diff options
author | Matthew Garrett <mjg59@google.com> | 2018-02-08 21:37:19 +0100 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2018-02-09 20:30:02 +0100 |
commit | 8e51f9087f4024d20f70f4d9831e1f45d8088331 (patch) | |
tree | a466a6dfa9ffd57b9919b89931bc18fbddb1517e /security/apparmor/policy.c | |
parent | apparmor: cleanup: simplify code to get ns symlink name (diff) | |
download | linux-8e51f9087f4024d20f70f4d9831e1f45d8088331.tar.xz linux-8e51f9087f4024d20f70f4d9831e1f45d8088331.zip |
apparmor: Add support for attaching profiles via xattr, presence and value
Make it possible to tie Apparmor profiles to the presence of one or more
extended attributes, and optionally their values. An example usecase for
this is to automatically transition to a more privileged Apparmor profile
if an executable has a valid IMA signature, which can then be appraised
by the IMA subsystem.
Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/policy.c')
-rw-r--r-- | security/apparmor/policy.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c index a8e096a88e62..7fee546ba10d 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -210,6 +210,7 @@ static void aa_free_data(void *ptr, void *arg) void aa_free_profile(struct aa_profile *profile) { struct rhashtable *rht; + int i; AA_DEBUG("%s(%p)\n", __func__, profile); @@ -227,6 +228,13 @@ void aa_free_profile(struct aa_profile *profile) aa_free_cap_rules(&profile->caps); aa_free_rlimit_rules(&profile->rlimits); + for (i = 0; i < profile->xattr_count; i++) { + kzfree(profile->xattrs[i]); + kzfree(profile->xattr_values[i]); + } + kzfree(profile->xattrs); + kzfree(profile->xattr_lens); + kzfree(profile->xattr_values); kzfree(profile->dirname); aa_put_dfa(profile->xmatch); aa_put_dfa(profile->policy.dfa); |