author | John Johansen <john.johansen@canonical.com> | 2019-12-17 15:40:41 -0800 |
committer | John Johansen <john.johansen@canonical.com> | 2022-10-03 14:49:03 -0700 |
commit | 22fac8a051191113becc0da62bf88b0ba8ce6c08 (patch) | |
tree | bd80b87a3408b9ddcbbcfe9ce767af0edcb1468c /security/apparmor | |
parent | 8c4b785a86be1219f7d50f7b38266c454d6a9bbc (diff) |
apparmor: add user mode flag
Allow the profile to carry a user-mode prompt flag. This works similarly
to complain mode but will try to send messages to a userspace daemon.
If the daemon is not present or times out, regular enforcement will occur.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor')
-rw-r--r-- | security/apparmor/include/policy.h | 3 | ||||
-rw-r--r-- | security/apparmor/include/policy_unpack.h | 1 | ||||
-rw-r--r-- | security/apparmor/lib.c | 7 | ||||
-rw-r--r-- | security/apparmor/policy.c | 1 | ||||
-rw-r--r-- | security/apparmor/policy_unpack.c | 2 |
5 files changed, 9 insertions, 5 deletions
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index a28a662a0622..9fc5d7fa36e8 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -44,6 +44,8 @@ extern const char *const aa_profile_mode_names[];
 #define COMPLAIN_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_COMPLAIN)
+#define USER_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_USER)
+
 #define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL)
 #define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT)
@@ -67,6 +69,7 @@ enum profile_mode {
 APPARMOR_COMPLAIN, /* allow and log access violations */
 APPARMOR_KILL, /* kill task on access violation */
 APPARMOR_UNCONFINED, /* profile set to unconfined */
+ APPARMOR_USER, /* modified complain mode to userspace */
 };
diff --git a/security/apparmor/include/policy_unpack.h b/security/apparmor/include/policy_unpack.h
index cdfbc8a54a9d..1e10e360a0ec 100644
--- a/security/apparmor/include/policy_unpack.h
+++ b/security/apparmor/include/policy_unpack.h
@@ -36,6 +36,7 @@ struct aa_load_ent *aa_load_ent_alloc(void);
 #define PACKED_MODE_COMPLAIN 1
 #define PACKED_MODE_KILL 2
 #define PACKED_MODE_UNCONFINED 3
+#define PACKED_MODE_USER 4
 struct aa_ns;
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index 768cc182e9ca..b0fcec893274 100644
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -327,11 +327,8 @@ void aa_apply_modes_to_perms(struct aa_profile *profile, struct aa_perms *perms)
 perms->kill = ALL_PERMS_MASK;
 else if (COMPLAIN_MODE(profile))
 perms->complain = ALL_PERMS_MASK;
-/*
- * TODO:
- * else if (PROMPT_MODE(profile))
- * perms->prompt = ALL_PERMS_MASK;
- */
+ else if (USER_MODE(profile))
+ perms->prompt = ALL_PERMS_MASK;
 }
 /**
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 6222236de021..3c3a5263695d 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
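Review bot: The comment on the new enumerator, `/* modified complain mode to userspace */`, says neither what the mode does nor how it degrades, and the enumerator's position matters because `aa_profile_mode_names[]` (its declaration is visible in the first hunk's header) is indexed by `enum profile_mode`. Drawing on the commit message, I would write `APPARMOR_USER, /* like complain, but defer decisions to a userspace daemon; enforce if it is absent or times out. Keep in sync with aa_profile_mode_names[] */`. The fall-back to enforcement is described in the message but not implemented in this patch, so until the consumer of the prompt mask lands the comment records intent rather than verified behaviour. If anything in the tree treats APPARMOR_UNCONFINED as the last valid mode it would also need revisiting, though nothing of the kind is visible here.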
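Review bot: The new `else if (USER_MODE(profile)) perms->prompt = ALL_PERMS_MASK;` assumes `struct aa_perms` already carries a `prompt` member and that some consumer of that mask implements the fall-back to enforcement the commit message promises; neither appears in this patch, whose diffstat touches no perms or audit code. If that consumer ends up treating a set `prompt` bit the way `complain` is treated (allow and log), a missing or timed-out daemon silently becomes an allow rather than a deny, inverting the fail-closed behaviour the message describes; this cannot be confirmed from the diff, so it is a point to check rather than a defect found. I would record the contract where the mask is set: `/* prompt mask is consumed by the userspace-decision path; it must fall back to enforce when no daemon answers */` above the new branch. The head of aa_apply_modes_to_perms, including the KILL_MODE test this chain hangs off, lies outside the hunk.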
@@ -94,6 +94,7 @@ const char *const aa_profile_mode_names[] = {
 "complain",
 "kill",
 "unconfined",
+ "user",
 };
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 4bf33bd0ca69..04e9fca250df 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -761,6 +761,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 } else if (tmp == PACKED_MODE_UNCONFINED) {
 profile->mode = APPARMOR_UNCONFINED;
 profile->label.flags |= FLAG_UNCONFINED;
+ } else if (tmp == PACKED_MODE_USER) {
+ profile->mode = APPARMOR_USER;
 } else {
 goto fail;
 } |
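Review bot: `"user"` is appended positionally, so the table is only correct while `APPARMOR_USER` stays the fifth enumerator of `enum profile_mode`, and nothing in the file states that coupling. A designated initializer ties each name to its mode, `[APPARMOR_USER] = "user",`, or, if the existing entries stay positional, a one-line comment on the array, `/* indexed by enum profile_mode; order must match */`, makes the dependency visible to whoever adds the next mode. Mixing designated and positional entries is legal C99 but reads oddly, so converting the whole table would be the cleaner follow-up; the array's opening line is in the hunk header and the remaining entries are outside the hunk.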
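Review bot: Accepting `PACKED_MODE_USER` in the unpacker is not paired with any advertisement of the new mode in the kernel's feature set (the diffstat touches no apparmorfs code), so unless a later patch in the series adds one, the policy compiler has no way to know whether emitting mode 4 is safe; on a kernel without this patch the same blob falls into `goto fail` and the whole load is rejected, presumably with a generic unpack error rather than something pointing at the mode. Unlike the unconfined branch just above, the new branch sets no label flag, which looks intentional since the mode is meant to behave like complain, but a short comment would spare the next reader the question: `/* no label flag: as with complain, the profile stays confined; only the decision path differs */`. Policy is written by a privileged loader, so rejecting unknown values is the right shape here; the missing piece is discoverability. unpack_profile begins and ends outside the hunk.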