1 From 6b092bbbf9e17b10f709d11b3bc2d7e493617934 Mon Sep 17 00:00:00 2001
2 From: John Johansen <john.johansen@canonical.com>
3 Date: Sun, 6 Aug 2017 05:39:08 -0700
4 Subject: [PATCH 09/17] apparmor: add support for absolute root view based
5  labels
6
7 With apparmor policy virtualization based on policy namespace views
8 we don't generally want/need absolute root based views, however there
9 are cases like debugging and some secid based conversions where
10 using a root based view is important.
11
12 Signed-off-by: John Johansen <john.johansen@canonical.com>
13 Acked-by: Seth Arnold <seth.arnold@canonical.com>
14 (cherry picked from commit eadfbf0898eda94cee0d982626aa24a3146db48b)
15 ---
16  security/apparmor/include/label.h |  1 +
17  security/apparmor/label.c         | 10 +++++++++-
18  2 files changed, 10 insertions(+), 1 deletion(-)
19
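diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
index 9a283b722755..af22dcbbcb8a 100644
--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -310,6 +310,7 @@ bool aa_update_label_name(struct aa_ns *ns, struct aa_label *label, gfp_t gfp);
 #define FLAG_SHOW_MODE 1
 #define FLAG_VIEW_SUBNS 2
 #define FLAG_HIDDEN_UNCONFINED 4
+#define FLAG_ABS_ROOT 8
 int aa_label_snxprint(char *str, size_t size, struct aa_ns *view,
                      struct aa_label *label, int flags);
 int aa_label_asxprint(char **strp, struct aa_ns *ns, struct aa_label *label,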
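Review bot: FLAG_ABS_ROOT is added next to the other print flags without a comment, while its effect — aa_label_snxprint ignores the caller's view, prints relative to root_ns and prefixes the string with `=`, and aa_label_parse treats a leading `=` as root-relative — is only visible in label.c. A one-line comment on the define would spare the next reader a grep: `#define FLAG_ABS_ROOT 8	/* print/parse relative to root_ns; string is prefixed with '=' */`. Since the `=` prefix is now part of the label string format, noting it here also documents that callers setting this flag must expect the extra byte in `size`.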
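diff --git a/security/apparmor/label.c b/security/apparmor/label.c
index 38be7a89cc31..52b4ef14840d 100644
--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@@ -1607,8 +1607,13 @@ int aa_label_snxprint(char *str, size_t size, struct aa_ns *ns,
        AA_BUG(!str && size != 0);
        AA_BUG(!label);
 
-       if (!ns)
+       if (flags & FLAG_ABS_ROOT) {
+               ns = root_ns;
+               len = snprintf(str, size, "=");
+               update_for_len(total, len, size, str);
+       } else if (!ns) {
                ns = labels_ns(label);
+       }
 
        label_for_each(i, label, profile) {
                if (aa_ns_visible(ns, profile->ns, flags & FLAG_VIEW_SUBNS)) {
@@ -1868,6 +1873,9 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
                if (*str == '&')
                        str++;
        }
+       if (*str == '=')
+               base = &root_ns->unconfined->label;
+
        error = vec_setup(profile, vec, len, gfp);
        if (error)
                return ERR_PTR(error);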
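Review bot: The `=` handling added to aa_label_parse rebases the lookup to `&root_ns->unconfined->label` regardless of which policy namespace the caller's `base` lives in, so if the string can come from a task confined in a child namespace (the callers are outside this hunk, so this is inferred), a leading `=` lets it resolve profile names through the root view that its own view would hide. Accepting the prefix only when the caller already has the root view keeps the debugging and secid use the commit message describes while closing that path, e.g. `if (*str == '=' && base != &root_ns->unconfined->label) return ERR_PTR(-EINVAL);` placed before the assignment. Separately, the hunk sets `base` but never advances `str` past the `=`, so unless the split and lookup code that follows skips it, the first element will be looked up as `=name`; please confirm which is intended. Both aa_label_parse and, in the first hunk, aa_label_snxprint begin and end outside the visible hunks.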
61 -- 
62 2.11.0
63