AppArmor: compatibility patch for v5 network controll

Add compatibility for v5 network rules. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
author: John Johansen <john.johansen@canonical.com> 2010-10-04 18:03:36 -0400
committer: Leann Ogasawara <leann.ogasawara@canonical.com> 2011-08-30 13:15:04 -0400
commit: cdb102170c3c9792bca317df2dcb63692c4135bb (patch)
tree: fdd71f97807fe867bac6cb8aa477e399b0797315 /security/apparmor/include
parent: 77cbe5c70a0ab7e18d1f8b2af428554b92e8ed65 (diff)
2 files changed, 43 insertions, 0 deletions
diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
new file mode 100644
index 00000000000..3c7d5993ccf
--- /dev/null
+++ b/security/apparmor/include/net.h
@@ -0,0 +1,40 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor network mediation definitions.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+#ifndef __AA_NET_H
+#define __AA_NET_H
+#include <net/sock.h>
+/* struct aa_net - network confinement data
+ * @allowed: basic network families permissions
+ * @audit_network: which network permissions to force audit
+ * @quiet_network: which network permissions to quiet rejects
+ */
+struct aa_net {
+        u16 allow[AF_MAX];
+        u16 audit[AF_MAX];
+        u16 quiet[AF_MAX];
+};
+extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
+                       int type, int protocol, struct sock *sk);
+extern int aa_revalidate_sk(int op, struct sock *sk);
+static inline void aa_free_net_rules(struct aa_net *new)
+{
+        /* NOP */
+}
+#endif /* __AA_NET_H */
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index aeda5cf5690..67769294ffb 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -27,6 +27,7 @@
 #include "capability.h"
 #include "domain.h"
 #include "file.h"
+#include "net.h"
 #include "resource.h"
 extern const char *profile_mode_names[];
@@ -145,6 +146,7 @@ struct aa_namespace {
 * @size: the memory consumed by this profiles rules
 * @file: The set of rules governing basic file access and domain transitions
 * @caps: capabilities for the profile
+ * @net: network controls for the profile
 * @rlimits: rlimits for the profile
 *
 * The AppArmor profile contains the basic confinement data.  Each profile
@@ -181,6 +183,7 @@ struct aa_profile {
        struct aa_file_rules file;
        struct aa_caps caps;
+        struct aa_net net;
        struct aa_rlimit rlimits;
 };
author	John Johansen <john.johansen@canonical.com>	2010-10-04 18:03:36 -0400
committer	Leann Ogasawara <leann.ogasawara@canonical.com>	2011-08-30 13:15:04 -0400
commit	cdb102170c3c9792bca317df2dcb63692c4135bb (patch)
tree	fdd71f97807fe867bac6cb8aa477e399b0797315 /security/apparmor/include
parent	77cbe5c70a0ab7e18d1f8b2af428554b92e8ed65 (diff)

diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h new file mode 100644 index 00000000000..3c7d5993ccf --- /dev/null +++ b/security/apparmor/include/net.h
@@ -0,0 +1,40 @@
		1	/*
		2	* AppArmor security module
		3	*
		4	* This file contains AppArmor network mediation definitions.
		5	*
		6	* Copyright (C) 1998-2008 Novell/SUSE
		7	* Copyright 2009-2010 Canonical Ltd.
		8	*
		9	* This program is free software; you can redistribute it and/or
		10	* modify it under the terms of the GNU General Public License as
		11	* published by the Free Software Foundation, version 2 of the
		12	* License.
		13	*/
		14
		15	#ifndef __AA_NET_H
		16	#define __AA_NET_H
		17
		18	#include <net/sock.h>
		19
		20	/* struct aa_net - network confinement data
		21	* @allowed: basic network families permissions
		22	* @audit_network: which network permissions to force audit
		23	* @quiet_network: which network permissions to quiet rejects
		24	*/
		25	struct aa_net {
		26	u16 allow[AF_MAX];
		27	u16 audit[AF_MAX];
		28	u16 quiet[AF_MAX];
		29	};
		30
		31	extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
		32	int type, int protocol, struct sock *sk);
		33	extern int aa_revalidate_sk(int op, struct sock *sk);
		34
		35	static inline void aa_free_net_rules(struct aa_net *new)
		36	{
		37	/* NOP */
		38	}
		39
		40	#endif /* __AA_NET_H */


diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h index aeda5cf5690..67769294ffb 100644 --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h
@@ -27,6 +27,7 @@
27	#include "capability.h"	27	#include "capability.h"
28	#include "domain.h"	28	#include "domain.h"
29	#include "file.h"	29	#include "file.h"
		30	#include "net.h"
30	#include "resource.h"	31	#include "resource.h"
31		32
32	extern const char *profile_mode_names[];	33	extern const char *profile_mode_names[];
@@ -145,6 +146,7 @@ struct aa_namespace {
145	* @size: the memory consumed by this profiles rules	146	* @size: the memory consumed by this profiles rules
146	* @file: The set of rules governing basic file access and domain transitions	147	* @file: The set of rules governing basic file access and domain transitions
147	* @caps: capabilities for the profile	148	* @caps: capabilities for the profile
		149	* @net: network controls for the profile
148	* @rlimits: rlimits for the profile	150	* @rlimits: rlimits for the profile
149	*	151	*
150	* The AppArmor profile contains the basic confinement data. Each profile	152	* The AppArmor profile contains the basic confinement data. Each profile
@@ -181,6 +183,7 @@ struct aa_profile {
181		183
182	struct aa_file_rules file;	184	struct aa_file_rules file;
183	struct aa_caps caps;	185	struct aa_caps caps;
		186	struct aa_net net;
184	struct aa_rlimit rlimits;	187	struct aa_rlimit rlimits;
185	};	188	};
186		189