daaa955e AM |
1 | From 6b092bbbf9e17b10f709d11b3bc2d7e493617934 Mon Sep 17 00:00:00 2001 |
2 | From: John Johansen <john.johansen@canonical.com> | |
3 | Date: Sun, 6 Aug 2017 05:39:08 -0700 | |
4 | Subject: [PATCH 09/17] apparmor: add support for absolute root view based | |
5 | labels | |
6 | ||
7 | With apparmor policy virtualization based on policy namespace View's | |
8 | we don't generally want/need absolute root based views, however there | |
9 | are cases like debugging and some secid based conversions where | |
10 | using a root based view is important. | |
11 | ||
12 | Signed-off-by: John Johansen <john.johansen@canonical.com> | |
13 | Acked-by: Seth Arnold <seth.arnold@canonical.com> | |
14 | (cherry picked from commit eadfbf0898eda94cee0d982626aa24a3146db48b) | |
15 | --- | |
16 | security/apparmor/include/label.h | 1 + | |
17 | security/apparmor/label.c | 10 +++++++++- | |
18 | 2 files changed, 10 insertions(+), 1 deletion(-) | |
19 | ||
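--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -310,6 +310,7 @@ bool aa_update_label_name(struct aa_ns *ns, struct aa_label *label, gfp_t gfp);
 #define FLAG_SHOW_MODE 1
 #define FLAG_VIEW_SUBNS 2
 #define FLAG_HIDDEN_UNCONFINED 4
+#define FLAG_ABS_ROOT 8
 int aa_label_snxprint(char *str, size_t size, struct aa_ns *view,
 struct aa_label *label, int flags);
 int aa_label_asxprint(char **strp, struct aa_ns *ns, struct aa_label *label,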
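Review bot: `FLAG_ABS_ROOT` is added without a comment, and unlike the three flags above it, it changes whose view is used, not just how the label is formatted. Going by the label.c hunk of this patch, setting it makes aa_label_snxprint() discard the caller's `ns`, print relative to `root_ns`, and emit a leading `=`. I would say so on the define, e.g. `/* print relative to root_ns, ignoring the passed view; output starts with '=' */`. The comment should also state that the flag is for the debugging and secid-conversion cases named in the commit message, so it is not set on a path whose output is returned to a task confined to a child policy namespace.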
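--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@@ -1607,8 +1607,13 @@ int aa_label_snxprint(char *str, size_t size, struct aa_ns *ns,
 AA_BUG(!str && size != 0);
 AA_BUG(!label);
 
- if (!ns)
+ if (flags & FLAG_ABS_ROOT) {
+ ns = root_ns;
+ len = snprintf(str, size, "=");
+ update_for_len(total, len, size, str);
+ } else if (!ns) {
 ns = labels_ns(label);
+ }
 
 label_for_each(i, label, profile) {
 if (aa_ns_visible(ns, profile->ns, flags & FLAG_VIEW_SUBNS)) {
@@ -1868,6 +1873,9 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
 if (*str == '&')
 str++;
 }
+ if (*str == '=')
+ base = &root_ns->unconfined->label;
+
 error = vec_setup(profile, vec, len, gfp);
 if (error)
 return ERR_PTR(error);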
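Review bot: In the aa_label_parse() hunk the switch to the root namespace depends only on the first character of `str`: any string beginning with `=` gets `base = &root_ns->unconfined->label`, with no check on who supplied it. The callers are outside this hunk, so this needs confirming, but if any of them forwards a label string written by a task inside a child policy namespace, that task can select root-relative resolution instead of its own view. I would accept the prefix only when the caller already passed the root unconfined label as base, `if (*str == '=' && base != &root_ns->unconfined->label) return ERR_PTR(-EINVAL);`, or gate it behind an explicit argument. Also, the `=` is not consumed here (compare `str++` for `&` just above), and because the test follows the `&` block a string starting `&=` takes both branches. The function body continues outside the hunk, so whether later code handles either case is not visible.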
61 | -- | |
62 | 2.11.0 | |
63 |