summaryrefslogtreecommitdiffstats
path: root/security/apparmor/include
diff options
context:
space:
mode:
authorWilliam Hua <william.hua@canonical.com>2017-01-16 01:49:28 +0100
committerJohn Johansen <john.johansen@canonical.com>2017-01-16 10:18:51 +0100
commite025be0f26d5597b0a2bdfa65145a0171e77b614 (patch)
tree0f9300ae3893d6af776466d12fe22a739d01d75d /security/apparmor/include
parentapparmor: update cap audit to check SECURITY_CAP_NOAUDIT (diff)
downloadlinux-e025be0f26d5597b0a2bdfa65145a0171e77b614.tar.xz
linux-e025be0f26d5597b0a2bdfa65145a0171e77b614.zip
apparmor: support querying extended trusted helper extra data
Allow a profile to carry extra data that can be queried via userspace. This provides a means to store extra data in a profile that a trusted helper can extract and use from live policy. Signed-off-by: William Hua <william.hua@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/include')
-rw-r--r--security/apparmor/include/policy.h16
1 files changed, 16 insertions, 0 deletions
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index a5a997896836..93b1b1f440d3 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -18,6 +18,7 @@
#include <linux/capability.h>
#include <linux/cred.h>
#include <linux/kref.h>
+#include <linux/rhashtable.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/socket.h>
@@ -98,6 +99,19 @@ struct aa_proxy {
struct aa_profile __rcu *profile;
};
+/* struct aa_data - generic data structure
+ * key: name for retrieving this data
+ * size: size of data in bytes
+ * data: binary data
+ * head: reserved for rhashtable
+ */
+struct aa_data {
+ char *key;
+ u32 size;
+ char *data;
+ struct rhash_head head;
+};
+
/* struct aa_profile - basic confinement data
* @base - base components of the profile (name, refcount, lists, lock ...)
@@ -122,6 +136,7 @@ struct aa_proxy {
*
* @dents: dentries for the profiles file entries in apparmorfs
* @dirname: name of the profile dir in apparmorfs
+ * @data: hashtable for free-form policy aa_data
*
* The AppArmor profile contains the basic confinement data. Each profile
* has a name, and exists in a namespace. The @name and @exec_match are
@@ -165,6 +180,7 @@ struct aa_profile {
unsigned char *hash;
char *dirname;
struct dentry *dents[AAFS_PROF_SIZEOF];
+ struct rhashtable *data;
};
extern enum profile_mode aa_g_profile_mode;