
apparmor: add an optional profile attachment string for profiles

Add the ability to take in and report a human readable profile attachment
string for profiles so that attachment specifications can be easily
inspected.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>

+40
+34
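--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -290,6 +290,34 @@
 	.release = aa_fs_seq_profile_release,
 };
 
+static int aa_fs_seq_profattach_show(struct seq_file *seq, void *v)
+{
+	struct aa_replacedby *r = seq->private;
+	struct aa_profile *profile = aa_get_profile_rcu(&r->profile);
+	if (profile->attach)
+		seq_printf(seq, "%s\n", profile->attach);
+	else if (profile->xmatch)
+		seq_puts(seq, "<unknown>\n");
+	else
+		seq_printf(seq, "%s\n", profile->base.name);
+	aa_put_profile(profile);
+
+	return 0;
+}
+
+static int aa_fs_seq_profattach_open(struct inode *inode, struct file *file)
+{
+	return aa_fs_seq_profile_open(inode, file, aa_fs_seq_profattach_show);
+}
+
+static const struct file_operations aa_fs_profattach_fops = {
+	.owner = THIS_MODULE,
+	.open = aa_fs_seq_profattach_open,
+	.read = seq_read,
+	.llseek = seq_lseek,
+	.release = aa_fs_seq_profile_release,
+};
+
 /** fns to setup dynamic per profile/namespace files **/
 void __aa_fs_profile_rmdir(struct aa_profile *profile)
 {
@@ -412,6 +384,12 @@
 	if (IS_ERR(dent))
 		goto fail;
 	profile->dents[AAFS_PROF_MODE] = dent;
+
+	dent = create_profile_file(dir, "attach", profile,
+				   &aa_fs_profattach_fops);
+	if (IS_ERR(dent))
+		goto fail;
+	profile->dents[AAFS_PROF_ATTACH] = dent;
 
 	list_for_each_entry(child, &profile->base.profiles, base.list) {
 		error = __aa_fs_profile_mkdir(child, prof_child_dir(profile));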
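Review bot: aa_fs_seq_profattach_show prints whatever "attach" string the policy blob carried and never cross-checks it against profile->xmatch, so a reader of the new attach file cannot tell whether the text agrees with the DFA that actually decides attachment; that is worth a comment so nobody treats the file as authoritative. The "<unknown>" branch also deserves a word: it fires when the profile has an xmatch DFA but no string, presumably policy compiled without the new field. I would put above the function: `/* attach file: the human readable attachment string supplied by policy, informational only — xmatch is what is enforced; "<unknown>" when the profile has an xmatch DFA but no string, else the profile name. */`. The profile returned by aa_get_profile_rcu() is dereferenced without a NULL test, which I assume mirrors the sibling profname/profmode show functions outside this hunk; if those do check, this one should too.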
+1
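--- a/security/apparmor/include/apparmorfs.h
+++ b/security/apparmor/include/apparmorfs.h
@@ -81,6 +81,7 @@
 	AAFS_PROF_PROFS,
 	AAFS_PROF_NAME,
 	AAFS_PROF_MODE,
+	AAFS_PROF_ATTACH,
 	AAFS_PROF_SIZEOF,
 };
 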
+2
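--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -165,6 +165,7 @@
  * @ns: namespace the profile is in
  * @replacedby: is set to the profile that replaced this profile
  * @rename: optional profile name that this profile renamed
+ * @attach: human readable attachment string
  * @xmatch: optional extended matching for unconfined executables names
  * @xmatch_len: xmatch prefix len, used to determine xmatch priority
  * @audit: the auditing mode of the profile
@@ -205,6 +204,7 @@
 	struct aa_replacedby *replacedby;
 	const char *rename;
 
+	const char *attach;
 	struct aa_dfa *xmatch;
 	int xmatch_len;
 	enum audit_mode audit;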
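Review bot: The new kernel-doc line `@attach: human readable attachment string` does not say the field is optional, yet the unpack side only fills it when the policy carries an "attach" entry and the apparmorfs reader tests it for NULL before printing; the neighbouring `@rename` line does say "optional". I would write `@attach: optional human readable attachment string, NULL when policy supplied none`. Who owns and frees the pointer is not stated either, and that is the detail a maintainer touching aa_free_profile will need. The struct aa_profile definition starts and ends outside this hunk.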
+3
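--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -492,6 +492,9 @@
 	/* profile renaming is optional */
 	(void) unpack_str(e, &profile->rename, "rename");
 
+	/* attachment string is optional */
+	(void) unpack_str(e, &profile->attach, "attach");
+
 	/* xmatch is optional and may be NULL */
 	profile->xmatch = unpack_dfa(e);
 	if (IS_ERR(profile->xmatch)) {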
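Review bot: Whether profile->attach now owns a copy or points into the loaded policy blob depends on unpack_str(), which is outside this hunk, and nothing in the diff touches aa_free_profile; so either the string leaks on profile teardown, or, if it aliases the blob, it dangles once the blob is released and is later read through seq_printf("%s") from apparmorfs. The `rename` call directly above takes the same path, so the lifetime rule should match whatever is done for `rename`, but that needs confirming against the unpack helper and the free path rather than assumed. Once confirmed I would record it at the call site, e.g. `/* attach is owned by the profile and released in aa_free_profile */` or `/* attach points into the policy blob; blob must outlive the profile */`, and add the matching release if it is missing. unpack_profile starts and ends outside the hunk.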