
Commit 3bf3d72

apparmor: verify loaded permission bits masks don't overlap
Add an additional verification that loaded permission sets don't overlap in ways that are not intended. This will help ensure that permission accumulation can't result in an invalid permission set. Signed-off-by: John Johansen <[email protected]>
1 parent 3dfd16a commit 3bf3d72


1 file changed

+30
-4
lines changed


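--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -1150,11 +1150,37 @@ static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size)
 return true;
 }
 
-static bool verify_perm_indexes(struct aa_policydb *pdb)
+static bool verify_perm(struct aa_perms *perm)
+{
+/* TODO: allow option to just force the perms into a valid state */
+if (perm->allow & perm->deny)
+return false;
+if (perm->subtree & ~perm->allow)
+return false;
+if (perm->cond & (perm->allow | perm->deny))
+return false;
+if (perm->kill & perm->allow)
+return false;
+if (perm->complain & (perm->allow | perm->deny))
+return false;
+if (perm->prompt & (perm->allow | perm->deny))
+return false;
+if (perm->complain & perm->prompt)
+return false;
+if (perm->hide & perm->allow)
+return false;
+
+return true;
+}
+
+static bool verify_perms(struct aa_policydb *pdb)
 {
 int i;
 
 for (i = 0; i < pdb->size; i++) {
+if (!verify_perm(&pdb->perms[i]))
+return false;
+/* verify indexes into str table */
 if (pdb->perms[i].xindex >= pdb->trans.size)
 return false;
 if (pdb->perms[i].tag >= pdb->trans.size)
@@ -1187,17 +1213,17 @@ static int verify_profile(struct aa_profile *profile)
 return -EPROTO;
 }
 
-if (!verify_perm_indexes(&profile->file)) {
+if (!verify_perms(&profile->file)) {
 audit_iface(profile, NULL, NULL,
 "Unpack: Invalid perm index", NULL, -EPROTO);
 return -EPROTO;
 }
-if (!verify_perm_indexes(&profile->policy)) {
+if (!verify_perms(&profile->policy)) {
 audit_iface(profile, NULL, NULL,
 "Unpack: Invalid perm index", NULL, -EPROTO);
 return -EPROTO;
 }
-if (!verify_perm_indexes(&profile->xmatch)) {
+if (!verify_perms(&profile->xmatch)) {
 audit_iface(profile, NULL, NULL,
 "Unpack: Invalid perm index", NULL, -EPROTO);
 return -EPROTO;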
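Review bot: The three audit_iface() calls in verify_profile still log "Unpack: Invalid perm index" when verify_perms() fails, but with this change the same failure path is also taken when verify_perm() rejects overlapping masks (for example `perm->allow & perm->deny`), so the audit record for a rejected policy load names the wrong cause. Consider a message that covers both cases, e.g. `"Unpack: Invalid perms", NULL, -EPROTO);`, or having verify_perms() report which check failed so the record can distinguish a bad mask from a bad string-table index; anything that parses the existing string would need checking first. verify_perm() only reads its argument, so it could take `const struct aa_perms *perm`, and a short comment above it stating the invariants being enforced would help the next reader. verify_profile begins and ends outside the second hunk, and the verify_perms loop continues past the first hunk's last line.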
