authorJohn Johansen <john.johansen@canonical.com>2017-01-16 00:42:25 -0800
committerJohn Johansen <john.johansen@canonical.com>2017-01-16 01:18:22 -0800
commit92b6d8eff55f8dca57ade26e1dde2c3b6acdae02 (patch)
treefbfa2973ecd4185de867f62e37878077a0738904
parent31617ddfdd7764a5046f076247208aa324458069 (diff)
apparmor: allow ns visibility question to consider subnses
Signed-off-by: John Johansen <john.johansen@canonical.com>
-rw-r--r--security/apparmor/apparmorfs.c2
-rw-r--r--security/apparmor/include/policy_ns.h4
-rw-r--r--security/apparmor/policy_ns.c12
-rw-r--r--security/apparmor/procattr.c4
4 files changed, 14 insertions, 8 deletions
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 0f1a4a28e025..d7cfd79d9857 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -750,7 +750,7 @@ static int seq_show_profile(struct seq_file *f, void *p)
struct aa_ns *root = f->private;
if (profile->ns != root)
- seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
+ seq_printf(f, ":%s://", aa_ns_name(root, profile->ns, true));
seq_printf(f, "%s (%s)\n", profile->base.hname,
aa_profile_mode_names[profile->mode]);
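Review bot: The new third argument to aa_ns_name() is a bare `true` literal, which tells a reader of the seq_printf line nothing about what is being enabled; the two call sites in the procattr.c hunk have the same shape. Naming the flag at the call site keeps the intent visible without changing behaviour, e.g. `seq_printf(f, ":%s://", aa_ns_name(root, profile->ns, true /* subns */));`. seq_show_profile starts before and continues past the hunk.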
diff --git a/security/apparmor/include/policy_ns.h b/security/apparmor/include/policy_ns.h
index ebf9b40f84ed..e4c876544adc 100644
--- a/security/apparmor/include/policy_ns.h
+++ b/security/apparmor/include/policy_ns.h
@@ -74,8 +74,8 @@ extern struct aa_ns *root_ns;
extern const char *aa_hidden_ns_name;
-bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view);
-const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child);
+bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns);
+const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child, bool subns);
void aa_free_ns(struct aa_ns *ns);
int aa_alloc_root_ns(void);
void aa_free_root_ns(void);
diff --git a/security/apparmor/policy_ns.c b/security/apparmor/policy_ns.c
index bab23cce197c..e7b7a829532e 100644
--- a/security/apparmor/policy_ns.c
+++ b/security/apparmor/policy_ns.c
@@ -33,18 +33,23 @@ const char *aa_hidden_ns_name = "---";
* aa_ns_visible - test if @view is visible from @curr
* @curr: namespace to treat as the parent (NOT NULL)
* @view: namespace to test if visible from @curr (NOT NULL)
+ * @subns: whether view of a subns is allowed
*
* Returns: true if @view is visible from @curr else false
*/
-bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view)
+bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns)
{
if (curr == view)
return true;
+ if (!subns)
+ return false;
+
for ( ; view; view = view->parent) {
if (view->parent == curr)
return true;
}
+
return false;
}
@@ -52,16 +57,17 @@ bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view)
* aa_na_name - Find the ns name to display for @view from @curr
* @curr - current namespace (NOT NULL)
* @view - namespace attempting to view (NOT NULL)
+ * @subns - are subns visible
*
* Returns: name of @view visible from @curr
*/
-const char *aa_ns_name(struct aa_ns *curr, struct aa_ns *view)
+const char *aa_ns_name(struct aa_ns *curr, struct aa_ns *view, bool subns)
{
/* if view == curr then the namespace name isn't displayed */
if (curr == view)
return "";
- if (aa_ns_visible(curr, view)) {
+ if (aa_ns_visible(curr, view, subns)) {
/* at this point if a ns is visible it is in a view ns
* thus the curr ns.hname is a prefix of its name.
* Only output the virtualized portion of the name
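Review bot: The new kernel-doc line `@subns - are subns visible` in the aa_ns_name comment uses a `-` separator, which kernel-doc does not parse as a parameter description; the surrounding `@curr -`/`@view -` lines have the same defect, and the first hunk's `@subns: whether view of a subns is allowed` shows the expected form. The two new descriptions also say different things for a flag that aa_ns_name() only passes through to aa_ns_visible(), where the loop over `view->parent` is what it gates. I'd write `@subns: whether a descendant namespace of @curr counts as visible` on aa_ns_visible and `@subns: passed to aa_ns_visible(); when false only @view == @curr is visible` on aa_ns_name. While editing that block, the heading `* aa_na_name - Find the ns name ...` misspells the function name. aa_ns_name's body continues past the hunk.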
diff --git a/security/apparmor/procattr.c b/security/apparmor/procattr.c
index 15ddf74ac269..1babd3655520 100644
--- a/security/apparmor/procattr.c
+++ b/security/apparmor/procattr.c
@@ -44,10 +44,10 @@ int aa_getprocattr(struct aa_profile *profile, char **string)
struct aa_ns *current_ns = __aa_current_profile()->ns;
char *s;
- if (!aa_ns_visible(current_ns, ns))
+ if (!aa_ns_visible(current_ns, ns, true))
return -EACCES;
- ns_name = aa_ns_name(current_ns, ns);
+ ns_name = aa_ns_name(current_ns, ns, true);
ns_len = strlen(ns_name);
/* if the visible ns_name is > 0 increase size for : :// seperator */
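Review bot: The `-EACCES` check and the aa_ns_name() call three lines below now each carry their own `subns` literal, while aa_ns_name() re-runs aa_ns_visible() internally with whatever it is given; if the two literals ever diverge, a caller could pass the access check yet receive the result aa_ns_name() produces for an invisible namespace (presumably aa_hidden_ns_name, declared in the policy_ns.h hunk), or be refused a name it could see. Tie the two decisions to one value: declare `bool subns = true;` next to `char *s;` and pass `subns` to both calls, so a future change cannot update one without the other. aa_getprocattr starts before and continues past the hunk.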