Add the ability to take in and report a human readable profile attachment
string.
Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-By: Seth Arnold <seth.arn...@canonical.com>
---
security/apparmor/apparmorfs.c | 34 ++++++++++++++++++++++++++++++++
security/apparmor/include/apparmorfs.h | 1 +
security/apparmor/include/policy.h | 2 ++
security/apparmor/policy_unpack.c | 3 +++
4 files changed, 40 insertions(+)
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index da1d502..7cdb6a7 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -290,6 +290,34 @@ const struct file_operations aa_fs_profmode_fops = {
.release = aa_fs_seq_profile_release,
};
+static int aa_fs_seq_profattach_show(struct seq_file *seq, void *v)
+{
+ struct aa_replacedby *r = seq->private;
+ struct aa_profile *profile = aa_get_profile_rcu(&r->profile);
+ if (profile->attach)
+ seq_printf(seq, "%s\n", profile->attach);
+ else if (profile->xmatch)
+ seq_printf(seq, "<unknown>\n");
+ else
+ seq_printf(seq, "%s\n", profile->base.name);
+ aa_put_profile(profile);
+
+ return 0;
+}
+
+static int aa_fs_seq_profattach_open(struct inode *inode, struct file *file)
+{
+ return aa_fs_seq_profile_open(inode, file, aa_fs_seq_profattach_show);
+}
+
+const struct file_operations aa_fs_profattach_fops = {
+ .owner = THIS_MODULE,
+ .open = aa_fs_seq_profattach_open,
+ .read = seq_read,
+ .llseek = seq_lseek,
+ .release = aa_fs_seq_profile_release,
+};
+
/** fns to setup dynamic per profile/namespace files **/
void __aa_fs_profile_rmdir(struct aa_profile *profile)
{
@@ -383,6 +411,12 @@ int __aa_fs_profile_mkdir(struct aa_profile *profile,
struct dentry *parent)
goto fail;
profile->dents[AAFS_PROF_MODE] = dent;
+ dent = create_profile_file(dir, "attach", profile,
+ &aa_fs_profattach_fops);
+ if (IS_ERR(dent))
+ goto fail;
+ profile->dents[AAFS_PROF_ATTACH] = dent;
+
list_for_each_entry(child, &profile->base.profiles, base.list) {
error = __aa_fs_profile_mkdir(child, prof_child_dir(profile));
if (error)
diff --git a/security/apparmor/include/apparmorfs.h
b/security/apparmor/include/apparmorfs.h
index 2494e11..f91712c 100644
--- a/security/apparmor/include/apparmorfs.h
+++ b/security/apparmor/include/apparmorfs.h
@@ -81,6 +81,7 @@ enum aafs_prof_type {
AAFS_PROF_PROFS,
AAFS_PROF_NAME,
AAFS_PROF_MODE,
+ AAFS_PROF_ATTACH,
AAFS_PROF_SIZEOF,
};
diff --git a/security/apparmor/include/policy.h
b/security/apparmor/include/policy.h
index 8b7fd45..4bebbbd 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -164,6 +164,7 @@ struct aa_replacedby {
* @ns: namespace the profile is in
* @replacedby: is set to the profile that replaced this profile
* @rename: optional profile name that this profile renamed
+ * @attach: human readable attachment string
* @xmatch: optional extended matching for unconfined executables names
* @xmatch_len: xmatch prefix len, used to determine xmatch priority
* @audit: the auditing mode of the profile
@@ -203,6 +204,7 @@ struct aa_profile {
struct aa_replacedby *replacedby;
const char *rename;
+ const char *attach;
struct aa_dfa *xmatch;
int xmatch_len;
enum audit_mode audit;
diff --git a/security/apparmor/policy_unpack.c
b/security/apparmor/policy_unpack.c
index 99c4f85..9970ff3 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -491,6 +491,9 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
/* profile renaming is optional */
(void) unpack_str(e, &profile->rename, "rename");
+ /* attachment string is optional */
+ (void) unpack_str(e, &profile->attach, "attach");
+
/* xmatch is optional and may be NULL */
profile->xmatch = unpack_dfa(e);
if (IS_ERR(profile->xmatch)) {
--
1.7.10.4
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
