apparmor: add support for force complain flag to support learning mode
authorJohn Johansen <john.johansen@canonical.com>
Mon, 16 Jan 2017 08:42:38 +0000 (00:42 -0800)
committerJohn Johansen <john.johansen@canonical.com>
Mon, 16 Jan 2017 09:18:31 +0000 (01:18 -0800)
Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/policy_unpack.c

index fe73117cd9409b48b5902c41862ee809fbfaac1e..c836a9c8b6ff515dee7e71c81f59aa5b54733984 100644 (file)
@@ -29,6 +29,8 @@
 #include "include/policy.h"
 #include "include/policy_unpack.h"
 
+#define FORCE_COMPLAIN_FLAG 0x800
+
 /*
  * The AppArmor interface treats data as a type byte followed by the
  * actual data.  The interface has the notion of a a named entry
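Review bot: `FORCE_COMPLAIN_FLAG` is added without a comment saying which word it is a bit of or what setting it means. The second hunk tests it against `e->version`, so it appears to share the policy header's version word with the ABI number. A comment such as `/* bit in the policy header version word: load every profile in this blob in complain mode, whatever mode it was packed with */` would make that explicit. It would also help to state which bits of that word carry the version number, because any version comparison has to mask this bit out first; that code is not visible in this hunk.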
@@ -514,7 +516,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
                profile->flags |= PFLAG_HAT;
        if (!unpack_u32(e, &tmp, NULL))
                goto fail;
-       if (tmp == PACKED_MODE_COMPLAIN)
+       if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG))
                profile->mode = APPARMOR_COMPLAIN;
        else if (tmp == PACKED_MODE_KILL)
                profile->mode = APPARMOR_KILL;