Home Explore Help
Register Sign In
Apq
/
pve-edge-kernel
mirror of https://github.com/fabianishere/pve-edge-kernel.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: c68cdfe7ff
Branches Tags
pve-edge-kernel
/
debian
/
patches
/
pve
/
0007-apparmor-compatibility-v2.x-net-rules.patch

0007-apparmor-compatibility-v2.x-net-rules.patch 8.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250 
  1. From f153f512ed7a81e9b92a04d49869cffebf714f52 Mon Sep 17 00:00:00 2001
    2. 

  2. From: John Johansen <[email protected]>
    3. 

  3. Date: Sun, 17 Jun 2018 03:56:25 -0700
    4. 

  4. Subject: UBUNTU: SAUCE: apparmor: patch to provide compatibility with v2.x net
    5. 

  5.  rules
    6. 

  6. 

  7. The networking rules upstreamed in 4.17 have a deliberate abi break
    8. 

  8. with the older 2.x network rules.
    9. 

  9. 

  10. This patch provides compatibility with the older rules for those
    11. 

  11. still using an apparmor 2.x userspace and still want network rules
    12. 

  12. to work on a newer kernel.
    13. 

  13. 

  14. Signed-off-by: John Johansen <[email protected]>
    15. 

  15. [ saf: resolve conflicts when rebasing to 4.20 ]
    16. 

  16. Signed-off-by: Seth Forshee <[email protected]>
    17. 

  17. ---
    18. 

  18.  security/apparmor/apparmorfs.c       |  1 +
    19. 

  19.  security/apparmor/include/apparmor.h |  2 +-
    20. 

  20.  security/apparmor/include/net.h      | 11 ++++++++
    21. 

  21.  security/apparmor/include/policy.h   |  2 ++
    22. 

  22.  security/apparmor/net.c              | 31 ++++++++++++++++-----
    23. 

  23.  security/apparmor/policy.c           |  1 +
    24. 

  24.  security/apparmor/policy_unpack.c    | 54 ++++++++++++++++++++++++++++++++++--
    25. 

  25.  7 files changed, 92 insertions(+), 10 deletions(-)
    26. 

  26. 

  27. (limited to 'security/apparmor')
    28. 

  28. 

  29. diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
    30. 

  30. index 2ee3b3d..0aef8e3 100644
    31. 

  31. --- a/security/apparmor/apparmorfs.c
    32. 

  32. +++ b/security/apparmor/apparmorfs.c
    33. 

  33. @@ -2362,6 +2362,7 @@ static struct aa_sfs_entry aa_sfs_entry_features[] = {
    34. 

  34.  	AA_SFS_DIR("domain",			aa_sfs_entry_domain),
    35. 

  35.  	AA_SFS_DIR("file",			aa_sfs_entry_file),
    36. 

  36.  	AA_SFS_DIR("network_v8",		aa_sfs_entry_network),
    37. 

  37. +	AA_SFS_DIR("network",			aa_sfs_entry_network_compat),
    38. 

  38.  	AA_SFS_DIR("mount",			aa_sfs_entry_mount),
    39. 

  39.  	AA_SFS_DIR("namespaces",		aa_sfs_entry_ns),
    40. 

  40.  	AA_SFS_FILE_U64("capability",		VFS_CAP_FLAGS_MASK),
    41. 

  41. diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
    42. 

  42. index 1fbabdb..5870de2 100644
    43. 

  43. --- a/security/apparmor/include/apparmor.h
    44. 

  44. +++ b/security/apparmor/include/apparmor.h
    45. 

  45. @@ -20,7 +20,7 @@
    46. 

  46.  #define AA_CLASS_UNKNOWN	1
    47. 

  47.  #define AA_CLASS_FILE		2
    48. 

  48.  #define AA_CLASS_CAP		3
    49. 

  49. -#define AA_CLASS_DEPRECATED	4
    50. 

  50. +#define AA_CLASS_NET_COMPAT	4
    51. 

  51.  #define AA_CLASS_RLIMITS	5
    52. 

  52.  #define AA_CLASS_DOMAIN		6
    53. 

  53.  #define AA_CLASS_MOUNT		7
    54. 

  54. diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
    55. 

  55. index aadb4b2..98a42ef 100644
    56. 

  56. --- a/security/apparmor/include/net.h
    57. 

  57. +++ b/security/apparmor/include/net.h
    58. 

  58. @@ -68,6 +68,16 @@ struct aa_sk_ctx {
    59. 

  59.  	DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type,	\
    60. 

  60.  			 (SK)->sk_protocol)
    61. 

  61.  
    62. 

  62. +/* struct aa_net - network confinement data
    63. 

  63. + * @allow: basic network families permissions
    64. 

  64. + * @audit: which network permissions to force audit
    65. 

  65. + * @quiet: which network permissions to quiet rejects
    66. 

  66. + */
    67. 

  67. +struct aa_net_compat {
    68. 

  68. +	u16 allow[AF_MAX];
    69. 

  69. +	u16 audit[AF_MAX];
    70. 

  70. +	u16 quiet[AF_MAX];
    71. 

