->label
;
99 aad(sa
)->peer
= &tracee
->label
;
100 aad(sa
)->request
= 0;
101 aad(sa
)->error
= aa_capable(&tracer
->label
, CAP_SYS_PTRACE
, 1);
103 return aa_audit(AUDIT_APPARMOR_AUTO
, tracer
, sa
, audit_ptrace_cb
);
107 * aa_may_ptrace - test if tracer task can trace the tracee
108 * @tracer: label of the task doing the tracing (NOT NULL)
109 * @tracee: task label to be traced
110 * @request: permission request
112 * Returns: %0 else error code if permission denied or error
114 int aa_may_ptrace(struct aa_label
*tracer
, struct aa_label
*tracee
,
117 DEFINE_AUDIT_DATA(sa
, LSM_AUDIT_DATA_NONE
, OP_PTRACE
);
119 return xcheck_labels_profiles(tracer
, tracee
, cross_ptrace_perm
,