projects / openwrt / staging / blogic.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f872af7)
apparmor: add support for absolute root view based labels
authorJohn Johansen <john.johansen@canonical.com>
Sun, 6 Aug 2017 12:39:08 +0000 (05:39 -0700)
committerJohn Johansen <john.johansen@canonical.com>
Fri, 22 Sep 2017 20:00:58 +0000 (13:00 -0700)
With apparmor policy virtualization based on policy namespace View's
we don't generally want/need absolute root based views, however there
are cases like debugging and some secid based conversions where
using a root based view is important.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
security/apparmor/include/label.h patch | blob | history
security/apparmor/label.c patch | blob | history

diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
index 9a283b722755786a2e213e591323d101d7b30816..af22dcbbcb8aa165d16d1769aba7e92eb5965ada 100644 (file)
--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -310,6 +310,7 @@ bool aa_update_label_name(struct aa_ns *ns, struct aa_label *label, gfp_t gfp);
 #define FLAG_SHOW_MODE 1
 #define FLAG_VIEW_SUBNS 2
 #define FLAG_HIDDEN_UNCONFINED 4
+#define FLAG_ABS_ROOT 8
 int aa_label_snxprint(char *str, size_t size, struct aa_ns *view,
                      struct aa_label *label, int flags);
 int aa_label_asxprint(char **strp, struct aa_ns *ns, struct aa_label *label,
diff --git a/security/apparmor/label.c b/security/apparmor/label.c
index 38be7a89cc31efe70c12619fa184036ad1cfb926..52b4ef14840d4bf86339b8b5022103b2aee0ab35 100644 (file)
--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@@ -1607,8 +1607,13 @@ int aa_label_snxprint(char *str, size_t size, struct aa_ns *ns,
        AA_BUG(!str && size != 0);
        AA_BUG(!label);
 
-       if (!ns)
+       if (flags & FLAG_ABS_ROOT) {
+               ns = root_ns;
+               len = snprintf(str, size, "=");
+               update_for_len(total, len, size, str);
+       } else if (!ns) {
                ns = labels_ns(label);
+       }
 
        label_for_each(i, label, profile) {
                if (aa_ns_visible(ns, profile->ns, flags & FLAG_VIEW_SUBNS)) {
@@ -1868,6 +1873,9 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
                if (*str == '&')
                        str++;
        }
+       if (*str == '=')
+               base = &root_ns->unconfined->label;
+
        error = vec_setup(profile, vec, len, gfp);
        if (error)
                return ERR_PTR(error);
John Crispins staging tree