summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorMaxime Bélair <maxime.belair@canonical.com>2025-07-21 16:46:44 +0200
committerJohn Johansen <john.johansen@canonical.com>2026-01-29 01:27:53 -0800
commit8d34e16f7f2b51f880957f2caadaae731ee28867 (patch)
tree91ad60bf09fabbeba5d2a07e40eca78938ba18fc /security
parent3d28e2397af7a89ac3de33c686ed404cda59b5d5 (diff)
apparmor: userns: Add support for execpath in userns
This new field allows reliable identification of the binary that triggered a denial since the existing field (comm) only gives the name of the binary, not its path. Thus comm doesn't work for binaries outside of $PATH or works unreliably when two binaries have the same name. Additionally comm can be modified by a program, for example, comm="(tor)" or comm=4143504920506F6C6C6572 (= ACPI Poller). Signed-off-by: Maxime Bélair <maxime.belair@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/task.c32
1 files changed, 32 insertions, 0 deletions
diff --git a/security/apparmor/task.c b/security/apparmor/task.c
index c9bc9cc69475..0db0e81b4600 100644
--- a/security/apparmor/task.c
+++ b/security/apparmor/task.c
@@ -15,6 +15,7 @@
#include <linux/gfp.h>
#include <linux/ptrace.h>
+#include "include/path.h"
#include "include/audit.h"
#include "include/cred.h"
#include "include/policy.h"
@@ -300,16 +301,47 @@ int aa_may_ptrace(const struct cred *tracer_cred, struct aa_label *tracer,
xrequest, &sa));
}
+static const char *get_current_exe_path(char *buffer, int buffer_size)
+{
+ struct file *exe_file;
+ struct path p;
+ const char *path_str;
+
+ exe_file = get_task_exe_file(current);
+ if (!exe_file)
+ return ERR_PTR(-ENOENT);
+ p = exe_file->f_path;
+ path_get(&p);
+
+ if (aa_path_name(&p, FLAG_VIEW_SUBNS, buffer, &path_str, NULL, NULL))
+ return ERR_PTR(-ENOMEM);
+
+ fput(exe_file);
+ path_put(&p);
+
+ return path_str;
+}
+
/* call back to audit ptrace fields */
static void audit_ns_cb(struct audit_buffer *ab, void *va)
{
struct apparmor_audit_data *ad = aad_of_va(va);
+ char *buffer;
+ const char *path;
if (ad->request & AA_USERNS_CREATE)
audit_log_format(ab, " requested=\"userns_create\"");
if (ad->denied & AA_USERNS_CREATE)
audit_log_format(ab, " denied=\"userns_create\"");
+
+ buffer = aa_get_buffer(false);
+ if (!buffer)
+ return; // OOM
+ path = get_current_exe_path(buffer, aa_g_path_max);
+ if (!IS_ERR(path))
+ audit_log_format(ab, " execpath=\"%s\"", path);
+ aa_put_buffer(buffer);
}
int aa_profile_ns_perm(struct aa_profile *profile,