From 31f75bfecd9cef7d485b1cda3c6c38cc0b4a5c6c Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Mon, 16 Jan 2017 00:43:07 -0800
Subject: [PATCH] apparmor: make computing policy hashes conditional on kernel parameter

Allow turning off the computation of the policy hashes via the apparmor.hash_policy kernel parameter.

Signed-off-by: John Johansen
---
security/apparmor/lsm.c | 48 +++++++++++++++----------------
security/apparmor/policy_unpack.c | 15 ++++++----
2 files changed, 33 insertions(+), 30 deletions(-)

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 264aa192032e..6a5cf54cfa72 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -165,6 +165,26 @@ static int common_perm(const char *op, const struct path *path, u32 mask,
 return error;
 }
 
+/**
+ * common_perm_cond - common permission wrapper around inode cond
+ * @op: operation being checked
+ * @path: location to check (NOT NULL)
+ * @mask: requested permissions mask
+ *
+ * Returns: %0 else error code if error or permission denied
+ */
+static int common_perm_cond(const char *op, const struct path *path, u32 mask)
+{
+ struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
+ d_backing_inode(path->dentry)->i_mode
+ };
+
+ if (!path_mediated_fs(path->dentry))
+ return 0;
+
+ return common_perm(op, path, mask, &cond);
+}
+
 /**
 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
 * @op: operation being checked
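Review bot: common_perm_cond reads `d_backing_inode(path->dentry)->i_uid` and `->i_mode` in the initializer of `cond` before the `path_mediated_fs(path->dentry)` test, so the inode is dereferenced even for filesystems AppArmor does not mediate; putting `if (!path_mediated_fs(path->dentry)) return 0;` first and the `struct path_cond cond = { ... };` initializer after it keeps the early-return path free of inode accesses. The body is otherwise the same as common_perm_path, removed in the following hunk, apart from the dropped `inline`, so this is a rename rather than new logic. The commit description covers only the apparmor.hash_policy parameter and does not mention the rename; it should either be described there or split into its own patch. The hunk's leading context is the tail of common_perm, whose body starts outside the hunk.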
@@ -184,26 +204,6 @@ static int common_perm_dir_dentry(const char *op, const struct path *dir,
 return common_perm(op, &path, mask, cond);
 }
 
-/**
- * common_perm_path - common permission wrapper when mnt, dentry
- * @op: operation being checked
- * @path: location to check (NOT NULL)
- * @mask: requested permissions mask
- *
- * Returns: %0 else error code if error or permission denied
- */
-static inline int common_perm_path(const char *op, const struct path *path,
- u32 mask)
-{
- struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
- d_backing_inode(path->dentry)->i_mode
- };
- if (!path_mediated_fs(path->dentry))
- return 0;
-
- return common_perm(op, path, mask, &cond);
-}
-
 /**
 * common_perm_rm - common permission wrapper for operations doing rm
 * @op: operation being checked
@@ -274,7 +274,7 @@ static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
 
 static int apparmor_path_truncate(const struct path *path)
 {
- return common_perm_path(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE);
+ return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE);
 }
 
 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
@@ -333,17 +333,17 @@ static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_d
 
 static int apparmor_path_chmod(const struct path *path, umode_t mode)
 {
- return common_perm_path(OP_CHMOD, path, AA_MAY_CHMOD);
+ return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD);
 }
 
 static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
 {
- return common_perm_path(OP_CHOWN, path, AA_MAY_CHOWN);
+ return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN);
 }
 
 static int apparmor_inode_getattr(const struct path *path)
 {
- return common_perm_path(OP_GETATTR, path, AA_MAY_META_READ);
+ return common_perm_cond(OP_GETATTR, path, AA_MAY_META_READ);
 }
 
 static int apparmor_file_open(struct file *file, const struct cred *cred)
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 441efc965f2b..59c891ad1270 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -825,7 +825,8 @@ int aa_unpack(struct aa_loaddata *udata, struct list_head *lh,
 if (error)
 goto fail_profile;
 
- error = aa_calc_profile_hash(profile, e.version, start,
+ if (aa_g_hash_policy)
+ error = aa_calc_profile_hash(profile, e.version, start,
 e.pos - start);
 if (error)
 goto fail_profile;
@@ -841,11 +842,13 @@ int aa_unpack(struct aa_loaddata *udata, struct list_head *lh,
 list_add_tail(&ent->list, lh);
 }
 udata->abi = e.version & K_ABI_MASK;
- udata->hash = aa_calc_hash(udata->data, udata->size);
- if (IS_ERR(udata->hash)) {
- error = PTR_ERR(udata->hash);
- udata->hash = NULL;
- goto fail;
+ if (aa_g_hash_policy) {
+ udata->hash = aa_calc_hash(udata->data, udata->size);
+ if (IS_ERR(udata->hash)) {
+ error = PTR_ERR(udata->hash);
+ udata->hash = NULL;
+ goto fail;
+ }
 }
 return 0;
 
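Review bot: The continuation line `e.pos - start);` is unchanged context, so once the call is moved under `if (aa_g_hash_policy)` it no longer lines up with the opening parenthesis of `aa_calc_profile_hash(`, and the unbraced `if` followed by a two-line statement and then the reused `if (error)` test reads as though the hash result were still checked unconditionally. Bracing the conditional and moving the error check inside it makes the skip explicit and repairs the alignment, as sketched below. With the parameter off, `profile->hash` is never assigned here, and the same holds for `udata->hash` in the following hunk; presumably both stay NULL from allocation, so every consumer of those fields has to tolerate a missing hash, which nothing in this patch shows, and the aa_g_hash_policy documentation should say that a disabled hash is reported as absent rather than as an error. aa_unpack starts and ends outside the hunk.

```c
		if (aa_g_hash_policy) {
			error = aa_calc_profile_hash(profile, e.version, start,
						     e.pos - start);
			if (error)
				goto fail_profile;
		}
		/* … unchanged: remainder of aa_unpack … */
```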
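Review bot: `aa_g_hash_policy` is re-read on every aa_unpack call, so if the parameter is writable after boot (its definition is not in this patch) a loaded policy set can end up with some entries carrying a hash and others with `udata->hash` left unset, which anything that uses the hash to verify or audit loaded policy then has to handle entry by entry. If runtime toggling is intended, a comment such as `/* hash_policy may change between loads; a NULL hash means hashing was off when this entry was loaded */` above this block would record that contract; if it is meant to be boot-time only, the parameter should be exposed read-only. aa_unpack starts and ends outside the hunk.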