apparmor: make computing policy hashes conditional on kernel parameter

jrjohansen · jrjohansen · commit 31f75bfecd9c · 2017-01-16T01:18:50.000-08:00
Allow turning off the computation of the policy hashes via the
apparmor.hash_policy kernel parameter.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
@@ -166,42 +166,42 @@ static int common_perm(const char *op, const struct path *path, u32 mask,
 }
 
 /**
- * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
+ * common_perm_cond - common permission wrapper around inode cond
  * @op: operation being checked
- * @dir: directory of the dentry  (NOT NULL)
- * @dentry: dentry to check  (NOT NULL)
+ * @path: location to check (NOT NULL)
  * @mask: requested permissions mask
- * @cond: conditional info for the permission request  (NOT NULL)
  *
  * Returns: %0 else error code if error or permission denied
  */
-static int common_perm_dir_dentry(const char *op, const struct path *dir,
-				  struct dentry *dentry, u32 mask,
-				  struct path_cond *cond)
+static int common_perm_cond(const char *op, const struct path *path, u32 mask)
 {
-	struct path path = { .mnt = dir->mnt, .dentry = dentry };
+	struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
+				  d_backing_inode(path->dentry)->i_mode
+	};
 
-	return common_perm(op, &path, mask, cond);
+	if (!path_mediated_fs(path->dentry))
+		return 0;
+
+	return common_perm(op, path, mask, &cond);
 }
 
 /**
- * common_perm_path - common permission wrapper when mnt, dentry
+ * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
  * @op: operation being checked
- * @path: location to check (NOT NULL)
+ * @dir: directory of the dentry  (NOT NULL)
+ * @dentry: dentry to check  (NOT NULL)
  * @mask: requested permissions mask
+ * @cond: conditional info for the permission request  (NOT NULL)
  *
  * Returns: %0 else error code if error or permission denied
  */
-static inline int common_perm_path(const char *op, const struct path *path,
-				   u32 mask)
+static int common_perm_dir_dentry(const char *op, const struct path *dir,
+				  struct dentry *dentry, u32 mask,
+				  struct path_cond *cond)
 {
-	struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
-				  d_backing_inode(path->dentry)->i_mode
-	};
-	if (!path_mediated_fs(path->dentry))
-		return 0;
+	struct path path = { .mnt = dir->mnt, .dentry = dentry };
 
-	return common_perm(op, path, mask, &cond);
+	return common_perm(op, &path, mask, cond);
 }
 
 /**
@@ -274,7 +274,7 @@ static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
 
 static int apparmor_path_truncate(const struct path *path)
 {
-	return common_perm_path(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE);
+	return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE);
 }
 
 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
@@ -333,17 +333,17 @@ static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_d
 
 static int apparmor_path_chmod(const struct path *path, umode_t mode)
 {
-	return common_perm_path(OP_CHMOD, path, AA_MAY_CHMOD);
+	return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD);
 }
 
 static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
 {
-	return common_perm_path(OP_CHOWN, path, AA_MAY_CHOWN);
+	return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN);
 }
 
 static int apparmor_inode_getattr(const struct path *path)
 {
-	return common_perm_path(OP_GETATTR, path, AA_MAY_META_READ);
+	return common_perm_cond(OP_GETATTR, path, AA_MAY_META_READ);
 }
 
 static int apparmor_file_open(struct file *file, const struct cred *cred)
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
@@ -825,7 +825,8 @@ int aa_unpack(struct aa_loaddata *udata, struct list_head *lh,
 		if (error)
 			goto fail_profile;
 
-		error = aa_calc_profile_hash(profile, e.version, start,
+		if (aa_g_hash_policy)
+			error = aa_calc_profile_hash(profile, e.version, start,
 						     e.pos - start);
 		if (error)
 			goto fail_profile;
@@ -841,11 +842,13 @@ int aa_unpack(struct aa_loaddata *udata, struct list_head *lh,
 		list_add_tail(&ent->list, lh);
 	}
 	udata->abi = e.version & K_ABI_MASK;
-	udata->hash = aa_calc_hash(udata->data, udata->size);
-	if (IS_ERR(udata->hash)) {
-		error = PTR_ERR(udata->hash);
-		udata->hash = NULL;
-		goto fail;
+	if (aa_g_hash_policy) {
+		udata->hash = aa_calc_hash(udata->data, udata->size);
+		if (IS_ERR(udata->hash)) {
+			error = PTR_ERR(udata->hash);
+			udata->hash = NULL;
+			goto fail;
+		}
 	}
 	return 0;
 

