apparmor: revalidate files during exec

Instead of running file revalidation lazily when read/write are called
copy selinux and revalidate the file table on exec. This avoids
extra mediation overhead in read/write and also prevents file handles
being passed through to a grand child unchecked.

Signed-off-by: John Johansen <john.johansen@canonical.com>

2 files changed, 3 insertions, 0 deletions

diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 1aeb8550fb82..d548261dd1b7 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -69,6 +69,7 @@ enum audit_type {
 #define OP_FLOCK "file_lock"
 #define OP_FMMAP "file_mmap"
 #define OP_FMPROT "file_mprotect"
+#define OP_INHERIT "file_inherit"
 
 #define OP_CREATE "create"
 #define OP_POST_CREATE "post_create"
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
index 19c483850770..df76c208473a 100644
--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -186,6 +186,8 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
 int aa_file_perm(const char *op, struct aa_profile *profile, struct file *file,
 		 u32 request);
 
+void aa_inherit_files(const struct cred *cred, struct files_struct *files);
+
 static inline void aa_free_file_rules(struct aa_file_rules *rules)
 {
 	aa_put_dfa(rules->dfa);