[11/13] AppArmor: Allow loading of policy containing generic policy dfa

Submitted by John Johansen on Aug. 11, 2011, 5:02 a.m.


Message ID 1313038967-19941-12-git-send-email-john.johansen@canonical.com

Commit Message

John Johansen Aug. 11, 2011, 5:02 a.m.
The policy dfa, when present, contains the state machine encapsulating all
rule types for the profile.  The specific rule sections then contain
references into the policy dfa and the permission mappings for that rule
type.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/apparmorfs-24.c  |    2 +-
 security/apparmor/include/policy.h |    4 ++++
 security/apparmor/policy.c         |    1 +
 security/apparmor/policy_unpack.c  |   11 +++++++++++
 4 files changed, 17 insertions(+), 1 deletions(-)


diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c
index dc8c744..c74d6d5 100644
--- a/security/apparmor/apparmorfs-24.c
+++ b/security/apparmor/apparmorfs-24.c
@@ -35,7 +35,7 @@  static ssize_t aa_matching_read(struct file *file, char __user *buf,
 				size_t size, loff_t *ppos)
 {
 	const char matching[] = "pattern=aadfa audit perms=crwxamlk/ "
-	    "user::other";
+	    "user::other dbus";
 
 	return simple_read_from_buffer(buf, size, ppos, matching,
 				       sizeof(matching) - 1);
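Review bot: The matching string now advertises `dbus` to userspace, but nothing in this patch loads or enforces dbus rules, and the commit message only describes the generic policy dfa. Userspace reads this string to decide which rule types it may compile into a profile, so if the kernel accepts a dbus-bearing policy without enforcing that section the loaded profile is silently weaker than what the author wrote; if dbus support arrives in a later patch of this series, this one-word change belongs there, otherwise the commit message should say why it is advertised now. The function's opening and closing lines lie outside the hunk.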
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 6776929..6b55de7 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -181,6 +181,10 @@  struct aa_profile {
 	u32 path_flags;
 	int size;
 
+	/* Generic policy DFA specific rule types will be subsections of it */
+	struct aa_dfa *policy;
+	unsigned int policy_start;
+
 	struct aa_file_rules file;
 	struct aa_caps caps;
 	struct aa_net net;
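Review bot: The comment on the new `policy` field does not record that the pointer is optional and may be NULL, which is the contract the unpack code establishes, and `policy_start` has no comment at all. Suggest `/* generic policy dfa (optional, may be NULL); the rule-type dfas below are subsections of it */` above `struct aa_dfa *policy;` and `unsigned int policy_start;	/* start state within @policy; DFA_START when the policy gives none */`. struct aa_profile continues outside the hunk.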
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 4d5ce13..41ceaa4 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -750,6 +750,7 @@  static void free_profile(struct aa_profile *profile)
 
 	aa_free_sid(profile->sid);
 	aa_put_dfa(profile->xmatch);
+	aa_put_dfa(profile->policy);
 
 	aa_put_profile(profile->replacedby);
 
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index f4874c4..632f8ec 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -605,6 +605,17 @@  static struct aa_profile *unpack_profile(struct aa_ext *e)
 	profile->net.allow[AF_UNIX] = 0xffff;
 	profile->net.allow[AF_NETLINK] = 0xffff;
 
+	/* generic policy dfa - optional and may be NULL */
+	profile->policy = unpack_dfa(e);
+	if (IS_ERR(profile->policy)) {
+		error = PTR_ERR(profile->policy);
+		profile->policy = NULL;
+		goto fail;
+	}
+	if (!unpack_u32(e, &profile->policy_start, "policy_start"))
+		/* default start state */
+		profile->policy_start = DFA_START;
+
 	/* get file rules */
 	profile->file.dfa = unpack_dfa(e);
 	if (IS_ERR(profile->file.dfa)) {
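Review bot: The value read by `unpack_u32(e, &profile->policy_start, "policy_start")` is stored without being checked against the dfa it indexes into; the dfa's own tables are presumably verified inside unpack_dfa, but this separately supplied start state is not, so a policy blob carrying a state number beyond the dfa's state count would be used as an out-of-range index the first time the policy dfa is matched (that use is outside this patch). After the unpack, when `profile->policy` is non-NULL, compare `policy_start` with the dfa's state count (the same bound the existing dfa verification uses) and take the `fail` path with an error code, rather than deferring the check to the match paths. When `profile->policy` is NULL the stored `policy_start` is meaningless, so the comment `/* generic policy dfa - optional and may be NULL */` could add that consumers must test `profile->policy` before using `policy_start`. unpack_profile begins and ends outside the hunk.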