Original file line number	Diff line number	Diff line change
`@@ -166,42 +166,42 @@ static int common_perm(const char op, const struct path path, u32 mask,`
`166`	`166`	`}`
`167`	`167`
`168`	`168`	`/**`
`169`		`- * common_perm_dir_dentry - common permission wrapper when path is dir, dentry`
	`169`	`+ * common_perm_cond - common permission wrapper around inode cond`
`170`	`170`	`* @op: operation being checked`
`171`		`- * @dir: directory of the dentry (NOT NULL)`
`172`		`- * @dentry: dentry to check (NOT NULL)`
	`171`	`+ * @path: location to check (NOT NULL)`
`173`	`172`	`* @mask: requested permissions mask`
`174`		`- * @cond: conditional info for the permission request (NOT NULL)`
`175`	`173`	`*`
`176`	`174`	`* Returns: %0 else error code if error or permission denied`
`177`	`175`	`*/`
`178`		`-static int common_perm_dir_dentry(const char op, const struct path dir,`
`179`		`- struct dentry *dentry, u32 mask,`
`180`		`- struct path_cond *cond)`
	`176`	`+static int common_perm_cond(const char op, const struct path path, u32 mask)`
`181`	`177`	`{`
`182`		`- struct path path = { .mnt = dir->mnt, .dentry = dentry };`
	`178`	`+ struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,`
	`179`	`+ d_backing_inode(path->dentry)->i_mode`
	`180`	`+ };`
`183`	`181`
`184`		`- return common_perm(op, &path, mask, cond);`
	`182`	`+ if (!path_mediated_fs(path->dentry))`
	`183`	`+ return 0;`
	`184`	`+`
	`185`	`+ return common_perm(op, path, mask, &cond);`
`185`	`186`	`}`
`186`	`187`
`187`	`188`	`/**`
`188`		`- * common_perm_path - common permission wrapper when mnt, dentry`
	`189`	`+ * common_perm_dir_dentry - common permission wrapper when path is dir, dentry`
`189`	`190`	`* @op: operation being checked`
`190`		`- * @path: location to check (NOT NULL)`
	`191`	`+ * @dir: directory of the dentry (NOT NULL)`
	`192`	`+ * @dentry: dentry to check (NOT NULL)`
`191`	`193`	`* @mask: requested permissions mask`
	`194`	`+ * @cond: conditional info for the permission request (NOT NULL)`
`192`	`195`	`*`
`193`	`196`	`* Returns: %0 else error code if error or permission denied`
`194`	`197`	`*/`
`195`		`-static inline int common_perm_path(const char op, const struct path path,`
`196`		`- u32 mask)`
	`198`	`+static int common_perm_dir_dentry(const char op, const struct path dir,`
	`199`	`+ struct dentry *dentry, u32 mask,`
	`200`	`+ struct path_cond *cond)`
`197`	`201`	`{`
`198`		`- struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,`
`199`		`- d_backing_inode(path->dentry)->i_mode`
`200`		`- };`
`201`		`- if (!path_mediated_fs(path->dentry))`
`202`		`- return 0;`
	`202`	`+ struct path path = { .mnt = dir->mnt, .dentry = dentry };`
`203`	`203`
`204`		`- return common_perm(op, path, mask, &cond);`
	`204`	`+ return common_perm(op, &path, mask, cond);`
`205`	`205`	`}`
`206`	`206`
`207`	`207`	`/**`
`@@ -274,7 +274,7 @@ static int apparmor_path_mknod(const struct path dir, struct dentry dentry,`
`274`	`274`
`275`	`275`	`static int apparmor_path_truncate(const struct path *path)`
`276`	`276`	`{`
`277`		`- return common_perm_path(OP_TRUNC, path, MAY_WRITE \| AA_MAY_META_WRITE);`
	`277`	`+ return common_perm_cond(OP_TRUNC, path, MAY_WRITE \| AA_MAY_META_WRITE);`
`278`	`278`	`}`
`279`	`279`
`280`	`280`	`static int apparmor_path_symlink(const struct path dir, struct dentry dentry,`
`@@ -333,17 +333,17 @@ static int apparmor_path_rename(const struct path old_dir, struct dentry old_d`
`333`	`333`
`334`	`334`	`static int apparmor_path_chmod(const struct path *path, umode_t mode)`
`335`	`335`	`{`
`336`		`- return common_perm_path(OP_CHMOD, path, AA_MAY_CHMOD);`
	`336`	`+ return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD);`
`337`	`337`	`}`
`338`	`338`
`339`	`339`	`static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)`
`340`	`340`	`{`
`341`		`- return common_perm_path(OP_CHOWN, path, AA_MAY_CHOWN);`
	`341`	`+ return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN);`
`342`	`342`	`}`
`343`	`343`
`344`	`344`	`static int apparmor_inode_getattr(const struct path *path)`
`345`	`345`	`{`
`346`		`- return common_perm_path(OP_GETATTR, path, AA_MAY_META_READ);`
	`346`	`+ return common_perm_cond(OP_GETATTR, path, AA_MAY_META_READ);`
`347`	`347`	`}`
`348`	`348`
`349`	`349`	`static int apparmor_file_open(struct file file, const struct cred cred)`