apparmor: add an optional profile attachment string for profiles

Add the ability to take in and report a human readable profile attachment string for profiles so that attachment specifications can be easily inspected. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
author: John Johansen <john.johansen@canonical.com> 2013-07-11 00:17:43 -0400
committer: John Johansen <john.johansen@canonical.com> 2013-08-14 14:42:07 -0400
commit: 556d0be74b19cb6288e5eb2f3216eac247d87968 (patch)
tree: a97b609d53713c4c2b534da7a5e1e62639939e11 /security/apparmor
parent: 0d259f043f5f60f74c4fd020aac190cb6450e918 (diff)
4 files changed, 40 insertions, 0 deletions
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 0fdd08c6ea59..d6329aa7aa98 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -290,6 +290,34 @@ static const struct file_operations aa_fs_profmode_fops = {
        .release        = aa_fs_seq_profile_release,
 };
+static int aa_fs_seq_profattach_show(struct seq_file *seq, void *v)
+{
+        struct aa_replacedby *r = seq->private;
+        struct aa_profile *profile = aa_get_profile_rcu(&r->profile);
+        if (profile->attach)
+                seq_printf(seq, "%s\n", profile->attach);
+        else if (profile->xmatch)
+                seq_puts(seq, "<unknown>\n");
+        else
+                seq_printf(seq, "%s\n", profile->base.name);
+        aa_put_profile(profile);
+        return 0;
+}
+static int aa_fs_seq_profattach_open(struct inode *inode, struct file *file)
+{
+        return aa_fs_seq_profile_open(inode, file, aa_fs_seq_profattach_show);
+}
+static const struct file_operations aa_fs_profattach_fops = {
+        .owner          = THIS_MODULE,
+        .open           = aa_fs_seq_profattach_open,
+        .read           = seq_read,
+        .llseek         = seq_lseek,
+        .release        = aa_fs_seq_profile_release,
+};
 /** fns to setup dynamic per profile/namespace files **/
 void __aa_fs_profile_rmdir(struct aa_profile *profile)
 {
@@ -385,6 +413,12 @@ int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent)
                goto fail;
        profile->dents[AAFS_PROF_MODE] = dent;
+        dent = create_profile_file(dir, "attach", profile,
+                                   &aa_fs_profattach_fops);
+        if (IS_ERR(dent))
+                goto fail;
+        profile->dents[AAFS_PROF_ATTACH] = dent;
        list_for_each_entry(child, &profile->base.profiles, base.list) {
                error = __aa_fs_profile_mkdir(child, prof_child_dir(profile));
                if (error)
diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
index 2494e112f2bf..f91712cf1b30 100644
--- a/security/apparmor/include/apparmorfs.h
+++ b/security/apparmor/include/apparmorfs.h
@@ -81,6 +81,7 @@ enum aafs_prof_type {
        AAFS_PROF_PROFS,
        AAFS_PROF_NAME,
        AAFS_PROF_MODE,
+        AAFS_PROF_ATTACH,
        AAFS_PROF_SIZEOF,
 };
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 5c72231d1c42..59b36372ae40 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -165,6 +165,7 @@ struct aa_replacedby {
 * @ns: namespace the profile is in
 * @replacedby: is set to the profile that replaced this profile
 * @rename: optional profile name that this profile renamed
+ * @attach: human readable attachment string
 * @xmatch: optional extended matching for unconfined executables names
 * @xmatch_len: xmatch prefix len, used to determine xmatch priority
 * @audit: the auditing mode of the profile
@@ -204,6 +205,7 @@ struct aa_profile {
        struct aa_replacedby *replacedby;
        const char *rename;
+        const char *attach;
        struct aa_dfa *xmatch;
        int xmatch_len;
        enum audit_mode audit;
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index cac0aa075787..bdaef2e1b2a0 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -492,6 +492,9 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
        /* profile renaming is optional */
        (void) unpack_str(e, &profile->rename, "rename");
+        /* attachment string is optional */
+        (void) unpack_str(e, &profile->attach, "attach");
        /* xmatch is optional and may be NULL */
        profile->xmatch = unpack_dfa(e);
        if (IS_ERR(profile->xmatch)) {
author	John Johansen <john.johansen@canonical.com>	2013-07-11 00:17:43 -0400
committer	John Johansen <john.johansen@canonical.com>	2013-08-14 14:42:07 -0400
commit	556d0be74b19cb6288e5eb2f3216eac247d87968 (patch)
tree	a97b609d53713c4c2b534da7a5e1e62639939e11 /security/apparmor
parent	0d259f043f5f60f74c4fd020aac190cb6450e918 (diff)

diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 0fdd08c6ea59..d6329aa7aa98 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c
@@ -290,6 +290,34 @@ static const struct file_operations aa_fs_profmode_fops = {
290	.release = aa_fs_seq_profile_release,	290	.release = aa_fs_seq_profile_release,
291	};	291	};
292		292
		293	static int aa_fs_seq_profattach_show(struct seq_file seq, void v)
		294	{
		295	struct aa_replacedby *r = seq->private;
		296	struct aa_profile *profile = aa_get_profile_rcu(&r->profile);
		297	if (profile->attach)
		298	seq_printf(seq, "%s\n", profile->attach);
		299	else if (profile->xmatch)
		300	seq_puts(seq, "<unknown>\n");
		301	else
		302	seq_printf(seq, "%s\n", profile->base.name);
		303	aa_put_profile(profile);
		304
		305	return 0;
		306	}
		307
		308	static int aa_fs_seq_profattach_open(struct inode inode, struct file file)
		309	{
		310	return aa_fs_seq_profile_open(inode, file, aa_fs_seq_profattach_show);
		311	}
		312
		313	static const struct file_operations aa_fs_profattach_fops = {
		314	.owner = THIS_MODULE,
		315	.open = aa_fs_seq_profattach_open,
		316	.read = seq_read,
		317	.llseek = seq_lseek,
		318	.release = aa_fs_seq_profile_release,
		319	};
		320
293	/ fns to setup dynamic per profile/namespace files /	321	/ fns to setup dynamic per profile/namespace files /
294	void __aa_fs_profile_rmdir(struct aa_profile *profile)	322	void __aa_fs_profile_rmdir(struct aa_profile *profile)
295	{	323	{
@@ -385,6 +413,12 @@ int __aa_fs_profile_mkdir(struct aa_profile profile, struct dentry parent)
385	goto fail;	413	goto fail;
386	profile->dents[AAFS_PROF_MODE] = dent;	414	profile->dents[AAFS_PROF_MODE] = dent;
387		415
		416	dent = create_profile_file(dir, "attach", profile,
		417	&aa_fs_profattach_fops);
		418	if (IS_ERR(dent))
		419	goto fail;
		420	profile->dents[AAFS_PROF_ATTACH] = dent;
		421
388	list_for_each_entry(child, &profile->base.profiles, base.list) {	422	list_for_each_entry(child, &profile->base.profiles, base.list) {
389	error = __aa_fs_profile_mkdir(child, prof_child_dir(profile));	423	error = __aa_fs_profile_mkdir(child, prof_child_dir(profile));
390	if (error)	424	if (error)


diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h index 2494e112f2bf..f91712cf1b30 100644 --- a/security/apparmor/include/apparmorfs.h +++ b/security/apparmor/include/apparmorfs.h
@@ -81,6 +81,7 @@ enum aafs_prof_type {
81	AAFS_PROF_PROFS,	81	AAFS_PROF_PROFS,
82	AAFS_PROF_NAME,	82	AAFS_PROF_NAME,
83	AAFS_PROF_MODE,	83	AAFS_PROF_MODE,
		84	AAFS_PROF_ATTACH,
84	AAFS_PROF_SIZEOF,	85	AAFS_PROF_SIZEOF,
85	};	86	};
86		87


diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h index 5c72231d1c42..59b36372ae40 100644 --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h
@@ -165,6 +165,7 @@ struct aa_replacedby {
165	* @ns: namespace the profile is in	165	* @ns: namespace the profile is in
166	* @replacedby: is set to the profile that replaced this profile	166	* @replacedby: is set to the profile that replaced this profile
167	* @rename: optional profile name that this profile renamed	167	* @rename: optional profile name that this profile renamed
		168	* @attach: human readable attachment string
168	* @xmatch: optional extended matching for unconfined executables names	169	* @xmatch: optional extended matching for unconfined executables names
169	* @xmatch_len: xmatch prefix len, used to determine xmatch priority	170	* @xmatch_len: xmatch prefix len, used to determine xmatch priority
170	* @audit: the auditing mode of the profile	171	* @audit: the auditing mode of the profile
@@ -204,6 +205,7 @@ struct aa_profile {
204	struct aa_replacedby *replacedby;	205	struct aa_replacedby *replacedby;
205	const char *rename;	206	const char *rename;
206		207
		208	const char *attach;
207	struct aa_dfa *xmatch;	209	struct aa_dfa *xmatch;
208	int xmatch_len;	210	int xmatch_len;
209	enum audit_mode audit;	211	enum audit_mode audit;


diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index cac0aa075787..bdaef2e1b2a0 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c
@@ -492,6 +492,9 @@ static struct aa_profile unpack_profile(struct aa_ext e)
492	/* profile renaming is optional */	492	/* profile renaming is optional */
493	(void) unpack_str(e, &profile->rename, "rename");	493	(void) unpack_str(e, &profile->rename, "rename");
494		494
		495	/* attachment string is optional */
		496	(void) unpack_str(e, &profile->attach, "attach");
		497
495	/* xmatch is optional and may be NULL */	498	/* xmatch is optional and may be NULL */
496	profile->xmatch = unpack_dfa(e);	499	profile->xmatch = unpack_dfa(e);
497	if (IS_ERR(profile->xmatch)) {	500	if (IS_ERR(profile->xmatch)) {