apparmor: fix af_unix auditing to include all address information
The auditing of addresses currently doesn't include the source address
and mixes source and foreign/peer under the same audit name. Fix this
so source is always addr, and the foreign/peer is peer_addr.
Fixes: c05e705812
("apparmor: add fine grained af_unix mediation")
Signed-off-by: John Johansen <john.johansen@canonical.com>
parent
bc6e5f6933
commit
a30a9fdb66
3 changed files with 18 additions and 10 deletions
|
@ -584,8 +584,8 @@ static int unix_peer_perm(const struct cred *subj_cred,
|
|||
struct aa_profile *profile;
|
||||
DEFINE_AUDIT_SK(ad, op, subj_cred, sk);
|
||||
|
||||
ad.net.addr = peer_addr;
|
||||
ad.net.addrlen = peer_addrlen;
|
||||
ad.net.peer.addr = peer_addr;
|
||||
ad.net.peer.addrlen = peer_addrlen;
|
||||
|
||||
return fn_for_each_confined(label, profile,
|
||||
profile_peer_perm(profile, request, sk,
|
||||
|
|
|
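Review bot: After this change `unix_peer_perm()` records only the peer, so the `addr` field of the resulting audit record is no longer set at this call site, and nothing in the hunk tells the reader where it now comes from. The `audit_net_cb()` change in this commit falls back to `audit_unix_sk_addr(ab, "addr", ad->common.u.net->sk)` when `ad.net.addr` is NULL, which presumably covers it through the `sk` passed to `DEFINE_AUDIT_SK`. A one-line comment above the two assignments would make that dependency explicit, for example `/* local addr is derived from sk in audit_net_cb(); only the peer is set here */`. The function body starts and ends outside the hunk.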
@ -140,6 +140,10 @@ struct apparmor_audit_data {
|
|||
int type, protocol;
|
||||
void *addr;
|
||||
int addrlen;
|
||||
struct {
|
||||
void *addr;
|
||||
int addrlen;
|
||||
} peer;
|
||||
} net;
|
||||
};
|
||||
};
|
||||
|
|
|
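Review bot: The `net` member now holds two `addr`/`addrlen` pairs with identical names and no comment saying which side each describes or what a NULL pointer means. Going by the callback change in this commit, the outer pair is the local (source) address, with the socket's own address used instead when it is NULL and a socket is available, while `peer` is emitted as `peer_addr` only for `NET_PEER_MASK` requests. I would document that on the fields, e.g. `/* local address; NULL: taken from sk */` and `/* foreign/peer address, audited for NET_PEER_MASK requests */`. The struct definition starts outside the hunk.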
@ -99,10 +99,15 @@ static void audit_unix_sk_addr(struct audit_buffer *ab, const char *str,
|
|||
{
|
||||
const struct unix_sock *u = unix_sk(sk);
|
||||
|
||||
if (u && u->addr)
|
||||
audit_unix_addr(ab, str, u->addr->name, u->addr->len);
|
||||
else
|
||||
if (u && u->addr) {
|
||||
int addrlen;
|
||||
struct sockaddr_un *addr = aa_sunaddr(u, &addrlen);
|
||||
|
||||
audit_unix_addr(ab, str, addr, addrlen);
|
||||
} else {
|
||||
audit_unix_addr(ab, str, NULL, 0);
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
/* audit callback for net specific fields */
|
||||
|
@ -137,17 +142,16 @@ void audit_net_cb(struct audit_buffer *ab, void *va)
|
|||
}
|
||||
}
|
||||
if (ad->common.u.net->family == PF_UNIX) {
|
||||
if ((ad->request & ~NET_PEER_MASK) && ad->net.addr)
|
||||
if (ad->net.addr || !ad->common.u.net->sk)
|
||||
audit_unix_addr(ab, "addr",
|
||||
unix_addr(ad->net.addr),
|
||||
ad->net.addrlen);
|
||||
else
|
||||
audit_unix_sk_addr(ab, "addr", ad->common.u.net->sk);
|
||||
if (ad->request & NET_PEER_MASK) {
|
||||
if (ad->net.addr)
|
||||
audit_unix_addr(ab, "peer_addr",
|
||||
unix_addr(ad->net.addr),
|
||||
ad->net.addrlen);
|
||||
audit_unix_addr(ab, "peer_addr",
|
||||
unix_addr(ad->net.peer.addr),
|
||||
ad->net.peer.addrlen);
|
||||
}
|
||||
}
|
||||
if (ad->peer) {
|
||||
|
|
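Review bot: In `audit_unix_sk_addr()` the new branch tests `u->addr` with a plain read and then hands `u` to `aa_sunaddr()`, which has to look at the address again, and `addrlen` is declared without an initializer. `aa_sunaddr()` is not shown on this page; if it already returns NULL and sets the length to 0 for an unbound socket, the if/else collapses to `int addrlen = 0;`, `struct sockaddr_un *addr = u ? aa_sunaddr(u, &addrlen) : NULL;` and a single `audit_unix_addr(ab, str, addr, addrlen);`. That leaves one read of the address pointer, which matters if the socket can be bound concurrently, and one logging call. If the helper does not cover the NULL case, keep the branch and initialize `addrlen`.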