authorJohn Johansen <john.johansen@canonical.com>2013-02-18 19:10:34 -0500
committerJohn Johansen <john.johansen@canonical.com>2013-04-28 03:37:13 -0400
commita4987857d2c958b93b2faafe0811eea1a63ff59a (patch)
treeaa140446d01ddecc209415720ef77dc9c7777ca2 /security/apparmor/include
parent180a6f5965a49535a7704c07691a6d1209904971 (diff)
apparmor: remove sid from profiles
The sid is not going to be a direct property of a profile anymore; instead it will be directly related to the label, and the profile will pick up a label back reference. For null-profiles, replace the use of sid with a per-namespace unique id. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
Diffstat (limited to 'security/apparmor/include')
-rw-r--r--security/apparmor/include/policy.h4
-rw-r--r--security/apparmor/include/sid.h4
2 files changed, 5 insertions, 3 deletions
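--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -105,6 +105,7 @@ struct aa_ns_acct {
  * @acct: accounting for the namespace
  * @unconfined: special unconfined profile for the namespace
  * @sub_ns: list of namespaces under the current namespace.
+ * @uniq_null: uniq value used for null learning profiles
  *
  * An aa_namespace defines the set profiles that are searched to determine
  * which profile to attach to a task. Profiles can not be shared between
@@ -127,6 +128,7 @@ struct aa_namespace {
 	struct aa_ns_acct acct;
 	struct aa_profile *unconfined;
 	struct list_head sub_ns;
+	atomic_t uniq_null;
 };
 
 /* struct aa_policydb - match engine for a policy
@@ -148,7 +150,6 @@ struct aa_policydb {
  * @rename: optional profile name that this profile renamed
  * @xmatch: optional extended matching for unconfined executables names
  * @xmatch_len: xmatch prefix len, used to determine xmatch priority
- * @sid: the unique security id number of this profile
  * @audit: the auditing mode of the profile
  * @mode: the enforcement mode of the profile
  * @flags: flags controlling profile behavior
@@ -184,7 +185,6 @@ struct aa_profile {
 
 	struct aa_dfa *xmatch;
 	int xmatch_len;
-	u32 sid;
 	enum audit_mode audit;
 	enum profile_mode mode;
 	u32 flags;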
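Review bot: The new `atomic_t uniq_null` member added to struct aa_namespace in the second hunk has no initialisation or wrap handling visible in this header-only diffstat; if the allocator in policy.c bumps it with atomic_inc_return() and never checks for wrap, the 32-bit counter would eventually hand two null learning profiles the same id, which is worth either a check or a comment saying collisions are tolerated. The kernel-doc line added in the first hunk is also terse; I would make it state the contract, e.g. ` * @uniq_null: per-namespace counter used to give null learning profiles unique names`, adjusted to whatever policy.c actually guarantees. struct aa_namespace begins before the hunk, so its remaining members are not visible here.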
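--- a/security/apparmor/include/sid.h
+++ b/security/apparmor/include/sid.h
@@ -16,7 +16,9 @@
 
 #include <linux/types.h>
 
-struct aa_profile;
+/* sid value that will not be allocated */
+#define AA_SID_INVALID 0
+#define AA_SID_ALLOC AA_SID_INVALID
 
 u32 aa_alloc_sid(void);
 void aa_free_sid(u32 sid);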
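Review bot: `AA_SID_ALLOC` is defined as an alias of `AA_SID_INVALID`, but the only comment in the hunk (`/* sid value that will not be allocated */`) describes the invalid value, so a reader cannot tell why a second name exists or when to use it; presumably it marks a sid field that still needs a real value from aa_alloc_sid(). I would give it its own comment, e.g. `/* sid value requesting that a real sid be allocated */`, and confirm the wording against the callers. The hunk also drops the `struct aa_profile;` forward declaration; the two prototypes visible here only use u32, but any declaration later in the header that still takes a `struct aa_profile *` would now depend on that type being declared elsewhere.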