Commit 22fac8a0 authored by John Johansen's avatar John Johansen
Browse files

apparmor: add user mode flag 



Allow the profile to contain a user mode prompt flag. This works similar
to complain mode but will try to send messages to a userspace daemon.
If the daemon is not present or timesout regular informent will occur.

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 8c4b785a

security/apparmor/include/policy.h

+3 −0
Original line number Diff line number Diff line
@@ -44,6 +44,8 @@ extern const char *const aa_profile_mode_names[]; 


#define COMPLAIN_MODE(_profile)	PROFILE_MODE((_profile), APPARMOR_COMPLAIN)



#define USER_MODE(_profile)	PROFILE_MODE((_profile), APPARMOR_USER)



#define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL)



#define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT)
@@ -67,6 +69,7 @@ enum profile_mode { 
	APPARMOR_COMPLAIN,	/* allow and log access violations */

	APPARMOR_KILL,		/* kill task on access violation */

	APPARMOR_UNCONFINED,	/* profile set to unconfined */

	APPARMOR_USER,		/* modified complain mode to userspace */

};

security/apparmor/include/policy_unpack.h

+1 −0
Original line number Diff line number Diff line
@@ -36,6 +36,7 @@ struct aa_load_ent *aa_load_ent_alloc(void); 
#define PACKED_MODE_COMPLAIN	1

#define PACKED_MODE_KILL	2

#define PACKED_MODE_UNCONFINED	3

#define PACKED_MODE_USER	4



struct aa_ns;

security/apparmor/lib.c

+2 −5
Original line number Diff line number Diff line
@@ -327,11 +327,8 @@ void aa_apply_modes_to_perms(struct aa_profile *profile, struct aa_perms *perms) 
		perms->kill = ALL_PERMS_MASK;

	else if (COMPLAIN_MODE(profile))

		perms->complain = ALL_PERMS_MASK;

/*

 *  TODO:

 *	else if (PROMPT_MODE(profile))

 *		perms->prompt = ALL_PERMS_MASK;

 */

	else if (USER_MODE(profile))

		perms->prompt = ALL_PERMS_MASK;

}



/**

security/apparmor/policy.c

+1 −0
Original line number Diff line number Diff line
@@ -94,6 +94,7 @@ const char *const aa_profile_mode_names[] = { 
	"complain",

	"kill",

	"unconfined",

	"user",

};

security/apparmor/policy_unpack.c

+2 −0
Original line number Diff line number Diff line
@@ -761,6 +761,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) 
	} else if (tmp == PACKED_MODE_UNCONFINED) {

		profile->mode = APPARMOR_UNCONFINED;

		profile->label.flags |= FLAG_UNCONFINED;

	} else if (tmp == PACKED_MODE_USER) {

		profile->mode = APPARMOR_USER;

	} else {

		goto fail;

	}