| author | Kees Cook <kees@outflux.net> | 2012-01-26 19:29:21 -0500 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2012-02-27 14:38:17 -0500 |
| commit | e74abcf3359d0130e99a6511ac484a3ea9e6e988 (patch) | |
| tree | 53b512c463f58546f810f7db876b81bebf4c786a /security/apparmor | |
| parent | 9acd494be9387b0608612cd139967201dd7a4e12 (diff) | |
AppArmor: add initial "features" directory to securityfs
This adds the "features" subdirectory to the AppArmor securityfs
to display boolean feature flags and the known capability mask.
Signed-off-by: Kees Cook <kees@ubuntu.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor')
| -rw-r--r-- | security/apparmor/apparmorfs.c | 51 | ||||
| -rw-r--r-- | security/apparmor/include/apparmorfs.h | 14 |
2 files changed, 65 insertions, 0 deletions
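--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -18,6 +18,7 @@
 #include <linux/seq_file.h>
 #include <linux/uaccess.h>
 #include <linux/namei.h>
+#include <linux/capability.h>
 
 #include "include/apparmor.h"
 #include "include/apparmorfs.h"
@@ -142,12 +143,62 @@ static const struct file_operations aa_fs_profile_remove = {
 	.llseek = default_llseek,
 };
 
+static int aa_fs_seq_show(struct seq_file *seq, void *v)
+{
+	struct aa_fs_entry *fs_file = seq->private;
+
+	if (!fs_file)
+		return 0;
+
+	switch (fs_file->v_type) {
+	case AA_FS_TYPE_BOOLEAN:
+		seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no");
+		break;
+	case AA_FS_TYPE_U64:
+		seq_printf(seq, "%#08lx\n", fs_file->v.u64);
+		break;
+	default:
+		/* Ignore unpritable entry types. */
+		break;
+	}
+
+	return 0;
+}
+
+static int aa_fs_seq_open(struct inode *inode, struct file *file)
+{
+	return single_open(file, aa_fs_seq_show, inode->i_private);
+}
+
+const struct file_operations aa_fs_seq_file_ops = {
+	.owner = THIS_MODULE,
+	.open = aa_fs_seq_open,
+	.read = seq_read,
+	.llseek = seq_lseek,
+	.release = single_release,
+};
+
 /** Base file system setup **/
 
+static struct aa_fs_entry aa_fs_entry_domain[] = {
+	AA_FS_FILE_BOOLEAN("change_hat", 1),
+	AA_FS_FILE_BOOLEAN("change_hatv", 1),
+	AA_FS_FILE_BOOLEAN("change_onexec", 1),
+	AA_FS_FILE_BOOLEAN("change_profile", 1),
+	{ }
+};
+
+static struct aa_fs_entry aa_fs_entry_features[] = {
+	AA_FS_DIR("domain", aa_fs_entry_domain),
+	AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
+	{ }
+};
+
 static struct aa_fs_entry aa_fs_entry_apparmor[] = {
 	AA_FS_FILE_FOPS(".load", 0640, &aa_fs_profile_load),
 	AA_FS_FILE_FOPS(".replace", 0640, &aa_fs_profile_replace),
 	AA_FS_FILE_FOPS(".remove", 0640, &aa_fs_profile_remove),
+	AA_FS_DIR("features", aa_fs_entry_features),
 	{ }
 };
 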
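Review bot: The AA_FS_TYPE_U64 case in aa_fs_seq_show prints `fs_file->v.u64` with `%#08lx`, but the union member is declared `unsigned long` in the apparmorfs.h hunk of this same commit, so on 32-bit kernels the value named "u64" is only 32 bits wide and the output width differs between architectures; declaring the member with the kernel `u64` type and printing it as `seq_printf(seq, "%#016llx\n", (unsigned long long)fs_file->v.u64);` would give user space a fixed-width value everywhere. The value exposed as the "capability" feature is VFS_CAP_FLAGS_MASK, which as far as I recall masks the flag bits of the vfs capability xattr header rather than enumerating the capabilities the kernel knows, so it is worth confirming that it is what the description's "known capability mask" intends and adding a one-line comment on that entry stating what the mask represents. The default branch comment has a typo and should read `/* Ignore unprintable entry types. */`.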
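--- a/security/apparmor/include/apparmorfs.h
+++ b/security/apparmor/include/apparmorfs.h
@@ -16,6 +16,8 @@
 #define __AA_APPARMORFS_H
 
 enum aa_fs_type {
+	AA_FS_TYPE_BOOLEAN,
+	AA_FS_TYPE_U64,
 	AA_FS_TYPE_FOPS,
 	AA_FS_TYPE_DIR,
 };
@@ -28,11 +30,23 @@ struct aa_fs_entry {
 	umode_t mode;
 	enum aa_fs_type v_type;
 	union {
+		bool boolean;
+		unsigned long u64;
 		struct aa_fs_entry *files;
 	} v;
 	const struct file_operations *file_ops;
 };
 
+extern const struct file_operations aa_fs_seq_file_ops;
+
+#define AA_FS_FILE_BOOLEAN(_name, _value) \
+	{ .name = (_name), .mode = 0444, \
+	  .v_type = AA_FS_TYPE_BOOLEAN, .v.boolean = (_value), \
+	  .file_ops = &aa_fs_seq_file_ops }
+#define AA_FS_FILE_U64(_name, _value) \
+	{ .name = (_name), .mode = 0444, \
+	  .v_type = AA_FS_TYPE_U64, .v.u64 = (_value), \
+	  .file_ops = &aa_fs_seq_file_ops }
 #define AA_FS_FILE_FOPS(_name, _mode, _fops) \
 	{ .name = (_name), .v_type = AA_FS_TYPE_FOPS, \
 	  .mode = (_mode), .file_ops = (_fops) }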
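Review bot: The new union members of struct aa_fs_entry carry no comment saying which v_type selects each of them, and nothing states that a mismatched v_type/member pair is silently shown as nothing by the seq_file show routine; a member comment such as `/* AA_FS_TYPE_BOOLEAN: printed as "yes"/"no" */` and `/* AA_FS_TYPE_U64: printed as hex */` would make the table entries self-explaining. AA_FS_FILE_BOOLEAN and AA_FS_FILE_U64 fix the mode at 0444 while the existing AA_FS_FILE_FOPS takes it as a parameter; if the intent is that feature files are always world-readable and never writable, a short comment above the two macros saying so would document that choice rather than leaving it to be inferred from the constant. Note also that inserting the two enumerators ahead of AA_FS_TYPE_FOPS renumbers the existing values, which is harmless only as long as nothing persists or exports the numeric v_type. struct aa_fs_entry begins before this hunk.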
