apparmor: make signal label match work when matching stacked labels

BugLink: http://bugs.launchpad.net/bugs/1763427
Given a label with a profile stack of
    A//&B or A//&C ...

A ptrace rule should be able to specify a generic trace pattern with
a rule like

    signal send A//&**,

however this is failing because while the correct label match routine
is called, it is being done post label decomposition so it is always
being done against a profile instead of the stacked label.

To fix this refactor the cross check to pass the full peer label in to
the label_match.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 3dc6b1ce6861ebf40b68ab4b752a05584a1f99bf
 git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor)
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>

diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c
index 586facd35f7c0778a1b30d580527b596ecf1fd21..754f2ff8d3550ed3b9d0570607b2cfb76b613772 100644 (file)
--- a/security/apparmor/ipc.c
+++ b/security/apparmor/ipc.c
@@ -184,50 +184,34 @@ static void audit_signal_cb(struct audit_buffer *ab, void *va)
                        FLAGS_NONE, GFP_ATOMIC);
 }
 
-/* TODO: update to handle compound name&name2, conditionals */
-static void profile_match_signal(struct aa_profile *profile, const char *label,
-                                int signal, struct aa_perms *perms)
-{
-       unsigned int state;
-
-       /* TODO: secondary cache check <profile, profile, perm> */
-       state = aa_dfa_next(profile->policy.dfa,
-                           profile->policy.start[AA_CLASS_SIGNAL],
-                           signal);
-       state = aa_dfa_match(profile->policy.dfa, state, label);
-       aa_compute_perms(profile->policy.dfa, state, perms);
-}
-
 static int profile_signal_perm(struct aa_profile *profile,
-                              struct aa_profile *peer, u32 request,
+                              struct aa_label *peer, u32 request,
                               struct common_audit_data *sa)
 {
        struct aa_perms perms;
+       unsigned int state;
 
        if (profile_unconfined(profile) ||
            !PROFILE_MEDIATES(profile, AA_CLASS_SIGNAL))
                return 0;
 
-       aad(sa)->peer = &peer->label;
-       profile_match_signal(profile, peer->base.hname, aad(sa)->signal,
-                            &perms);
+       aad(sa)->peer = peer;
+       /* TODO: secondary cache check <profile, profile, perm> */
+       state = aa_dfa_next(profile->policy.dfa,
+                           profile->policy.start[AA_CLASS_SIGNAL],
+                           aad(sa)->signal);
+       aa_label_match(profile, peer, state, false, request, &perms);
        aa_apply_modes_to_perms(profile, &perms);
        return aa_check_perms(profile, &perms, request, sa, audit_signal_cb);
 }
 
-static int aa_signal_cross_perm(struct aa_profile *sender,
-                               struct aa_profile *target,
-                               struct common_audit_data *sa)
-{
-       return xcheck(profile_signal_perm(sender, target, MAY_WRITE, sa),
-                     profile_signal_perm(target, sender, MAY_READ, sa));
-}
-
 int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig)
 {
+       struct aa_profile *profile;
        DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SIGNAL);
 
        aad(&sa)->signal = map_signal_num(sig);
-       return xcheck_labels_profiles(sender, target, aa_signal_cross_perm,
-                                     &sa);
+       return xcheck_labels(sender, target, profile,
+                       profile_signal_perm(profile, target, MAY_WRITE, &sa),
+                       profile_signal_perm(profile, sender, MAY_READ, &sa));
 }