* @hats: vector of hat names to try changing into (MAYBE NULL if @count == 0)
* @count: number of hat names in @hats
* @token: magic value to validate the hat change
- * @permtest: true if this is just a permission test
+ * @flags: flags affecting behavior of the change
*
* Change to the first profile specified in @hats that exists, and store
* the @hat_magic in the current task context. If the count == 0 and the
*
* Returns %0 on success, error otherwise.
*/
-int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
+int aa_change_hat(const char *hats[], int count, u64 token, int flags)
{
const struct cred *cred;
struct aa_task_ctx *ctx;
/* released below */
hat = aa_find_child(root, hats[i]);
if (!hat) {
- if (!COMPLAIN_MODE(root) || permtest) {
+ if (!COMPLAIN_MODE(root) || (flags & AA_CHANGE_TEST)) {
if (list_empty(&root->base.profiles))
error = -ECHILD;
else
goto audit;
}
- if (!permtest) {
+ if (!(flags & AA_CHANGE_TEST)) {
error = aa_set_current_hat(hat, token);
if (error == -EACCES)
/* kill task in case of brute force attacks */
goto out;
audit:
- if (!permtest)
+ if (!(flags & AA_CHANGE_TEST))
error = aa_audit_file(profile, &perms, OP_CHANGE_HAT,
AA_MAY_CHANGEHAT, NULL, target,
GLOBAL_ROOT_UID, info, error);
* aa_change_profile - perform a one-way profile transition
* @fqname: name of profile may include namespace (NOT NULL)
* @onexec: whether this transition is to take place immediately or at exec
- * @permtest: true if this is just a permission test
+ * @flags: flags affecting change behavior
*
* Change to new profile @name. Unlike with hats, there is no way
* to change back. If @name isn't specified the current profile name is
*
* Returns %0 on success, error otherwise.
*/
-int aa_change_profile(const char *fqname, bool onexec,
- bool permtest, bool stack)
+int aa_change_profile(const char *fqname, int flags)
{
const struct cred *cred;
struct aa_profile *profile, *target = NULL;
return -EINVAL;
}
- if (onexec) {
+ if (flags & AA_CHANGE_ONEXEC) {
request = AA_MAY_ONEXEC;
op = OP_CHANGE_ONEXEC;
} else {
if (!target) {
info = "profile not found";
error = -ENOENT;
- if (permtest || !COMPLAIN_MODE(profile))
+ if ((flags & AA_CHANGE_TEST) ||
+ !COMPLAIN_MODE(profile))
goto audit;
/* released below */
target = aa_new_null_profile(profile, false, fqname,
goto audit;
}
- if (permtest)
+ if (flags & AA_CHANGE_TEST)
goto audit;
- if (onexec)
+ if (flags & AA_CHANGE_ONEXEC)
error = aa_set_current_onexec(target);
else
error = aa_replace_current_profile(target);
audit:
- if (!permtest)
+ if (!(flags & AA_CHANGE_TEST))
error = aa_audit_file(profile, &perms, op, request, NULL,
fqname, GLOBAL_ROOT_UID, info, error);
char **table;
};
+#define AA_CHANGE_NOFLAGS 0
+#define AA_CHANGE_TEST 1
+#define AA_CHANGE_CHILD 2
+#define AA_CHANGE_ONEXEC 4
+
int apparmor_bprm_set_creds(struct linux_binprm *bprm);
int apparmor_bprm_secureexec(struct linux_binprm *bprm);
void aa_free_domain_entries(struct aa_domain *domain);
-int aa_change_hat(const char *hats[], int count, u64 token, bool permtest);
-int aa_change_profile(const char *fqname, bool onexec, bool permtest,
- bool stack);
+int aa_change_hat(const char *hats[], int count, u64 token, int flags);
+int aa_change_profile(const char *fqname, int flags);
#endif /* __AA_DOMAIN_H */
#ifndef __AA_PROCATTR_H
#define __AA_PROCATTR_H
-#define AA_DO_TEST 1
-#define AA_ONEXEC 1
-
int aa_getprocattr(struct aa_profile *profile, char **string);
-int aa_setprocattr_changehat(char *args, size_t size, int test);
-int aa_setprocattr_changeprofile(char *fqname, bool onexec, int test);
+int aa_setprocattr_changehat(char *args, size_t size, int flags);
#endif /* __AA_PROCATTR_H */
if (strcmp(name, "current") == 0) {
if (strcmp(command, "changehat") == 0) {
error = aa_setprocattr_changehat(args, arg_size,
- !AA_DO_TEST);
+ AA_CHANGE_NOFLAGS);
} else if (strcmp(command, "permhat") == 0) {
error = aa_setprocattr_changehat(args, arg_size,
- AA_DO_TEST);
+ AA_CHANGE_TEST);
} else if (strcmp(command, "changeprofile") == 0) {
- error = aa_change_profile(args, !AA_ONEXEC,
- !AA_DO_TEST, false);
+ error = aa_change_profile(args, AA_CHANGE_NOFLAGS);
} else if (strcmp(command, "permprofile") == 0) {
- error = aa_change_profile(args, !AA_ONEXEC, AA_DO_TEST,
- false);
+ error = aa_change_profile(args, AA_CHANGE_TEST);
} else
goto fail;
} else if (strcmp(name, "exec") == 0) {
if (strcmp(command, "exec") == 0)
- error = aa_change_profile(args, AA_ONEXEC, !AA_DO_TEST,
- false);
+ error = aa_change_profile(args, AA_CHANGE_ONEXEC);
else
goto fail;
} else
* aa_setprocattr_chagnehat - handle procattr interface to change_hat
* @args: args received from writing to /proc/<pid>/attr/current (NOT NULL)
* @size: size of the args
- * @test: true if this is a test of change_hat permissions
+ * @flags: set of flags governing behavior
*
* Returns: %0 or error code if change_hat fails
*/
-int aa_setprocattr_changehat(char *args, size_t size, int test)
+int aa_setprocattr_changehat(char *args, size_t size, int flags)
{
char *hat;
u64 token;
AA_DEBUG("%s: (pid %d) Magic 0x%llx count %d Hat '%s'\n",
__func__, current->pid, token, count, "<NULL>");
- return aa_change_hat(hats, count, token, test);
+ return aa_change_hat(hats, count, token, flags);
}
projects / linux.git / commitdiff