From patchwork Thu Aug 11 19:59:47 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [2/3] AppArmor: Allow loading of policy containing generic policy dfa
Date: Thu, 11 Aug 2011 09:59:47 -0000
From: John Johansen
X-Patchwork-Id: 109679
Message-Id: <1313092788-31164-3-git-send-email-john.johansen@canonical.com>
To: kernel-team@lists.ubuntu.com

The policy dfa when present contains the state machine encapsulating all rule types for the profile. The specific rules sections then contain references into the policy dfa and the permission mappings for that rule type.

Signed-off-by: John Johansen
---
 security/apparmor/apparmorfs-24.c | 2 +-
 security/apparmor/include/policy.h | 4 ++++
 security/apparmor/policy.c | 1 +
 security/apparmor/policy_unpack.c | 11 +++++++++++
 4 files changed, 17 insertions(+), 1 deletions(-)
diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c
index dc8c744..c74d6d5 100644
--- a/security/apparmor/apparmorfs-24.c
+++ b/security/apparmor/apparmorfs-24.c
@@ -35,7 +35,7 @@ static ssize_t aa_matching_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
 {
 const char matching[] = "pattern=aadfa audit perms=crwxamlk/ "
- "user::other";
+ "user::other dbus";
 return simple_read_from_buffer(buf, size, ppos, matching, sizeof(matching) - 1);
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 6776929..6b55de7 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -181,6 +181,10 @@ struct aa_profile {
 u32 path_flags;
 int size;
+ /* Generic policy DFA specific rule types will be subsections of it */
+ struct aa_dfa *policy;
+ unsigned int policy_start;
+
 struct aa_file_rules file;
 struct aa_caps caps;
 struct aa_net net;
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 4d5ce13..41ceaa4 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
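Review bot: The `matching` string gains `dbus` on the `+` line, but nothing else in this patch adds dbus rule handling; the rest of the series only introduces the generic policy DFA fields and their unpacking. Userspace reads this file to decide which rule types it may compile into a profile, so a kernel that advertises `dbus` without the corresponding mediation (presumably the 3/3 patch) will accept dbus rules it does not enforce if this patch is applied or backported on its own. Either move this one-line change into the patch that implements the dbus mediation, or state in the commit message that the advertised feature depends on the follow-up patch.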
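Review bot: The comment on the new `policy` field does not say that the DFA is optional, which the unpack code in this series relies on (it stores NULL when the blob carries no policy dfa), nor what `policy_start` indexes, and any consumer of `policy` needs both facts. Suggest `/* generic policy dfa, NULL if the profile has none; the specific rule types (file, caps, net, ...) are subsections of it */` on the first added line and `/* start state in @policy for matching; DFA_START when the blob gives none */` above `policy_start`. The enclosing `struct aa_profile` continues outside the hunk.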
@@ -750,6 +750,7 @@ static void free_profile(struct aa_profile *profile)
 aa_free_sid(profile->sid);
 aa_put_dfa(profile->xmatch);
+ aa_put_dfa(profile->policy);
 aa_put_profile(profile->replacedby);
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index f4874c4..632f8ec 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -605,6 +605,17 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
 profile->net.allow[AF_UNIX] = 0xffff;
 profile->net.allow[AF_NETLINK] = 0xffff;
+ /* generic policy dfa - optional and may be NULL */
+ profile->policy = unpack_dfa(e);
+ if (IS_ERR(profile->policy)) {
+ error = PTR_ERR(profile->policy);
+ profile->policy = NULL;
+ goto fail;
+ }
+ if (!unpack_u32(e, &profile->policy_start, "policy_start"))
+ /* default start state */
+ profile->policy_start = DFA_START;
+
 /* get file rules */
 profile->file.dfa = unpack_dfa(e);
 if (IS_ERR(profile->file.dfa)) {
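Review bot: `policy_start` is read from the policy blob by `unpack_u32` and stored without being checked against the DFA it is meant to index, so a malformed or mismatched blob can name a start state the loaded `policy` dfa does not have; the surrounding unpack steps validate what they read, and this value should be validated the same way — rejected (with the `-EPROTO` the function uses for malformed input, if that is the convention here) when `profile->policy` is non-NULL and the state lies outside the DFA's state table, and either ignored or rejected when a `policy_start` is supplied for a profile that has no policy dfa. Profiles are loaded by privileged userspace, but the unpacker is presumably the last point at which a bad state index can be caught before it is used as a table index at match time. Separately, the body of `if (!unpack_u32(...))` is a comment line followed by an unbraced statement; brace it so the comment cannot be mistaken for the body: `if (!unpack_u32(e, &profile->policy_start, "policy_start")) {` / `/* default start state */` / `profile->policy_start = DFA_START; }`. unpack_profile starts and ends outside the hunk, so the `fail:` label this path jumps to is not visible here.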