Patchwork [2/3] AppArmor: Allow loading of policy containing generic policy dfa

Submitter John Johansen
Date Aug. 11, 2011, 7:59 p.m.
Message ID <1313092788-31164-3-git-send-email-john.johansen@canonical.com>

Comments

John Johansen - Aug. 11, 2011, 7:59 p.m.
The policy dfa, when present, contains the state machine encapsulating all
rule types for the profile.  The specific rule sections then contain
references into the policy dfa together with the permission mappings for
that rule type.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/apparmorfs-24.c  |    2 +-
 security/apparmor/include/policy.h |    4 ++++
 security/apparmor/policy.c         |    1 +
 security/apparmor/policy_unpack.c  |   11 +++++++++++
 4 files changed, 17 insertions(+), 1 deletions(-)

Patch

diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c
index dc8c744..c74d6d5 100644
--- a/security/apparmor/apparmorfs-24.c
+++ b/security/apparmor/apparmorfs-24.c
@@ -35,7 +35,7 @@  static ssize_t aa_matching_read(struct file *file, char __user *buf,
 				size_t size, loff_t *ppos)
 {
 	const char matching[] = "pattern=aadfa audit perms=crwxamlk/ "
-	    "user::other";
+	    "user::other dbus";
 
 	return simple_read_from_buffer(buf, size, ppos, matching,
 				       sizeof(matching) - 1);
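Review bot: The `matching` string now advertises `dbus` to userspace, but nothing else in this patch adds dbus rule handling and the description does not mention dbus at all. Presumably the userspace compiler reads this file to decide which rule types the kernel will enforce, so advertising a feature before the mediation code exists risks policies with dbus rules loading and appearing enforced while those rules are silently ignored. If the dbus mediation lands in patch 3/3, this one-line change belongs there; otherwise the description should say why the feature is advertised in this patch, e.g. `/* "dbus" is advertised here because ... */`. aa_matching_read itself is fully visible in the hunk.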
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 6776929..6b55de7 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -181,6 +181,10 @@  struct aa_profile {
 	u32 path_flags;
 	int size;
 
+	/* Generic policy DFA specific rule types will be subsections of it */
+	struct aa_dfa *policy;
+	unsigned int policy_start;
+
 	struct aa_file_rules file;
 	struct aa_caps caps;
 	struct aa_net net;
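Review bot: The new comment `/* Generic policy DFA specific rule types will be subsections of it */` is hard to parse and says nothing about `policy_start`, which is loaded from the policy blob in the policy_unpack.c hunk of this same patch. I would replace it with `/* Optional generic policy DFA (NULL when the profile carries none); the rule-type specific sections below reference states within it. */` above `policy`, and add `/* start state in @policy, taken from the blob or defaulting to DFA_START */` above `policy_start`. Documenting that `policy` may be NULL matters because every future user of the field must check it before matching. struct aa_profile starts outside this hunk.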
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 4d5ce13..41ceaa4 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -750,6 +750,7 @@  static void free_profile(struct aa_profile *profile)
 
 	aa_free_sid(profile->sid);
 	aa_put_dfa(profile->xmatch);
+	aa_put_dfa(profile->policy);
 
 	aa_put_profile(profile->replacedby);
 
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index f4874c4..632f8ec 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -605,6 +605,17 @@  static struct aa_profile *unpack_profile(struct aa_ext *e)
 	profile->net.allow[AF_UNIX] = 0xffff;
 	profile->net.allow[AF_NETLINK] = 0xffff;
 
+	/* generic policy dfa - optional and may be NULL */
+	profile->policy = unpack_dfa(e);
+	if (IS_ERR(profile->policy)) {
+		error = PTR_ERR(profile->policy);
+		profile->policy = NULL;
+		goto fail;
+	}
+	if (!unpack_u32(e, &profile->policy_start, "policy_start"))
+		/* default start state */
+		profile->policy_start = DFA_START;
+
 	/* get file rules */
 	profile->file.dfa = unpack_dfa(e);
 	if (IS_ERR(profile->file.dfa)) {