
Commit 26b78995 authored by John Johansen's avatar John Johansen

apparmor: add support for absolute root view based labels



With apparmor policy virtualization based on policy namespace views,
we don't generally want/need absolute root based views; however, there
are cases like debugging and some secid based conversions where
using a root based view is important.

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
Acked-by: default avatarSeth Arnold <seth.arnold@canonical.com>
parent f872af75
+1 −0
@@ -310,6 +310,7 @@ bool aa_update_label_name(struct aa_ns *ns, struct aa_label *label, gfp_t gfp);
#define FLAG_SHOW_MODE 1
#define FLAG_VIEW_SUBNS 2
#define FLAG_HIDDEN_UNCONFINED 4
#define FLAG_ABS_ROOT 8
int aa_label_snxprint(char *str, size_t size, struct aa_ns *view,
		      struct aa_label *label, int flags);
int aa_label_asxprint(char **strp, struct aa_ns *ns, struct aa_label *label,
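Review bot: FLAG_ABS_ROOT is added without a comment, although it overrides the `view` argument of aa_label_snxprint: the .c change on this page sets `ns = root_ns` whenever the flag is set, whatever namespace the caller passed. A caller that sets it on output returned to a task in a child policy namespace would show names that the task's own view hides (inferred, since no callers are on this page). I would state that next to the define, e.g. `#define FLAG_ABS_ROOT 8 /* ignore view: print from root_ns, prefixed with '=' */`, and note that it is meant for debugging and secid conversion paths only.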
+9 −1
@@ -1607,8 +1607,13 @@ int aa_label_snxprint(char *str, size_t size, struct aa_ns *ns,
	AA_BUG(!str && size != 0);
	AA_BUG(!label);

	if (!ns)
	if (flags & FLAG_ABS_ROOT) {
		ns = root_ns;
		len = snprintf(str, size, "=");
		update_for_len(total, len, size, str);
	} else if (!ns) {
		ns = labels_ns(label);
	}

	label_for_each(i, label, profile) {
		if (aa_ns_visible(ns, profile->ns, flags & FLAG_VIEW_SUBNS)) {
@@ -1868,6 +1873,9 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
		if (*str == '&')
			str++;
	}
	if (*str == '=')
		base = &root_ns->unconfined->label;

	error = vec_setup(profile, vec, len, gfp);
	if (error)
		return ERR_PTR(error);
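Review bot: In the aa_label_parse hunk, a leading `=` switches `base` to `&root_ns->unconfined->label` for every caller, whereas the print side is gated by FLAG_ABS_ROOT; nothing visible here limits which callers or which input may select the root view. If any string reaching this function originates from a confined or namespaced task (the callers are not on this page), the prefix would resolve names against root_ns instead of the task's own namespace, so I would require an explicit caller opt-in or reject the prefix when the original base is not already in root_ns, e.g. `if (*str == '=' && labels_ns(base) != root_ns) return ERR_PTR(-EINVAL);` ahead of the switch. Two smaller points: the `=` is not skipped the way `&` is just above, and the swap happens after the `&` branch has already run against the old base, so anything that branch derived from it should be re-checked. The function body starts and ends outside the hunk.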