[apparmor] [PATCH 3/3] AppArmor: export known rlimit names/value mappings in securityfs
Kees Cook
kees at ubuntu.com
Sat Dec 31 09:07:15 UTC 2011
Since the parser needs to know which rlimits are known to the kernel,
export the name/value mappings via the "rlimit" subdirectory in the
securityfs "features" directory.
Signed-off-by: Kees Cook <kees at ubuntu.com>
---
security/apparmor/Makefile | 4 ++--
security/apparmor/apparmorfs.c | 19 ++++++++++++++++++-
security/apparmor/include/resource.h | 2 ++
3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
index 2dafe50..b877b4e 100644
--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
@@ -36,11 +36,11 @@ cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ;\
# to
# RLIMIT_STACK,
quiet_cmd_make-rlim = GEN $@
-cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ;\
+cmd_make-rlim = echo "const char *rlim_names[RLIM_NLIMITS] = {" > $@ ;\
sed $< >> $@ -r -n \
-e 's/^\# ?define[ \t]+(RLIMIT_([A-Z0-9_]+)).*/[\1] = "\L\2",/p';\
echo "};" >> $@ ;\
- echo "static const int rlim_map[] = {" >> $@ ;\
+ echo "static const int rlim_map[RLIM_NLIMITS] = {" >> $@ ;\
sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
echo "};" >> $@
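Review bot: Dropping `static` makes `rlim_names` a kernel-wide global symbol with no `aa_` prefix, unlike every other non-static identifier visible in this series (`aa_map_resource`, `aa_task_setrlimit`, `aa_create_aafs`, `aa_destroy_aafs`), so a clash with another subsystem's symbol of the same name is possible. Renaming it `aa_rlim_names` in the generated table, the `extern` in resource.h and the loop in apparmorfs.c would keep the module's convention. Separately, sizing the table to `RLIM_NLIMITS` while still filling it with designated initializers (`[\1] = "\L\2",`) means any `RLIMIT_*` index the sed pattern does not match stays NULL, which consumers of the table must be prepared for.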
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index e7ed75a..671f412 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -25,9 +25,11 @@
#include "include/audit.h"
#include "include/context.h"
#include "include/policy.h"
+#include "include/resource.h"
enum aa_fs_value {
AA_FS_TYPE_BOOLEAN,
+ AA_FS_TYPE_INTEGER,
AA_FS_TYPE_U64,
AA_FS_TYPE_FOPS,
AA_FS_TYPE_DIR,
@@ -42,6 +44,7 @@ struct aa_fs_entry {
enum aa_fs_value v_type;
union {
bool boolean;
+ int integer;
unsigned long u64;
struct aa_fs_entry *files;
} v;
@@ -177,6 +180,9 @@ static int aa_fs_seq_show(struct seq_file *seq, void *v)
seq_printf(seq, "%s\n", fs_file->v.boolean ?
"yes" : "no");
break;
+ case AA_FS_TYPE_INTEGER:
+ seq_printf(seq, "%d\n", fs_file->v.integer);
+ break;
case AA_FS_TYPE_U64:
seq_printf(seq, "%#08lx\n", fs_file->v.u64);
break;
@@ -217,6 +223,8 @@ static const struct file_operations aa_fs_seq_file_ops = {
#define AA_FS_DIR(_name, _value) \
{ .name = (_name), .v_type = AA_FS_TYPE_DIR, .v.files = (_value) }
+static struct aa_fs_entry aa_fs_entry_rlimit[RLIM_NLIMITS + 1] = { };
+
static struct aa_fs_entry aa_fs_entry_features[] = {
AA_FS_FILE_BOOLEAN("change_hat", 1),
AA_FS_FILE_BOOLEAN("change_hatv", 1),
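Review bot: The `+ 1` in `aa_fs_entry_rlimit[RLIM_NLIMITS + 1]` is not explained; the extra element is presumably the zeroed terminator that the directory walk stops on, mirroring the `{ }` entry that closes `aa_fs_entry_features`, and a reader has to find the loop in `aa_create_aafs` to learn that this table is filled at init time rather than statically. A one-line comment such as `/* Filled in by aa_create_aafs(); the +1 keeps a zeroed terminating entry. */` above the definition would make both points visible here.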
@@ -224,6 +232,7 @@ static struct aa_fs_entry aa_fs_entry_features[] = {
AA_FS_FILE_BOOLEAN("change_profile", 1),
AA_FS_FILE_BOOLEAN("namespaces", 1),
AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
+ AA_FS_DIR("rlimit", aa_fs_entry_rlimit),
{ }
};
@@ -346,7 +355,7 @@ void __init aa_destroy_aafs(void)
*/
int __init aa_create_aafs(void)
{
- int error;
+ int error, limit;
if (!apparmor_initialized)
return 0;
@@ -356,6 +365,14 @@ int __init aa_create_aafs(void)
return -EEXIST;
}
+ /* Populate rlimit name table. */
+ for (limit = 0; limit < RLIM_NLIMITS; ++limit) {
+ aa_fs_entry_rlimit[limit].name = rlim_names[limit];
+ aa_fs_entry_rlimit[limit].v_type = AA_FS_TYPE_INTEGER;
+ aa_fs_entry_rlimit[limit].v.integer = limit;
+ aa_fs_entry_rlimit[limit].file_ops = &aa_fs_seq_file_ops;
+ }
+
/* Populate fs tree. */
error = aafs_create_dir(&aa_fs_entry, NULL);
if (error)
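Review bot: The population loop assumes every slot of `rlim_names[0..RLIM_NLIMITS)` is non-NULL, but the Makefile generates that table with designated initializers, so any `RLIMIT_*` index the sed pattern misses is left NULL and would be handed to the directory creation as a file name. If such gaps are possible, skipping them while compacting the entries keeps the zeroed terminator reachable; if they are not, a comment stating that invariant on the loop would do. The rewrite below needs a second counter declared next to `limit` in the earlier hunk. aa_create_aafs begins and ends outside this hunk.
```c
	/* Populate rlimit name table, skipping any slot the generator left NULL. */
	for (limit = 0, count = 0; limit < RLIM_NLIMITS; ++limit) {
		if (!rlim_names[limit])
			continue;
		aa_fs_entry_rlimit[count].name = rlim_names[limit];
		aa_fs_entry_rlimit[count].v_type = AA_FS_TYPE_INTEGER;
		aa_fs_entry_rlimit[count].v.integer = limit;
		aa_fs_entry_rlimit[count].file_ops = &aa_fs_seq_file_ops;
		count++;
	}
	/* … unchanged: aafs_create_dir(&aa_fs_entry, NULL) and error handling … */
```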
diff --git a/security/apparmor/include/resource.h b/security/apparmor/include/resource.h
index 02baec7..665c413 100644
--- a/security/apparmor/include/resource.h
+++ b/security/apparmor/include/resource.h
@@ -32,6 +32,8 @@ struct aa_rlimit {
struct rlimit limits[RLIM_NLIMITS];
};
+extern const char *rlim_names[RLIM_NLIMITS];
+
int aa_map_resource(int resource);
int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *,
unsigned int resource, struct rlimit *new_rlim);
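Review bot: The new `extern const char *rlim_names[RLIM_NLIMITS];` carries no comment saying where the definition lives or how the table is laid out, which matters because the definition is generated rather than hand-written. A comment above it along the lines of `/* Lowercase RLIMIT_* names indexed by resource number; generated by the Makefile's make-rlim rule, so any unmatched index is NULL. */` would save the next reader a trip to the Makefile.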
--
1.7.2.3
--
Kees Cook