Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ipc.c
Go to the documentation of this file.
1 /*
2  * AppArmor security module
3  *
4  * This file contains AppArmor ipc mediation
5  *
6  * Copyright (C) 1998-2008 Novell/SUSE
7  * Copyright 2009-2010 Canonical Ltd.
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU General Public License as
11  * published by the Free Software Foundation, version 2 of the
12  * License.
13  */
14 
15 #include <linux/gfp.h>
16 #include <linux/ptrace.h>
17 
18 #include "include/audit.h"
19 #include "include/capability.h"
20 #include "include/context.h"
21 #include "include/policy.h"
22 #include "include/ipc.h"
23 
24 /* call back to audit ptrace fields */
25 static void audit_cb(struct audit_buffer *ab, void *va)
26 {
27  struct common_audit_data *sa = va;
28  audit_log_format(ab, " target=");
29  audit_log_untrustedstring(ab, sa->aad->target);
30 }
31 
40 static int aa_audit_ptrace(struct aa_profile *profile,
41  struct aa_profile *target, int error)
42 {
43  struct common_audit_data sa;
44  struct apparmor_audit_data aad = {0,};
45  sa.type = LSM_AUDIT_DATA_NONE;
46  sa.aad = &aad;
47  aad.op = OP_PTRACE;
48  aad.target = target;
49  aad.error = error;
50 
51  return aa_audit(AUDIT_APPARMOR_AUTO, profile, GFP_ATOMIC, &sa,
52  audit_cb);
53 }
54 
64 int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer,
65  struct aa_profile *tracee, unsigned int mode)
66 {
67  /* TODO: currently only based on capability, not extended ptrace
68  * rules,
69  * Test mode for PTRACE_MODE_READ || PTRACE_MODE_ATTACH
70  */
71 
72  if (unconfined(tracer) || tracer == tracee)
73  return 0;
74  /* log this capability request */
75  return aa_capable(tracer_task, tracer, CAP_SYS_PTRACE, 1);
76 }
77 
86 int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee,
87  unsigned int mode)
88 {
89  /*
90  * tracer can ptrace tracee when
91  * - tracer is unconfined ||
92  * - tracer is in complain mode
93  * - tracer has rules allowing it to trace tracee currently this is:
94  * - confined by the same profile ||
95  * - tracer profile has CAP_SYS_PTRACE
96  */
97 
98  struct aa_profile *tracer_p;
99  /* cred released below */
100  const struct cred *cred = get_task_cred(tracer);
101  int error = 0;
102  tracer_p = aa_cred_profile(cred);
103 
104  if (!unconfined(tracer_p)) {
105  /* lcred released below */
106  const struct cred *lcred = get_task_cred(tracee);
107  struct aa_profile *tracee_p = aa_cred_profile(lcred);
108 
109  error = aa_may_ptrace(tracer, tracer_p, tracee_p, mode);
110  error = aa_audit_ptrace(tracer_p, tracee_p, error);
111 
112  put_cred(lcred);
113  }
114  put_cred(cred);
115 
116  return error;
117 }