Profiles that want name lookup past the chroot to the namespace root must be marked as such; all other profiles should be chroot relative.
Currently the autogenerated null (learning) and unconfined profiles are not marked as such. Make sure they are properly flagged. This should not affect behavior except for auto-generated profiles when a chroot is entered. Profiles loaded from userspace will not be affected as they provide their own value for the flag. This change does not affect mediation as it only changes the path reported by the unconfined (non-mediating) and null learning profiles. Also ensure that if a profile is ever loaded without path flags set, it defaults to being chroot relative.
Signed-off-by: John Johansen <[email protected]>
--- security/apparmor/policy.c | 3 +++ security/apparmor/policy_unpack.c | 3 ++- 2 files changed, 5 insertions(+), 1 deletions(-) diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c index 4f0eade..537e5dc 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -655,6 +655,9 @@ struct aa_profile *aa_alloc_profile(const char *hname) return NULL; } + /* default to chroot relative paths */ + profile->path_flags = PATH_CHROOT_REL; + /* refcount released by caller */ return profile; } diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index 5c46acf..6137b10 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -25,6 +25,7 @@ #include "include/audit.h" #include "include/context.h" #include "include/match.h" +#include "include/path.h" #include "include/policy.h" #include "include/policy_unpack.h" #include "include/sid.h"
@@ -523,7 +524,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e) profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED; else /* set a default value if path_flags field is not present */ - profile->path_flags = PFLAG_MEDIATE_DELETED; + profile->path_flags = PFLAG_MEDIATE_DELETED | PATH_CHROOT_REL; if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL)) goto fail; -- 1.7.9 -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
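Review bot: in the aa_alloc_profile() hunk the new default references PATH_CHROOT_REL without adding an include to policy.c, while the policy_unpack.c hunk has to add `#include "include/path.h"` to see the same symbol; confirm policy.c already pulls in path.h (directly or through policy.h), otherwise this will not build. The two defaults also now disagree: aa_alloc_profile() sets plain `PATH_CHROOT_REL`, whereas the unpack fallback sets `PFLAG_MEDIATE_DELETED | PATH_CHROOT_REL`, so an auto-generated null or unconfined profile ends up without the mediate-deleted bit that a profile unpacked without a path_flags field gets. If that difference is intended, the `/* default to chroot relative paths */` comment should say so; if not, a single shared default would keep the two paths from drifting apart. Defaulting to chroot-relative lookup is the conservative choice here, since a profile has to opt in explicitly before names are resolved past the chroot to the namespace root.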
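Review bot: in the unpack_profile() hunk the else branch now seeds `PFLAG_MEDIATE_DELETED | PATH_CHROOT_REL`, but the if branch above it only does `profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED`; since aa_alloc_profile() now pre-sets PATH_CHROOT_REL on every profile before unpacking, double-check that the path_flags value read from the policy blob is stored with `=` rather than `|=`, otherwise a userspace profile that deliberately requests namespace-root lookup would still carry the allocation-time chroot-relative bit. A one-line comment above the if stating that an explicit path_flags field fully overrides the allocation default would document the behaviour the commit message depends on.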