  71. +};
    72. 

  72.  
    73. 

  73.  #define af_select(FAMILY, FN, DEF_FN)		\
    74. 

  74.  ({						\
    75. 

  75. @@ -87,6 +97,7 @@ struct aa_secmark {
    76. 

  76.  };
    77. 

  77.  
    78. 

  78.  extern struct aa_sfs_entry aa_sfs_entry_network[];
    79. 

  79. +extern struct aa_sfs_entry aa_sfs_entry_network_compat[];
    80. 

  80.  
    81. 

  81.  void audit_net_cb(struct audit_buffer *ab, void *va);
    82. 

  82.  int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
    83. 

  83. diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
    84. 

  84. index b5b4b81..f904105 100644
    85. 

  85. --- a/security/apparmor/include/policy.h
    86. 

  86. +++ b/security/apparmor/include/policy.h
    87. 

  87. @@ -108,6 +108,7 @@ struct aa_data {
    88. 

  88.   * @policy: general match rules governing policy
    89. 

  89.   * @file: The set of rules governing basic file access and domain transitions
    90. 

  90.   * @caps: capabilities for the profile
    91. 

  91. + * @net_compat: v2 compat network controls for the profile
    92. 

  92.   * @rlimits: rlimits for the profile
    93. 

  93.   *
    94. 

  94.   * @dents: dentries for the profiles file entries in apparmorfs
    95. 

  95. @@ -145,6 +146,7 @@ struct aa_profile {
    96. 

  96.  	struct aa_policydb policy;
    97. 

  97.  	struct aa_file_rules file;
    98. 

  98.  	struct aa_caps caps;
    99. 

  99. +	struct aa_net_compat *net_compat;
    100. 

  100.  
    101. 

  101.  	int xattr_count;
    102. 

  102.  	char **xattrs;
    103. 

  103. diff --git a/security/apparmor/net.c b/security/apparmor/net.c
    104. 

  104. index e0c1b50..e693df8 100644
    105. 

  105. --- a/security/apparmor/net.c
    106. 

  106. +++ b/security/apparmor/net.c
    107. 

  107. @@ -24,6 +24,11 @@ struct aa_sfs_entry aa_sfs_entry_network[] = {
    108. 

  108.  	{ }
    109. 

  109.  };
    110. 

  110.  
    111. 

  111. +struct aa_sfs_entry aa_sfs_entry_network_compat[] = {
    112. 

  112. +	AA_SFS_FILE_STRING("af_mask",	AA_SFS_AF_MASK),
    113. 

  113. +	{ }
    114. 

  114. +};
    115. 

  115. +
    116. 

  116.  static const char * const net_mask_names[] = {
    117. 

  117.  	"unknown",
    118. 

  118.  	"send",
    119. 

  119. @@ -118,14 +123,26 @@ int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
    120. 

  120.  	if (profile_unconfined(profile))
    121. 

  121.  		return 0;
    122. 

  122.  	state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
    123. 

  123. -	if (!state)
    124. 

  124. +	if (state) {
    125. 

  125. +		if (!state)
    126. 

  126. +			return 0;
    127. 

  127. +		buffer[0] = cpu_to_be16(family);
    128. 

  128. +		buffer[1] = cpu_to_be16((u16) type);
    129. 

  129. +		state = aa_dfa_match_len(profile->policy.dfa, state,
    130. 

  130. +					 (char *) &buffer, 4);
    131. 

  131. +		aa_compute_perms(profile->policy.dfa, state, &perms);
    132. 

  132. +	} else if (profile->net_compat) {
    133. 

  133. +		/* 2.x socket mediation compat */
    134. 

  134. +		perms.allow = (profile->net_compat->allow[family] & (1 << type)) ?
    135. 

  135. +			ALL_PERMS_MASK : 0;
    136. 

  136. +		perms.audit = (profile->net_compat->audit[family] & (1 << type)) ?
    137. 

  137. +			ALL_PERMS_MASK : 0;
    138. 

  138. +		perms.quiet = (profile->net_compat->quiet[family] & (1 << type)) ?
    139. 

  139. +			ALL_PERMS_MASK : 0;
    140. 

  140. +
    141. 

  141. +	} else {
    142. 

  142.  		return 0;
    143. 

  143. -
    144. 

  144. -	buffer[0] = cpu_to_be16(family);
    145. 

  145. -	buffer[1] = cpu_to_be16((u16) type);
    146. 

  146. -	state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer,
    147. 

  147. -				 4);
    148. 

  148. -	aa_compute_perms(profile->policy.dfa, state, &perms);
    149. 

  149. +	}
    150. 

  150.  	aa_apply_modes_to_perms(profile, &perms);
    151. 

  151.  
    152. 

  152.  	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
    153. 

  153. diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
    154. 

  154. index 4c010c9..a00e39b 100644
    155. 

  155. --- a/security/apparmor/policy.c
    156. 

  156. +++ b/security/apparmor/policy.c
    157. 

  157. @@ -222,6 +222,7 @@ void aa_free_profile(struct aa_profile *profile)
    158. 

  158.  	aa_free_file_rules(&profile->file);
    159. 

