]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blob - security/apparmor/ipc.c
projects / mirror_ubuntu-zesty-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge tag 'squashfs-updates' of git://git.kernel.org/pub/scm/linux/kernel/git/pkl...
[mirror_ubuntu-zesty-kernel.git] / security / apparmor / ipc.c
1 /*
2 * AppArmor security module
3 *
4 * This file contains AppArmor ipc mediation
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
15 #include <linux/gfp.h>
16 #include <linux/ptrace.h>
17
18 #include "include/audit.h"
19 #include "include/capability.h"
20 #include "include/context.h"
21 #include "include/policy.h"
22 #include "include/ipc.h"
23
24 /* call back to audit ptrace fields */
25 static void audit_cb(struct audit_buffer *ab, void *va)
26 {
27 struct common_audit_data *sa = va;
28 audit_log_format(ab, " target=");
29 audit_log_untrustedstring(ab, sa->aad.target);
30 }
31
32 /**
33 * aa_audit_ptrace - do auditing for ptrace
34 * @profile: profile being enforced (NOT NULL)
35 * @target: profile being traced (NOT NULL)
36 * @error: error condition
37 *
38 * Returns: %0 or error code
39 */
40 static int aa_audit_ptrace(struct aa_profile *profile,
41 struct aa_profile *target, int error)
42 {
43 struct common_audit_data sa;
44 COMMON_AUDIT_DATA_INIT(&sa, NONE);
45 sa.aad.op = OP_PTRACE;
46 sa.aad.target = target;
47 sa.aad.error = error;
48
49 return aa_audit(AUDIT_APPARMOR_AUTO, profile, GFP_ATOMIC, &sa,
50 audit_cb);
51 }
52
53 /**
54 * aa_may_ptrace - test if tracer task can trace the tracee
55 * @tracer_task: task who will do the tracing (NOT NULL)
56 * @tracer: profile of the task doing the tracing (NOT NULL)
57 * @tracee: task to be traced
58 * @mode: whether PTRACE_MODE_READ || PTRACE_MODE_ATTACH
59 *
60 * Returns: %0 else error code if permission denied or error
61 */
62 int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer,
63 struct aa_profile *tracee, unsigned int mode)
64 {
65 /* TODO: currently only based on capability, not extended ptrace
66 * rules,
67 * Test mode for PTRACE_MODE_READ || PTRACE_MODE_ATTACH
68 */
69
70 if (unconfined(tracer) || tracer == tracee)
71 return 0;
72 /* log this capability request */
73 return aa_capable(tracer_task, tracer, CAP_SYS_PTRACE, 1);
74 }
75
76 /**
77 * aa_ptrace - do ptrace permission check and auditing
78 * @tracer: task doing the tracing (NOT NULL)
79 * @tracee: task being traced (NOT NULL)
80 * @mode: ptrace mode either PTRACE_MODE_READ || PTRACE_MODE_ATTACH
81 *
82 * Returns: %0 else error code if permission denied or error
83 */
84 int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee,
85 unsigned int mode)
86 {
87 /*
88 * tracer can ptrace tracee when
89 * - tracer is unconfined ||
90 * - tracer is in complain mode
91 * - tracer has rules allowing it to trace tracee currently this is:
92 * - confined by the same profile ||
93 * - tracer profile has CAP_SYS_PTRACE
94 */
95
96 struct aa_profile *tracer_p;
97 /* cred released below */
98 const struct cred *cred = get_task_cred(tracer);
99 int error = 0;
100 tracer_p = aa_cred_profile(cred);
101
102 if (!unconfined(tracer_p)) {
103 /* lcred released below */
104 const struct cred *lcred = get_task_cred(tracee);
105 struct aa_profile *tracee_p = aa_cred_profile(lcred);
106
107 error = aa_may_ptrace(tracer, tracer_p, tracee_p, mode);
108 error = aa_audit_ptrace(tracer_p, tracee_p, error);
109
110 put_cred(lcred);
111 }
112 put_cred(cred);
113
114 return error;
115 }
ubuntu-zesty-kernel mirror