Commit c1ed5da1 authored by John Johansen's avatar John Johansen

apparmor: allow label to carry debug flags



Allow labels to have debug flags that can be used to trigger debug output
only from profiles/labels that are marked. This can help reduce debug
output by allowing debug output to be targeted at a specific confinement condition.

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 2504db20
+2 −0
@@ -92,6 +92,8 @@ enum label_flags {
	FLAG_STALE = 0x800,		/* replaced/removed */
	FLAG_RENAMED = 0x1000,		/* label has renaming in it */
	FLAG_REVOKED = 0x2000,		/* label has revocation in it */
	FLAG_DEBUG1 = 0x4000,
	FLAG_DEBUG2 = 0x8000,

	/* These flags must correspond with PATH_flags */
	/* TODO: add new path flags */
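Review bot: FLAG_DEBUG1 and FLAG_DEBUG2 are the only entries in this run of label_flags without a trailing comment, so a reader cannot tell from the header what marking a label with them is supposed to do. The commit message says they select which labels emit debug output; that belongs next to the values, e.g. `FLAG_DEBUG1 = 0x4000,		/* label selected for debug output (level 1) */` and the same for FLAG_DEBUG2. It would also help to state that the two bits are independent markers rather than a two-bit level, if that is the intent, since nothing on this page establishes it. The enum continues outside the hunk.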
+2 −2
@@ -17,8 +17,8 @@ enum path_flags {
	PATH_CHROOT_REL = 0x8,		/* do path lookup relative to chroot */
	PATH_CHROOT_NSCONNECT = 0x10,	/* connect paths that are at ns root */

	PATH_DELEGATE_DELETED = 0x08000, /* delegate deleted files */
	PATH_MEDIATE_DELETED = 0x10000,	 /* mediate deleted paths */
	PATH_DELEGATE_DELETED = 0x10000, /* delegate deleted files */
	PATH_MEDIATE_DELETED = 0x20000,	 /* mediate deleted paths */
};

int aa_path_name(const struct path *path, int flags, char *buffer,
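Review bot: PATH_DELEGATE_DELETED and PATH_MEDIATE_DELETED are renumbered from 0x08000/0x10000 to 0x10000/0x20000 without any comment in path.h explaining why, and the only hint is the "These flags must correspond with PATH_flags" comment in label.h, which a reader of this file will not see. If the renumbering is there to keep these values aligned with the label flags after FLAG_DEBUG1/FLAG_DEBUG2 took 0x4000/0x8000 (which is what the label.h hunk suggests), a one-line cross-reference above these two entries would make the coupling visible, e.g. `/* values must match the corresponding FLAG_* bits in label.h */`. The enum starts outside the hunk.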
+4 −0
@@ -48,6 +48,10 @@ extern const char *const aa_profile_mode_names[];

#define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT)

#define CHECK_DEBUG1(_profile) ((_profile)->label.flags & FLAG_DEBUG1)

#define CHECK_DEBUG2(_profile) ((_profile)->label.flags & FLAG_DEBUG2)

#define profile_is_stale(_profile) (label_is_stale(&(_profile)->label))

#define on_list_rcu(X) (!list_empty(X) && (X)->prev != LIST_POISON2)
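Review bot: CHECK_DEBUG1 and CHECK_DEBUG2 are added with no comment and, unlike the neighbouring PROFILE_IS_HAT and profile_is_stale, their names do not say what is being checked or what the result gates. Nothing on this page uses either macro, so the header is the only place a future caller can learn the contract. Suggest a comment on each, e.g. `/* non-zero if debug output is enabled for this profile (FLAG_DEBUG1 set on its label) */`, and a note that the macros test the profile's own label rather than a merged label, since union_vec_flags in label.c now propagates the bits to merged labels as well.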
+2 −0
@@ -28,6 +28,8 @@ void aa_load_ent_free(struct aa_load_ent *ent);
struct aa_load_ent *aa_load_ent_alloc(void);

#define PACKED_FLAG_HAT		1
#define PACKED_FLAG_DEBUG1	2
#define PACKED_FLAG_DEBUG2	4

#define PACKED_MODE_ENFORCE	0
#define PACKED_MODE_COMPLAIN	1
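Review bot: PACKED_FLAG_DEBUG1 and PACKED_FLAG_DEBUG2 are defined here, but no hunk on this page reads them when a profile is unpacked, so as far as this commit shows the packed bits are never translated into FLAG_DEBUG1/FLAG_DEBUG2 on the profile's label. If that mapping lives in a change outside this commit, a comment tying the two together would help the next reader, e.g. `/* policy-file flag bits; PACKED_FLAG_DEBUG* correspond to FLAG_DEBUG* in label.h */`. It is also worth recording that the bits are part of the policy wire format and therefore cannot be renumbered later without a format change.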
+6 −6
@@ -197,18 +197,18 @@ static bool vec_is_stale(struct aa_profile **vec, int n)
	return false;
}

static bool vec_unconfined(struct aa_profile **vec, int n)
static long union_vec_flags(struct aa_profile **vec, int n, long mask)
{
	long u = 0;
	int i;

	AA_BUG(!vec);

	for (i = 0; i < n; i++) {
		if (!profile_unconfined(vec[i]))
			return false;
		u |= vec[i]->label.flags & mask;
	}

	return true;
	return u;
}

static int sort_cmp(const void *a, const void *b)
@@ -1097,8 +1097,8 @@ static struct aa_label *label_merge_insert(struct aa_label *new,
		else if (k == b->size)
			return aa_get_label(b);
	}
	if (vec_unconfined(new->vec, new->size))
		new->flags |= FLAG_UNCONFINED;
	new->flags |= union_vec_flags(new->vec, new->size, FLAG_UNCONFINED |
					      FLAG_DEBUG1 | FLAG_DEBUG2);
	ls = labels_set(new);
	write_lock_irqsave(&ls->lock, flags);
	label = __label_insert(labels_set(new), new, false);
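Review bot: union_vec_flags changes what FLAG_UNCONFINED means on a merged label: the removed vec_unconfined returned true only when every profile in the vector was unconfined, while the new loop ORs `vec[i]->label.flags & mask` and label_merge_insert passes FLAG_UNCONFINED in that mask, so the new label is marked unconfined as soon as any single element carries the flag. A label that stacks a confined profile with an unconfined one would therefore get FLAG_UNCONFINED, which is likely to affect mediation decisions keyed on that flag rather than only debug output. FLAG_DEBUG1/FLAG_DEBUG2 are reasonable to union, but FLAG_UNCONFINED should remain an intersection as before; the rewrite below keeps the signature and caller unchanged. label_merge_insert itself begins outside the second hunk.
```c
static long union_vec_flags(struct aa_profile **vec, int n, long mask)
{
	long u = 0;
	/* FLAG_UNCONFINED stays an intersection, as vec_unconfined had it:
	 * cleared by the first confined entry; the other mask bits are unioned */
	long unconfined = FLAG_UNCONFINED;
	int i;

	AA_BUG(!vec);

	for (i = 0; i < n; i++) {
		u |= vec[i]->label.flags & (mask & ~FLAG_UNCONFINED);
		if (!profile_unconfined(vec[i]))
			unconfined = 0;
	}

	return u | (unconfined & mask);
}
```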