author | William Hua <william.hua@canonical.com> | 2017-01-16 01:49:28 +0100 |
committer | John Johansen <john.johansen@canonical.com> | 2017-01-16 10:18:51 +0100 |
commit | e025be0f26d5597b0a2bdfa65145a0171e77b614 (patch) | |
tree | 0f9300ae3893d6af776466d12fe22a739d01d75d /security/apparmor/include/policy.h | |
parent | apparmor: update cap audit to check SECURITY_CAP_NOAUDIT (diff) | |
apparmor: support querying extended trusted helper extra data
Allow a profile to carry extra data that can be queried via userspace.
This provides a means to store extra data in a profile that a trusted
helper can extract and use from live policy.
Signed-off-by: William Hua <william.hua@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/include/policy.h')
-rw-r--r-- | security/apparmor/include/policy.h | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index a5a997896836..93b1b1f440d3 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -18,6 +18,7 @@
 #include <linux/capability.h>
 #include <linux/cred.h>
 #include <linux/kref.h>
+#include <linux/rhashtable.h>
 #include <linux/sched.h>
 #include <linux/slab.h>
 #include <linux/socket.h>
@@ -98,6 +99,19 @@ struct aa_proxy {
 struct aa_profile __rcu *profile;
 };
+/* struct aa_data - generic data structure
+ * key: name for retrieving this data
+ * size: size of data in bytes
+ * data: binary data
+ * head: reserved for rhashtable
+ */
+struct aa_data {
+ char *key;
+ u32 size;
+ char *data;
+ struct rhash_head head;
+};
+
 /* struct aa_profile - basic confinement data
 * @base - base components of the profile (name, refcount, lists, lock ...)
@@ -122,6 +136,7 @@ struct aa_proxy {
 *
 * @dents: dentries for the profiles file entries in apparmorfs
 * @dirname: name of the profile dir in apparmorfs
+ * @data: hashtable for free-form policy aa_data
 *
 * The AppArmor profile contains the basic confinement data. Each profile
 * has a name, and exists in a namespace. The @name and @exec_match are
@@ -165,6 +180,7 @@ struct aa_profile {
 unsigned char *hash;
 char *dirname;
 struct dentry *dents[AAFS_PROF_SIZEOF];
+ struct rhashtable *data;
 };
 extern enum profile_mode aa_g_profile_mode;
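Review bot: In the second hunk `struct aa_data` declares its payload as `char *data` while the comment calls it binary data, and nothing says whether the buffer is NUL-terminated; with `size` as the only bound, a `u8 *` or `void *` would keep later readers from reaching for string functions on it, and the comment should say so explicitly, e.g. `@data: binary payload, @size bytes long, not NUL-terminated`. The block also uses bare `key:`/`size:` markers whereas the neighbouring `aa_profile` comment uses kernel-doc `@field:` markers; aligning them lets kernel-doc pick the fields up. Ownership of `key` and `data` (who allocates, who frees, and that they must outlive the entry while it sits in the table) is not stated here; presumably it follows the profile's table lifetime, but this header-only diffstat does not show it, so a one-line ownership note on the struct would help.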
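Review bot: The `struct rhashtable *data` member added to `aa_profile` in the last hunk is a pointer whose NULL case is undocumented, and this header hunk adds no initialisation or teardown for it; the diffstat is limited to policy.h, so those likely live elsewhere in the commit, but the `@data:` line in the third hunk should state the contract callers must check, e.g. `@data: hashtable for free-form policy aa_data (NULL if the profile carries none)`. The member name also mirrors `aa_data.data`, so `profile->data` and `entry->data` read alike at call sites; a more specific name such as `extra_data` would avoid that, though renaming is a judgement call.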