authorJohn Johansen <john.johansen@canonical.com>2019-12-18 00:40:41 +0100
committerJohn Johansen <john.johansen@canonical.com>2022-10-03 23:49:03 +0200
commit22fac8a051191113becc0da62bf88b0ba8ce6c08 (patch)
treebd80b87a3408b9ddcbbcfe9ce767af0edcb1468c
parentapparmor: add mediation class information to auditing (diff)
downloadlinux-22fac8a051191113becc0da62bf88b0ba8ce6c08.tar.xz
linux-22fac8a051191113becc0da62bf88b0ba8ce6c08.zip
apparmor: add user mode flag
Allow the profile to contain a user mode prompt flag. This works similarly to complain mode but will try to send messages to a userspace daemon. If the daemon is not present or times out, regular enforcement will occur. Signed-off-by: John Johansen <john.johansen@canonical.com>
-rw-r--r--security/apparmor/include/policy.h3
-rw-r--r--security/apparmor/include/policy_unpack.h1
-rw-r--r--security/apparmor/lib.c7
-rw-r--r--security/apparmor/policy.c1
-rw-r--r--security/apparmor/policy_unpack.c2
5 files changed, 9 insertions, 5 deletions
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index a28a662a0622..9fc5d7fa36e8 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -44,6 +44,8 @@ extern const char *const aa_profile_mode_names[];
#define COMPLAIN_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_COMPLAIN)
+#define USER_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_USER)
+
#define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL)
#define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT)
@@ -67,6 +69,7 @@ enum profile_mode {
APPARMOR_COMPLAIN, /* allow and log access violations */
APPARMOR_KILL, /* kill task on access violation */
APPARMOR_UNCONFINED, /* profile set to unconfined */
+ APPARMOR_USER, /* modified complain mode to userspace */
};
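Review bot: `APPARMOR_USER` is appended after `APPARMOR_UNCONFINED`, so its numeric value has to line up with the `"user"` entry appended to `aa_profile_mode_names[]` in policy.c, and nothing in either hunk enforces that pairing. A comment on the enum, `/* keep in sync with aa_profile_mode_names[] in policy.c */`, or a `BUILD_BUG_ON(ARRAY_SIZE(aa_profile_mode_names) != APPARMOR_USER + 1)` next to the array definition would catch a future mismatch. The new enumerator's comment could also say what the mode does rather than what it resembles, e.g. `/* like complain, but consult a userspace daemon before deciding */`. Any caller that compares `profile->mode` relationally rather than with `==` would need checking now that a value sits above `APPARMOR_UNCONFINED`, though none is visible in this diff.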
diff --git a/security/apparmor/include/policy_unpack.h b/security/apparmor/include/policy_unpack.h
index cdfbc8a54a9d..1e10e360a0ec 100644
--- a/security/apparmor/include/policy_unpack.h
+++ b/security/apparmor/include/policy_unpack.h
@@ -36,6 +36,7 @@ struct aa_load_ent *aa_load_ent_alloc(void);
#define PACKED_MODE_COMPLAIN 1
#define PACKED_MODE_KILL 2
#define PACKED_MODE_UNCONFINED 3
+#define PACKED_MODE_USER 4
struct aa_ns;
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index 768cc182e9ca..b0fcec893274 100644
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -327,11 +327,8 @@ void aa_apply_modes_to_perms(struct aa_profile *profile, struct aa_perms *perms)
perms->kill = ALL_PERMS_MASK;
else if (COMPLAIN_MODE(profile))
perms->complain = ALL_PERMS_MASK;
-/*
- * TODO:
- * else if (PROMPT_MODE(profile))
- * perms->prompt = ALL_PERMS_MASK;
- */
+ else if (USER_MODE(profile))
+ perms->prompt = ALL_PERMS_MASK;
}
/**
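Review bot: The new branch sets `perms->prompt = ALL_PERMS_MASK` for every user-mode profile, but the fallback to regular enforcement that the commit message promises when the daemon is absent or times out is not visible here, so it presumably lives wherever `perms->prompt` is consumed. A short comment on the branch would save the next reader the search, e.g. `/* USER_MODE: defer the decision to the userspace daemon; the daemon-absent/timeout fallback is handled by the consumer of perms->prompt */`. The branch order is worth keeping as is: kill mode is tested first, so prompting never overrides a kill-mode profile. aa_apply_modes_to_perms begins before the hunk.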
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 6222236de021..3c3a5263695d 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -94,6 +94,7 @@ const char *const aa_profile_mode_names[] = {
"complain",
"kill",
"unconfined",
+ "user",
};
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 4bf33bd0ca69..04e9fca250df 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -761,6 +761,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
} else if (tmp == PACKED_MODE_UNCONFINED) {
profile->mode = APPARMOR_UNCONFINED;
profile->label.flags |= FLAG_UNCONFINED;
+ } else if (tmp == PACKED_MODE_USER) {
+ profile->mode = APPARMOR_USER;
} else {
goto fail;
}
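Review bot: The new `PACKED_MODE_USER` branch sets only `profile->mode`, whereas the `PACKED_MODE_UNCONFINED` branch directly above it also raises a label flag; if that asymmetry is intentional because user mode is a complain variant, a one-line comment would make it explicit, e.g. `/* user mode is a complain variant: no label flag needed */`. The packed mode value is read from the policy blob supplied at load time, so userspace needs some way to discover that this kernel accepts the new value; if the apparmor features interface is the usual place to advertise such support, this commit does not touch it, which may be deliberate for a series. unpack_profile begins and ends outside the hunk.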