From patchwork Tue Aug 23 09:05:52 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Johansen X-Patchwork-Id: 661785 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 3sJPhJ4dCTz9sBc; Tue, 23 Aug 2016 19:06:56 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1bc7fZ-0006c3-GD; Tue, 23 Aug 2016 09:06:53 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1bc7fN-0006TS-Qc for kernel-team@lists.ubuntu.com; Tue, 23 Aug 2016 09:06:41 +0000 Received: from static-50-53-49-26.bvtn.or.frontiernet.net ([50.53.49.26] helo=canonical.com) by youngberry.canonical.com with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1bc7fN-0006Vm-86 for kernel-team@lists.ubuntu.com; Tue, 23 Aug 2016 09:06:41 +0000 
From: John Johansen To: kernel-team@lists.ubuntu.com Subject: [PATCH 12/14] UBUNTU: SAUCE: apparmor: special case unconfined when determining the mode Date: Tue, 23 Aug 2016 02:05:52 -0700 Message-Id: <1471943154-14507-13-git-send-email-john.johansen@canonical.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1471943154-14507-1-git-send-email-john.johansen@canonical.com> References: <1471943154-14507-1-git-send-email-john.johansen@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com when viewing a stack involving unconfined from across a ns boundary the mode is reported as mixed. Eg. lxc-container-default//&:lxdns1://unconfined (mixed) This is because the unconfined profile is in the special unconfined mode. Which will result in a (mixed) mode for any stack with profiles in enforcing or complain mode. This can however lead to confusion as to what mode is being used as mixed is also used for enforcing stacked with complain. Since unconfined doesn't affect the stack just special case it. BugLink: http://bugs.launchpad.net/bugs/1615890 Signed-off-by: John Johansen --- security/apparmor/label.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/security/apparmor/label.c b/security/apparmor/label.c index c11ca99..ce150a8 100644 --- a/security/apparmor/label.c +++ b/security/apparmor/label.c 
@@ -1535,25 +1535,31 @@ static const char *label_modename(struct aa_ns *ns, struct aa_label *label, { struct aa_profile *profile; struct label_it i; - const char *modestr = NULL; - int count = 0; + int mode = -1, count = 0; label_for_each(i, label, profile) { if (aa_ns_visible(ns, profile->ns, flags & FLAG_VIEW_SUBNS)) { - const char *tmp_modestr; + if (profile->mode == APPARMOR_UNCONFINED) + /* special case unconfined so stacks with + * unconfined don't report as mixed. ie. + * profile_foo//&:ns1://unconfined (mixed) + */ + continue; count++; - tmp_modestr = aa_profile_mode_names[profile->mode]; - if (!modestr) - modestr = tmp_modestr; - else if (modestr != tmp_modestr) + if (mode == -1) + mode = profile->mode; + else if (mode != profile->mode) return "mixed"; } } if (count == 0) return "-"; + if (mode == -1) + /* everything was unconfined */ + mode = APPARMOR_UNCONFINED; - return modestr; + return aa_profile_mode_names[mode]; } /* if any visible label is not unconfined the display_mode returns true */
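Review bot: the "everything was unconfined" fallback (`if (mode == -1) mode = APPARMOR_UNCONFINED;`) is unreachable as written, because the `continue` for `profile->mode == APPARMOR_UNCONFINED` runs before `count++`; a label whose visible profiles are all unconfined therefore leaves `count == 0` and returns "-" rather than "unconfined". If that case is meant to report "unconfined", move `count++` above the unconfined check (or count skipped unconfined profiles separately) so the function reaches the fallback; otherwise the fallback and its comment can be dropped to keep the function honest. Minor style point: the multi-line block comment sits between the `if` and its `continue` without braces, which is easy to misread; placing the comment above the `if` would be clearer.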