[apparmor] RFC [patch 6/10] Add stub rules to indicate compilation support for given features

John Johansen john.johansen at canonical.com
Thu Feb 13 01:01:32 UTC 2014


Add stub rules to indicate compilation support for given features.

Policy enforcement needs to be able to support older userspaces and
compilers that don't know about new features. The absence of a feature
in the policydb indicates that feature mediation is not present for
it.

We add stub rules that provide a non-0 start state for features that
are supported at compile time. This can be used by the kernel to
indicate that it should enforce a given feature. This does not indicate
the feature is allowed; in the absence of other rules for the feature,
the feature will be denied.

Signed-off-by: John Johansen <john.johansen at canonical.com>




---
 parser/parser_regex.c |   20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

--- 2.9-test.orig/parser/parser_regex.c
+++ 2.9-test/parser/parser_regex.c
@@ -673,6 +673,12 @@
 	return TRUE;
 }
 
+#define MAKE_STR(X) #X
+#define CLASS_STR(X) "\\d" MAKE_STR(X)
+
+static const char *mediates_mount = CLASS_STR(AA_CLASS_MOUNT);
+static const char *mediates_dbus =  CLASS_STR(AA_CLASS_DBUS);
+
 int process_profile_policydb(Profile *prof)
 {
 	int error = -1;
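Review bot: the two macros at the top of this hunk carry no comment, and the construction is subtle enough to deserve one: `CLASS_STR(AA_CLASS_MOUNT)` only yields the numeric class value because `AA_CLASS_MOUNT` is fully expanded as an argument of `CLASS_STR` before the inner `MAKE_STR(X) #X` stringizes it, so a reader who "simplifies" this to a single `#X` macro would silently get the literal text `"\\dAA_CLASS_MOUNT"` in the rule. A one-line comment stating that the string is the `\d<decimal>` class-byte prefix the policydb rules start with, and that the indirection is deliberate, would save the next maintainer that trap. Minor style point: `mediates_dbus =  CLASS_STR(AA_CLASS_DBUS);` has a doubled space after `=`.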
@@ -684,6 +690,20 @@
 	if (!post_process_policydb_ents(prof))
 		goto out;
 
+	/* insert entries to show indicate what compiler/policy expects
+	 * to be supported
+	 */
+
+	if (kernel_supports_mount &&
+	    !aare_add_rule(prof->policy.rules, mediates_mount, 0, AA_MAY_READ, 0, dfaflags)) {
+		prof->policy.count++;
+		goto out;
+	}
+	if (kernel_supports_dbus &&
+	    !aare_add_rule(prof->policy.rules, mediates_dbus, 0, AA_MAY_READ, 0, dfaflags)) {
+		prof->policy.count++;
+		goto out;
+	}
 	if (prof->policy.count > 0) {
 		prof->policy.dfa = aare_create_dfa(prof->policy.rules,
 						  &prof->policy.size,
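Review bot: the `prof->policy.count++` in both stub blocks looks like it is on the wrong branch. As written the count is only bumped when `aare_add_rule()` fails, immediately before `goto out` with `error` still `-1`, where it has no effect; on success the count is untouched, so a profile whose only policydb entries are these stubs stays at `count == 0` and skips the `aare_create_dfa()` call right below, which defeats the purpose of signalling compile-time support. The intended shape is presumably:
`if (kernel_supports_mount) {`
`	if (!aare_add_rule(prof->policy.rules, mediates_mount, 0, AA_MAY_READ, 0, dfaflags)) goto out;`
`	prof->policy.count++; }`
and the same for the dbus stub. Also, the introductory comment reads "to show indicate what compiler/policy expects"; drop one of "show"/"indicate".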