  159.  	aa_free_cap_rules(&profile->caps);
    160. 

  160.  	aa_free_rlimit_rules(&profile->rlimits);
    161. 

  161. +	kfree_sensitive(profile->net_compat);
    162. 

  162.  
    163. 

  163.  	for (i = 0; i < profile->xattr_count; i++)
    164. 

  164.  		kfree_sensitive(profile->xattrs[i]);
    165. 

  165. diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
    166. 

  166. index 4e1f96b..aedfecc 100644
    167. 

  167. --- a/security/apparmor/policy_unpack.c
    168. 

  168. +++ b/security/apparmor/policy_unpack.c
    169. 

  169. @@ -34,7 +34,7 @@
    170. 

  170.  
    171. 

  171.  #define v5	5	/* base version */
    172. 

  172.  #define v6	6	/* per entry policydb mediation check */
    173. 

  173. -#define v7	7
    174. 

  174. +#define v7	7	/* v2 compat networking */
    175. 

  175.  #define v8	8	/* full network masking */
    176. 

  176.  
    177. 

  177.  /*
    178. 

  178. @@ -314,6 +314,19 @@ fail:
    179. 

  179.  	return false;
    180. 

  180.  }
    181. 

  181.  
    182. 

  182. +static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
    183. 

  183. +{
    184. 

  184. +	if (unpack_nameX(e, AA_U16, name)) {
    185. 

  185. +		if (!inbounds(e, sizeof(u16)))
    186. 

  186. +			return 0;
    187. 

  187. +		if (data)
    188. 

  188. +			*data = le16_to_cpu(get_unaligned((__le16 *) e->pos));
    189. 

  189. +		e->pos += sizeof(u16);
    190. 

  190. +		return 1;
    191. 

  191. +	}
    192. 

  192. +	return 0;
    193. 

  193. +}
    194. 

  194. +
    195. 

  195.  static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
    196. 

  196.  {
    197. 

  197.  	void *pos = e->pos;
    198. 

  198. @@ -676,7 +689,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
    199. 

  199.  	struct aa_profile *profile = NULL;
    200. 

  200.  	const char *tmpname, *tmpns = NULL, *name = NULL;
    201. 

  201.  	const char *info = "failed to unpack profile";
    202. 

  202. -	size_t ns_len;
    203. 

  203. +	size_t size = 0, ns_len;
    204. 

  204.  	struct rhashtable_params params = { 0 };
    205. 

  205.  	char *key = NULL;
    206. 

  206.  	struct aa_data *data;
    207. 

  207. @@ -823,6 +836,43 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
    208. 

  208.  		goto fail;
    209. 

  209.  	}
    210. 

  210.  
    211. 

  211. +	size = unpack_array(e, "net_allowed_af");
    212. 

  212. +	if (size || VERSION_LT(e->version, v8)) {
    213. 

  213. +		profile->net_compat = kzalloc(sizeof(struct aa_net_compat), GFP_KERNEL);
    214. 

  214. +		if (!profile->net_compat) {
    215. 

  215. +			info = "out of memory";
    216. 

  216. +			goto fail;
    217. 

  217. +		}
    218. 

  218. +		for (i = 0; i < size; i++) {
    219. 

  219. +			/* discard extraneous rules that this kernel will
    220. 

  220. +			 * never request
    221. 

  221. +			 */
    222. 

  222. +			if (i >= AF_MAX) {
    223. 

  223. +				u16 tmp;
    224. 

  224. +
    225. 

  225. +				if (!unpack_u16(e, &tmp, NULL) ||
    226. 

  226. +				    !unpack_u16(e, &tmp, NULL) ||
    227. 

  227. +				    !unpack_u16(e, &tmp, NULL))
    228. 

  228. +					goto fail;
    229. 

  229. +				continue;
    230. 

  230. +			}
    231. 

  231. +			if (!unpack_u16(e, &profile->net_compat->allow[i], NULL))
    232. 

  232. +				goto fail;
    233. 

  233. +			if (!unpack_u16(e, &profile->net_compat->audit[i], NULL))
    234. 

  234. +				goto fail;
    235. 

  235. +			if (!unpack_u16(e, &profile->net_compat->quiet[i], NULL))
    236. 

  236. +				goto fail;
    237. 

  237. +		}
    238. 

  238. +		if (size && !unpack_nameX(e, AA_ARRAYEND, NULL))
    239. 

  239. +			goto fail;
    240. 

  240. +		if (VERSION_LT(e->version, v7)) {
    241. 

  241. +			/* pre v7 policy always allowed these */
    242. 

  242. +			profile->net_compat->allow[AF_UNIX] = 0xffff;
    243. 

  243. +			profile->net_compat->allow[AF_NETLINK] = 0xffff;
    244. 

  244. +		}
    245. 

  245. +	}
    246. 

  246. +
    247. 

  247. +
    248. 

  248.  	if (unpack_nameX(e, AA_STRUCT, "policydb")) {
    249. 

  249.  		/* generic policy dfa - optional and may be NULL */
    250. 

  250.  		info = "failed to unpack policydb";
    251.