diff options
author | Matthew Garrett <mjg59@google.com> | 2018-05-24 22:27:46 +0200 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2018-10-03 15:18:38 +0200 |
commit | 9caafbe2b4cf4c635826a2832e93cf648605de8b (patch) | |
tree | 3d09ad1db13f0be16c42f04133101b9a36f777e5 /security/apparmor/include | |
parent | apparmor: Add a wildcard secid (diff) | |
download | linux-9caafbe2b4cf4c635826a2832e93cf648605de8b.tar.xz linux-9caafbe2b4cf4c635826a2832e93cf648605de8b.zip |
apparmor: Parse secmark policy
Add support for parsing secmark policy provided by userspace, and
store that in the overall policy.
Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/include')
-rw-r--r-- | security/apparmor/include/net.h | 10 | ||||
-rw-r--r-- | security/apparmor/include/policy.h | 3 |
2 files changed, 13 insertions, 0 deletions
diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h index ec7228e857a9..7334ac966d01 100644 --- a/security/apparmor/include/net.h +++ b/security/apparmor/include/net.h @@ -83,6 +83,13 @@ struct aa_sk_ctx { __e; \ }) +struct aa_secmark { + u8 audit; + u8 deny; + u32 secid; + char *label; +}; + extern struct aa_sfs_entry aa_sfs_entry_network[]; void audit_net_cb(struct audit_buffer *ab, void *va); @@ -103,4 +110,7 @@ int aa_sk_perm(const char *op, u32 request, struct sock *sk); int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request, struct socket *sock); +int apparmor_secmark_check(struct aa_label *label, char *op, u32 request, + u32 secid, struct sock *sk); + #endif /* __AA_NET_H */ diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h index ab64c6b5db5a..8e6707c837be 100644 --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h @@ -155,6 +155,9 @@ struct aa_profile { struct aa_rlimit rlimits; + int secmark_count; + struct aa_secmark *secmark; + struct aa_loaddata *rawdata; unsigned char *hash; char *dirname; |