author | John Johansen <john.johansen@canonical.com> | 2022-09-20 06:48:48 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-11-28 20:20:07 +0300 |
commit | 690f33e1edf5cd996b54094409de0067ae3fa216 (patch) | |
tree | bf88ba28f66e1bfa25301032c491b14a88266b94 /security/apparmor/ipc.c | |
parent | 30b3669d40ad2400dfac75d1250596b5b0cb241b (diff) | |
apparmor: pass cred through to audit info.
[ Upstream commit 90c436a64a6e20482a9a613c47eb4af2e8a5328e ]
The cred is needed to properly audit some messages, and will be needed
in the future for uid conditional mediation. So pass it through to
where the apparmor_audit_data struct gets defined.
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Stable-dep-of: 157a3537d6bc ("apparmor: Fix regression in mount mediation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'security/apparmor/ipc.c')
-rw-r--r-- | security/apparmor/ipc.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c
index fd8306399b82..c0d0dbd7b4c4 100644
--- a/security/apparmor/ipc.c
+++ b/security/apparmor/ipc.c
@@ -75,7 +75,8 @@ static void audit_signal_cb(struct audit_buffer *ab, void *va)
 FLAGS_NONE, GFP_ATOMIC);
 }
 
-static int profile_signal_perm(struct aa_profile *profile,
+static int profile_signal_perm(const struct cred *cred,
+ struct aa_profile *profile,
 struct aa_label *peer, u32 request,
 struct apparmor_audit_data *ad)
 {
@@ -88,6 +89,7 @@ static int profile_signal_perm(struct aa_profile *profile,
 !ANY_RULE_MEDIATES(&profile->rules, AA_CLASS_SIGNAL))
 return 0;
 
+ ad->subj_cred = cred;
 ad->peer = peer;
 /* TODO: secondary cache check <profile, profile, perm> */
 state = aa_dfa_next(rules->policy.dfa,
@@ -98,7 +100,9 @@ static int profile_signal_perm(struct aa_profile *profile,
 return aa_check_perms(profile, &perms, request, ad, audit_signal_cb);
 }
 
-int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig)
+int aa_may_signal(const struct cred *subj_cred, struct aa_label *sender,
+ const struct cred *target_cred, struct aa_label *target,
+ int sig)
 {
 struct aa_profile *profile;
 DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_SIGNAL, OP_SIGNAL);
@@ -106,6 +110,8 @@ int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig)
 ad.signal = map_signal_num(sig);
 ad.unmappedsig = sig;
 return xcheck_labels(sender, target, profile,
- profile_signal_perm(profile, target, MAY_WRITE, &ad),
- profile_signal_perm(profile, sender, MAY_READ, &ad));
+ profile_signal_perm(subj_cred, profile, target,
+ MAY_WRITE, &ad),
+ profile_signal_perm(target_cred, profile, sender,
+ MAY_READ, &ad));
 }
|
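Review bot: The new `ad->subj_cred = cred;` in profile_signal_perm writes into the caller's audit struct, and aa_may_signal (last hunk) hands the same `ad` to both the sender-side MAY_WRITE check and the receiver-side MAY_READ check, so the field means "sender's cred" in one call and "target's cred" in the other. That looks intentional, since the subject of the receive check is the target, but nothing on the page says so; a comment above the assignment such as `/* subject of this check: sender cred for MAY_WRITE, target cred for MAY_READ */` would stop a later reader of the audit callback from assuming subj_cred is always the signalling task. The assignment also sits after the early `return 0`, so on the unmediated path the field keeps whatever an earlier call left in it; that is harmless only while nothing audits from that path. profile_signal_perm's body starts and ends outside this hunk.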
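Review bot: aa_may_signal gains two cred parameters but no kernel-doc stating which task each belongs to or who keeps them alive, at the new signature in the third hunk. Both pointers are stored in `ad.subj_cred` while the permission check and any audit callback run, so they have to stay valid until xcheck_labels returns. The callers are not part of this diff, so presumably they hold a reference or sit inside an RCU read section, which is worth confirming. I would add a short kernel-doc block above the function that names `@subj_cred` as the sender's cred and `@target_cred` as the receiver's cred and states that lifetime requirement.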