So, yet another patch that has just been sitting in the queue, mostly
waiting on the userspace feature-buffer size fix that rolled out a while ago.

---

apparmor: export set of capabilities supported by the apparmor module

This exports the set of capability names as generated by the kernel
so that the policy compiler can support capability names as keywords
dynamically when the kernel picks up new capabilities.

Signed-off-by: John Johansen <john.johan...@canonical.com>

diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
index 5706b74..0831e04 100644
--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
@@ -18,7 +18,11 @@ quiet_cmd_make-caps = GEN     $@
 cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\
        sed $< >>$@ -r -n -e '/CAP_FS_MASK/d' \
        -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\
-       echo "};" >> $@
+       echo "};" >> $@ ;\
+       echo -n '\#define AA_FS_CAPS_MASK "' >> $@ ;\
+       sed $< -r -n -e '/CAP_FS_MASK/d' \
+           -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/\L\1/p' | \
+            tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
 
 
 # Build a lower case string table of rlimit names.
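Review bot: The new `echo -n` on the `AA_FS_CAPS_MASK` line is not portable: POSIX leaves `-n` implementation-defined, and on a `/bin/sh` whose `echo` does not honour it the literal `-n ` lands at the start of the generated `#define`, which will not compile. The usual kernel-build replacement is `printf '%s' '\#define AA_FS_CAPS_MASK "' >> $@ ;\`, which also avoids any backslash-escape interpretation of the quoted text. The second sed invocation repeats the match pattern of the first; an edit to one that misses the other would let the `capability_names[]` table and the mask string disagree, so a comment such as `# keep this pattern in sync with the capability_names[] rule above` (or factoring the pattern into a make variable) is worth adding. The `cmd_make-caps` definition is fully inside this hunk.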
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 7a26608..d708a55 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -773,6 +773,7 @@ static struct aa_fs_entry aa_fs_entry_features[] = {
        AA_FS_DIR("file",                       aa_fs_entry_file),
        AA_FS_FILE_U64("capability",            VFS_CAP_FLAGS_MASK),
        AA_FS_DIR("rlimit",                     aa_fs_entry_rlimit),
+       AA_FS_DIR("caps",                       aa_fs_entry_caps),
        { }
 };
 
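Review bot: The new `caps` entry references `aa_fs_entry_caps`, which this patch declares in include/capability.h, but the hunk adds no include to apparmorfs.c; if the file does not already include "capability.h" (its include list is not visible here) the reference will not compile. There is also a naming hazard: the existing `capability` file, which exports `VFS_CAP_FLAGS_MASK` as a u64, now sits directly next to a `caps` directory and nothing in the table says how the two differ. A comment on the new line, `/* caps/mask: generated, space-separated list of capability names known to this kernel */`, would keep them apart for the next reader. The `aa_fs_entry_features[]` array starts before this hunk.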
diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
index 887a5e9..84d1f5f 100644
--- a/security/apparmor/capability.c
+++ b/security/apparmor/capability.c
@@ -27,6 +27,11 @@
  */
 #include "capability_names.h"
 
+struct aa_fs_entry aa_fs_entry_caps[] = {
+       AA_FS_FILE_STRING("mask", AA_FS_CAPS_MASK),
+       { }
+};
+
 struct audit_cache {
        struct aa_profile *profile;
        kernel_cap_t caps;
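Review bot: `aa_fs_entry_caps[]` introduces a new userspace-visible format without documenting it; `AA_FS_CAPS_MASK` is produced by the Makefile rule as a single space-separated line of lower-cased capability names, and the policy-compiler side needs that contract spelled out. A comment above the array would cover it: `/* features/caps/mask: space-separated, lower-case names of the capabilities in the kernel's capability header, taken from the generated capability_names.h; lets the policy compiler learn new caps without a userspace update. */`. Whether `AA_FS_FILE_STRING` is in scope here depends on capability.h's new include of apparmorfs.h reaching this file; capability.c's own include list is outside the hunk, so that is worth confirming. The `struct audit_cache` definition begins at the end of the hunk and continues beyond it.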
diff --git a/security/apparmor/include/capability.h 
b/security/apparmor/include/capability.h
index c24d295..2e7c9d6 100644
--- a/security/apparmor/include/capability.h
+++ b/security/apparmor/include/capability.h
@@ -17,6 +17,8 @@
 
 #include <linux/sched.h>
 
+#include "apparmorfs.h"
+
 struct aa_profile;
 
 /* aa_caps - confinement data for capabilities
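Review bot: The new `#include "apparmorfs.h"` makes every consumer of capability.h pull in the apparmorfs definitions solely so the `extern struct aa_fs_entry aa_fs_entry_caps[]` declaration further down has a complete element type (GCC rejects an extern array of an incomplete struct, so a bare forward declaration is not an option). If apparmorfs.h includes capability.h, directly or via another header, the include guards will break the cycle but the array declaration can then be reached before `struct aa_fs_entry` is defined; neither header is visible here, so that ordering is worth checking. Declaring the extern in apparmorfs.h next to the other feature tables and dropping this include would sidestep the question; otherwise a comment on the include, `/* for struct aa_fs_entry (aa_fs_entry_caps below) */`, explains why it is there.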
@@ -34,6 +36,8 @@ struct aa_caps {
        kernel_cap_t extended;
 };
 
+extern struct aa_fs_entry aa_fs_entry_caps[];
+
 int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap,
               int audit);
 
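Review bot: The new `extern struct aa_fs_entry aa_fs_entry_caps[];` has no comment saying what it is or where it lives, unlike the function prototypes around it. A one-liner above it, `/* features/caps/ apparmorfs entries, defined in capability.c */`, ties the declaration to its definition and to the apparmorfs table that consumes it.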
