This source file includes following definitions.
- audit_cb
- audit_caps
- profile_capable
- aa_capable
1
2
3
4
5
6
7
8
9
10
11 #include <linux/capability.h>
12 #include <linux/errno.h>
13 #include <linux/gfp.h>
14 #include <linux/security.h>
15
16 #include "include/apparmor.h"
17 #include "include/capability.h"
18 #include "include/cred.h"
19 #include "include/policy.h"
20 #include "include/audit.h"
21
22
23
24
25 #include "capability_names.h"
26
27 struct aa_sfs_entry aa_sfs_entry_caps[] = {
28 AA_SFS_FILE_STRING("mask", AA_SFS_CAPS_MASK),
29 { }
30 };
31
32 struct audit_cache {
33 struct aa_profile *profile;
34 kernel_cap_t caps;
35 };
36
37 static DEFINE_PER_CPU(struct audit_cache, audit_cache);
38
39
40
41
42
43
44 static void audit_cb(struct audit_buffer *ab, void *va)
45 {
46 struct common_audit_data *sa = va;
47
48 audit_log_format(ab, " capname=");
49 audit_log_untrustedstring(ab, capability_names[sa->u.cap]);
50 }
51
52
53
54
55
56
57
58
59
60
61
62
63
64 static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile,
65 int cap, int error)
66 {
67 struct audit_cache *ent;
68 int type = AUDIT_APPARMOR_AUTO;
69
70 aad(sa)->error = error;
71
72 if (likely(!error)) {
73
74 if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
75 !cap_raised(profile->caps.audit, cap)))
76 return 0;
77 type = AUDIT_APPARMOR_AUDIT;
78 } else if (KILL_MODE(profile) ||
79 cap_raised(profile->caps.kill, cap)) {
80 type = AUDIT_APPARMOR_KILL;
81 } else if (cap_raised(profile->caps.quiet, cap) &&
82 AUDIT_MODE(profile) != AUDIT_NOQUIET &&
83 AUDIT_MODE(profile) != AUDIT_ALL) {
84
85 return error;
86 }
87
88
89 ent = &get_cpu_var(audit_cache);
90 if (profile == ent->profile && cap_raised(ent->caps, cap)) {
91 put_cpu_var(audit_cache);
92 if (COMPLAIN_MODE(profile))
93 return complain_error(error);
94 return error;
95 } else {
96 aa_put_profile(ent->profile);
97 ent->profile = aa_get_profile(profile);
98 cap_raise(ent->caps, cap);
99 }
100 put_cpu_var(audit_cache);
101
102 return aa_audit(type, profile, sa, audit_cb);
103 }
104
105
106
107
108
109
110
111
112
113
114 static int profile_capable(struct aa_profile *profile, int cap,
115 unsigned int opts, struct common_audit_data *sa)
116 {
117 int error;
118
119 if (cap_raised(profile->caps.allow, cap) &&
120 !cap_raised(profile->caps.denied, cap))
121 error = 0;
122 else
123 error = -EPERM;
124
125 if (opts & CAP_OPT_NOAUDIT) {
126 if (!COMPLAIN_MODE(profile))
127 return error;
128
129
130
131 aad(sa)->info = "optional: no audit";
132 }
133
134 return audit_caps(sa, profile, cap, error);
135 }
136
137
138
139
140
141
142
143
144
145
146
147 int aa_capable(struct aa_label *label, int cap, unsigned int opts)
148 {
149 struct aa_profile *profile;
150 int error = 0;
151 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, OP_CAPABLE);
152
153 sa.u.cap = cap;
154 error = fn_for_each_confined(label, profile,
155 profile_capable(profile, cap, opts, &sa));
156
157 return error;
158 }