[apparmor] [PATCH 18/18] apparmor: add an optional profile attachment string
Seth Arnold
seth.arnold at gmail.com
Fri Jul 27 07:56:51 UTC 2012
NAK
AAFS_PROF_MODE saves the wrong dent.
-----Original Message-----
From: John Johansen <john.johansen at canonical.com>
Sender: apparmor-bounces at lists.ubuntu.com
Date: Thu, 26 Jul 2012 21:28:16
To: <apparmor at lists.ubuntu.com>
Subject: [apparmor] [PATCH 18/18] apparmor: add an optional profile
attachment string
Add the ability to take in and report a human readable profile attachment
string.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
security/apparmor/apparmorfs.c | 10 ++++++++++
security/apparmor/include/apparmorfs.h | 1 +
security/apparmor/include/policy.h | 2 ++
security/apparmor/policy_unpack.c | 3 +++
4 files changed, 16 insertions(+)
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 76d107f..dcbc12c 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -277,6 +277,16 @@ int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent)
&profile->mode, &aa_fs_seq_mode_fops);
if (IS_ERR(dent))
goto fail;
+
+ if (profile->attach) {
+ dent = securityfs_create_file("attach", S_IFREG | 0444, dir,
+ &profile->attach,
+ &aa_fs_seq_string_fops);
+ if (IS_ERR(dent))
+ goto fail;
+ profile->dents[AAFS_PROF_ATTACH] = dent;
+ }
+
profile->dents[AAFS_PROF_MODE] = dent;
list_for_each_entry(child, &profile->base.profiles, base.list) {
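Review bot: The new `if (profile->attach)` block makes `dents[AAFS_PROF_ATTACH]` the first conditionally populated slot visible in this function, and nothing in the hunk documents that. I would add a comment above the block such as `/* optional: only profiles loaded with an attach string get this file, so dents[AAFS_PROF_ATTACH] may stay NULL */`. The code that walks `profile->dents[]` on removal and on the `fail:` path is not shown here, so it is worth confirming that it tolerates an unset entry. __aa_fs_profile_mkdir() starts before and continues past this hunk.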
diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
index e08869a..1dbf9a3 100644
--- a/security/apparmor/include/apparmorfs.h
+++ b/security/apparmor/include/apparmorfs.h
@@ -78,6 +78,7 @@ enum aafs_prof_type {
AAFS_PROF_PROFS,
AAFS_PROF_NAME,
AAFS_PROF_MODE,
+ AAFS_PROF_ATTACH,
AAFS_PROF_LEN,
};
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 6dc51c9..2ba5b74 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -149,6 +149,7 @@ struct aa_policydb {
* @ns: namespace the profile is in
* @replacedby: is set to the profile that replaced this profile
* @rename: optional profile name that this profile renamed
+ * @attach: human readable attachment string
* @xmatch: optional extended matching for unconfined executables names
* @xmatch_len: xmatch prefix len, used to determine xmatch priority
* @sid: the unique security id number of this profile
@@ -188,6 +189,7 @@ struct aa_profile {
struct aa_profile *replacedby;
const char *rename;
+ const char *attach;
struct aa_dfa *xmatch;
int xmatch_len;
u32 sid;
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 142e26a..1dd590b 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -492,6 +492,9 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
/* profile renaming is optional */
(void) unpack_str(e, &profile->rename, "rename");
+ /* attachment string is optional */
+ (void) unpack_str(e, &profile->attach, "attach");
+
/* xmatch is optional and may be NULL */
profile->xmatch = unpack_dfa(e);
if (IS_ERR(profile->xmatch)) {
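Review bot: The pointer stored by `(void) unpack_str(e, &profile->attach, "attach");` has no stated owner or release path in this patch: none of the four files touched frees `profile->attach`, and the policy.h comment says only "human readable attachment string". unpack_str() is not shown here. If it returns a pointer into the load buffer `e` rather than a copy, the 0444 `attach` file created in apparmorfs.c could later read memory whose lifetime is tied to that buffer; if it allocates, the string needs a matching free where the profile is released. I would record the ownership in the kernel-doc, e.g. `@attach: optional human readable attachment string, owned and freed with the profile`, and add the free (or use a copying unpack) to match. unpack_profile() starts and ends outside this hunk.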
--
1.7.10.4