diff options
author | John Johansen <john.johansen@canonical.com> | 2013-08-14 14:27:32 -0400 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2013-08-14 14:42:07 -0400 |
commit | 84f1f787421cd83bb7dfb34d584586f6a5fe7baa (patch) | |
tree | fbb958c9f7950f64feea732c7d78d0831120d540 /security | |
parent | 29b3822f1e132aa0f115f69730d6e4182df153d4 (diff) |
apparmor: export set of capabilities supported by the apparmor module
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/apparmor/Makefile | 6 | ||||
-rw-r--r-- | security/apparmor/apparmorfs.c | 1 | ||||
-rw-r--r-- | security/apparmor/capability.c | 5 | ||||
-rw-r--r-- | security/apparmor/include/capability.h | 4 |
4 files changed, 15 insertions, 1 deletions
diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile index 5706b74c857f..0831e049072d 100644 --- a/security/apparmor/Makefile +++ b/security/apparmor/Makefile | |||
@@ -18,7 +18,11 @@ quiet_cmd_make-caps = GEN $@ | |||
18 | cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\ | 18 | cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\ |
19 | sed $< >>$@ -r -n -e '/CAP_FS_MASK/d' \ | 19 | sed $< >>$@ -r -n -e '/CAP_FS_MASK/d' \ |
20 | -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\ | 20 | -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\ |
21 | echo "};" >> $@ | 21 | echo "};" >> $@ ;\ |
22 | echo -n '\#define AA_FS_CAPS_MASK "' >> $@ ;\ | ||
23 | sed $< -r -n -e '/CAP_FS_MASK/d' \ | ||
24 | -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/\L\1/p' | \ | ||
25 | tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@ | ||
22 | 26 | ||
23 | 27 | ||
24 | # Build a lower case string table of rlimit names. | 28 | # Build a lower case string table of rlimit names. |
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 7a26608a5666..d708a55d072f 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c | |||
@@ -773,6 +773,7 @@ static struct aa_fs_entry aa_fs_entry_features[] = { | |||
773 | AA_FS_DIR("file", aa_fs_entry_file), | 773 | AA_FS_DIR("file", aa_fs_entry_file), |
774 | AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), | 774 | AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), |
775 | AA_FS_DIR("rlimit", aa_fs_entry_rlimit), | 775 | AA_FS_DIR("rlimit", aa_fs_entry_rlimit), |
776 | AA_FS_DIR("caps", aa_fs_entry_caps), | ||
776 | { } | 777 | { } |
777 | }; | 778 | }; |
778 | 779 | ||
diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c index 887a5e948945..84d1f5f53877 100644 --- a/security/apparmor/capability.c +++ b/security/apparmor/capability.c | |||
@@ -27,6 +27,11 @@ | |||
27 | */ | 27 | */ |
28 | #include "capability_names.h" | 28 | #include "capability_names.h" |
29 | 29 | ||
30 | struct aa_fs_entry aa_fs_entry_caps[] = { | ||
31 | AA_FS_FILE_STRING("mask", AA_FS_CAPS_MASK), | ||
32 | { } | ||
33 | }; | ||
34 | |||
30 | struct audit_cache { | 35 | struct audit_cache { |
31 | struct aa_profile *profile; | 36 | struct aa_profile *profile; |
32 | kernel_cap_t caps; | 37 | kernel_cap_t caps; |
diff --git a/security/apparmor/include/capability.h b/security/apparmor/include/capability.h index c24d2959ea02..2e7c9d6a2f3b 100644 --- a/security/apparmor/include/capability.h +++ b/security/apparmor/include/capability.h | |||
@@ -17,6 +17,8 @@ | |||
17 | 17 | ||
18 | #include <linux/sched.h> | 18 | #include <linux/sched.h> |
19 | 19 | ||
20 | #include "apparmorfs.h" | ||
21 | |||
20 | struct aa_profile; | 22 | struct aa_profile; |
21 | 23 | ||
22 | /* aa_caps - confinement data for capabilities | 24 | /* aa_caps - confinement data for capabilities |
@@ -34,6 +36,8 @@ struct aa_caps { | |||
34 | kernel_cap_t extended; | 36 | kernel_cap_t extended; |
35 | }; | 37 | }; |
36 | 38 | ||
39 | extern struct aa_fs_entry aa_fs_entry_caps[]; | ||
40 | |||
37 | int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap, | 41 | int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap, |
38 | int audit); | 42 | int audit); |
39 | 43 | ||