Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 556d0be7 authored by John Johansen's avatar John Johansen
Browse files

apparmor: add an optional profile attachment string for profiles 



Add the ability to take in and report a human readable profile attachment
string for profiles so that attachment specifications can be easily
inspected.

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
Acked-by: default avatarSeth Arnold <seth.arnold@canonical.com>
parent 0d259f04

security/apparmor/apparmorfs.c

+34 −0
Original line number Diff line number Diff line
@@ -290,6 +290,34 @@ static const struct file_operations aa_fs_profmode_fops = { 
	.release	= aa_fs_seq_profile_release,

};



static int aa_fs_seq_profattach_show(struct seq_file *seq, void *v)

{

	struct aa_replacedby *r = seq->private;

	struct aa_profile *profile = aa_get_profile_rcu(&r->profile);

	if (profile->attach)

		seq_printf(seq, "%s\n", profile->attach);

	else if (profile->xmatch)

		seq_puts(seq, "<unknown>\n");

	else

		seq_printf(seq, "%s\n", profile->base.name);

	aa_put_profile(profile);



	return 0;

}



static int aa_fs_seq_profattach_open(struct inode *inode, struct file *file)

{

	return aa_fs_seq_profile_open(inode, file, aa_fs_seq_profattach_show);

}



static const struct file_operations aa_fs_profattach_fops = {

	.owner		= THIS_MODULE,

	.open		= aa_fs_seq_profattach_open,

	.read		= seq_read,

	.llseek		= seq_lseek,

	.release	= aa_fs_seq_profile_release,

};



/** fns to setup dynamic per profile/namespace files **/

void __aa_fs_profile_rmdir(struct aa_profile *profile)

{
@@ -385,6 +413,12 @@ int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) 
		goto fail;

	profile->dents[AAFS_PROF_MODE] = dent;



	dent = create_profile_file(dir, "attach", profile,

				   &aa_fs_profattach_fops);

	if (IS_ERR(dent))

		goto fail;

	profile->dents[AAFS_PROF_ATTACH] = dent;



	list_for_each_entry(child, &profile->base.profiles, base.list) {

		error = __aa_fs_profile_mkdir(child, prof_child_dir(profile));

		if (error)

security/apparmor/include/apparmorfs.h

+1 −0
Original line number Diff line number Diff line
@@ -81,6 +81,7 @@ enum aafs_prof_type { 
	AAFS_PROF_PROFS,

	AAFS_PROF_NAME,

	AAFS_PROF_MODE,

	AAFS_PROF_ATTACH,

	AAFS_PROF_SIZEOF,

};

security/apparmor/include/policy.h

+2 −0
Original line number Diff line number Diff line
@@ -165,6 +165,7 @@ struct aa_replacedby { 
 * @ns: namespace the profile is in

 * @replacedby: is set to the profile that replaced this profile

 * @rename: optional profile name that this profile renamed

 * @attach: human readable attachment string

 * @xmatch: optional extended matching for unconfined executables names

 * @xmatch_len: xmatch prefix len, used to determine xmatch priority

 * @audit: the auditing mode of the profile
@@ -204,6 +205,7 @@ struct aa_profile { 
	struct aa_replacedby *replacedby;

	const char *rename;



	const char *attach;

	struct aa_dfa *xmatch;

	int xmatch_len;

	enum audit_mode audit;

security/apparmor/policy_unpack.c

+3 −0
Original line number Diff line number Diff line
@@ -492,6 +492,9 @@ static struct aa_profile *unpack_profile(struct aa_ext *e) 
	/* profile renaming is optional */

	(void) unpack_str(e, &profile->rename, "rename");



	/* attachment string is optional */

	(void) unpack_str(e, &profile->attach, "attach");



	/* xmatch is optional and may be NULL */

	profile->xmatch = unpack_dfa(e);

	if (IS_ERR(profile->xmatch)) {