Re: [PATCH 11/12] AppArmor: LSM interface, and security module initialization

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: John Johansen <john.johansen@canonical.com>
To: Eric Paris <eparis@parisplace.org>
Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [PATCH 11/12] AppArmor: LSM interface, and security module 	initialization
Date: Tue, 10 Nov 2009 10:38:53 -0800	[thread overview]
Message-ID: <4AF9B33D.5020908@canonical.com> (raw)
In-Reply-To: <7e0fb38c0911090720h6c244badmb635768bb16c4a55@mail.gmail.com>

Eric Paris wrote:
> On Tue, Nov 3, 2009 at 6:48 PM, John Johansen
> <john.johansen@canonical.com> wrote:
>> AppArmor hooks to interface with the LSM, and module parameters and
>> initialization.
>>
>> Signed-off-by: John Johansen <john.johansen@canonical.com>
>> ---
> 
> 
>> +static int apparmor_file_mmap(struct file *file, unsigned long reqprot,
>> +                             unsigned long prot, unsigned long flags,
>> +                             unsigned long addr, unsigned long addr_only)
>> +{
>> +       int rc = 0;
>> +       struct aa_profile *profile = aa_current_profile_wupd();
>> +       /*
>> +        * test before cap_file_mmap.  For confined tasks AppArmor will
>> +        * enforce the mmap value set in the profile or default
>> +        * to LSM_MMAP_MIN_ADDR
>> +        */
>> +       if (profile) {
>> +               if (profile->flags & PFLAG_MMAP_MIN_ADDR) {
>> +                       if (addr < profile->mmap_min_addr)
>> +                               rc = -EACCES;
>> +               } else if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
>> +                       rc = -EACCES;
>> +               }
>> +               if (rc) {
>> +                       struct aa_audit sa = {
>> +                               .operation = "file_mmap",
>> +                               .gfp_mask = GFP_KERNEL,
>> +                               .info = "addr < mmap_min_addr",
>> +                               .error = rc,
>> +                       };
>> +                       return aa_audit(AUDIT_APPARMOR_DENIED, profile, &sa,
>> +                                       NULL);
>> +               }
>> +       }
>> +       rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
>> +       if (rc || addr_only)
>> +               return rc;
>> +
>> +       return common_mmap(file, "file_mmap", prot, flags);
>> +}
> 
> There is a reason we do the round_hint_to_min() stuff in the vm and we
> recalculate that value every time dac_mmap_min_addr is change.  It's
> because mmap (NOT MAP_FIXED) with a hint < profile->mmap_min_addr is
> going to end up getting denied here since the VM is going to assign it
> the address it wanted instead of find a new address and you are going
> to deny that task.
> 
> If profile() is a per task thing, I think you are in a failed
> situation and can't solve the problem wtihout intrusive VFS hooks.  If
> profile is a global thing just update that global value.  In either
> case, this code is wrong....
> 
yep, thanks for pointing this out.  I will look into it.

john

next prev parent reply	other threads:[~2009-11-10 18:38 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-11-03 23:48 [Patch 0/12] AppArmor security module John Johansen
2009-11-03 23:48 ` [PATCH 01/12] AppArmor: misc. base functions and defines John Johansen
2009-11-03 23:48 ` [PATCH 02/12] AppArmor: basic auditing infrastructure John Johansen
2009-11-09 15:37   ` Eric Paris
2009-11-10 18:38     ` John Johansen
2009-11-03 23:48 ` [PATCH 03/12] AppArmor: contexts used in attaching policy to system objects John Johansen
2009-11-03 23:48 ` [PATCH 04/12] AppArmor: core policy routines John Johansen
2009-11-03 23:48 ` [PATCH 05/12] AppArmor: dfa match engine John Johansen
2009-11-03 23:48 ` [PATCH 06/12] AppArmor: policy routines for loading and unpacking policy John Johansen
2009-11-03 23:48 ` [PATCH 07/12] AppArmor: userspace interfaces John Johansen
2009-11-03 23:48 ` [PATCH 08/12] AppArmor: file enforcement routines John Johansen
2009-11-03 23:48 ` [PATCH 09/12] AppArmor: mediation of non file objects John Johansen
2009-11-03 23:48 ` [PATCH 10/12] AppArmor: domain functions for domain transition John Johansen
2009-11-03 23:48 ` [PATCH 11/12] AppArmor: LSM interface, and security module initialization John Johansen
2009-11-09 15:20   ` Eric Paris
2009-11-10 18:38     ` John Johansen [this message]
2009-11-03 23:48 ` [PATCH 12/12] AppArmor: Enable configuring and building of the AppArmor security module John Johansen
2009-11-04  4:41 ` [Patch 0/12] " Tetsuo Handa
2009-11-05  5:10   ` John Johansen
2009-11-05  5:49     ` Tetsuo Handa
2009-11-06 23:50       ` John Johansen
  -- strict thread matches above, loose matches on Subject: below --
2009-11-10 16:12 [AppArmor #3 " John Johansen
2009-11-10 16:13 ` [PATCH 11/12] AppArmor: LSM interface, and security module initialization John Johansen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4AF9B33D.5020908@canonical.com \
    --to=john.johansen@canonical.com \
    --cc=eparis@parisplace.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox