[apparmor] [PATCH 4/4] apparmor: use security_path_access hook
John Johansen
john.johansen at canonical.com
Tue Nov 5 13:35:01 UTC 2013
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
security/apparmor/audit.c | 1 +
security/apparmor/include/audit.h | 1 +
security/apparmor/lsm.c | 13 +++++++++++++
3 files changed, 15 insertions(+)
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 6ebebd5..cc7d6c6 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -39,6 +39,7 @@ const char *const op_table[] = {
"chdir",
"getattr",
"open",
+ "access",
"file_perm",
"file_lock",
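Review bot: The new `"access"` string is only correct because its position in op_table matches the position of OP_ACCESS inserted into enum aa_ops in the audit.h hunk below; nothing at either site says so, and a later insertion into one table but not the other would silently relabel every audit record that follows. A one-line comment at the insertion point would make the coupling visible, e.g. `"access",	/* OP_ACCESS; order must match enum aa_ops in include/audit.h */`. The same note applies to the OP_ACCESS line in the audit.h hunk.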
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 57f5ce8..190cc8b 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -67,6 +67,7 @@ enum aa_ops {
OP_CHDIR,
OP_GETATTR,
OP_OPEN,
+ OP_ACCESS,
OP_FPERM,
OP_FLOCK,
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 794aa1a..1f5e370 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -376,6 +376,18 @@ static int apparmor_path_chdir(struct path *path)
return common_perm(OP_CHDIR, path, MAY_READ, &cond);
}
+static int apparmor_path_access(struct path *path, umode_t mode)
+{
+ struct path_cond cond = { path->dentry->d_inode->i_uid,
+ path->dentry->d_inode->i_mode
+ };
+
+ if (!mediated_filesystem(path->dentry->d_inode))
+ return 0;
+
+ return common_perm(OP_ACCESS, path, mode & ~MAY_ACCESS, &cond);
+}
+
static int apparmor_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
{
if (!mediated_filesystem(dentry->d_inode))
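Review bot: For an F_OK check the request passed into common_perm on the `return common_perm(OP_ACCESS, path, mode & ~MAY_ACCESS, &cond);` line is zero after the mask, and nothing in this hunk shows what common_perm does with an empty request; it should be confirmed that a zero request produces the intended existence-check result rather than an unaudited allow or a spurious denial. The `umode_t mode` parameter also carries MAY_* request flags rather than S_I* mode bits, which the type name suggests; if the hook prototype introduced earlier in the series permits it, `int mode` as in inode_permission() would be less misleading, otherwise a comment such as `/* mode holds MAY_* flags, not S_I* bits */` would help. The new function has no kernel-doc header; a short one stating that it mediates access(2) on mediated filesystems and returns 0 for others would match the intent.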
@@ -645,6 +657,7 @@ static struct security_operations apparmor_ops = {
.path_chmod = apparmor_path_chmod,
.path_chown = apparmor_path_chown,
.path_chdir = apparmor_path_chdir,
+ .path_access = apparmor_path_access,
.path_truncate = apparmor_path_truncate,
.inode_getattr = apparmor_inode_getattr,
--
1.8.3.2