authorMatthew Garrett <mjg59@google.com>2018-02-08 21:37:19 +0100
committerJohn Johansen <john.johansen@canonical.com>2018-02-09 20:30:02 +0100
commit8e51f9087f4024d20f70f4d9831e1f45d8088331 (patch)
treea466a6dfa9ffd57b9919b89931bc18fbddb1517e /security/apparmor/policy.c
parentapparmor: cleanup: simplify code to get ns symlink name (diff)
apparmor: Add support for attaching profiles via xattr, presence and value
Make it possible to tie AppArmor profiles to the presence of one or more extended attributes, and optionally their values. An example use case for this is to automatically transition to a more privileged AppArmor profile if an executable has a valid IMA signature, which can then be appraised by the IMA subsystem. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/policy.c')
-rw-r--r--security/apparmor/policy.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index a8e096a88e62..7fee546ba10d 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -210,6 +210,7 @@ static void aa_free_data(void *ptr, void *arg)
void aa_free_profile(struct aa_profile *profile)
{
struct rhashtable *rht;
+ int i;
AA_DEBUG("%s(%p)\n", __func__, profile);
@@ -227,6 +228,13 @@ void aa_free_profile(struct aa_profile *profile)
aa_free_cap_rules(&profile->caps);
aa_free_rlimit_rules(&profile->rlimits);
+ for (i = 0; i < profile->xattr_count; i++) {
+ kzfree(profile->xattrs[i]);
+ kzfree(profile->xattr_values[i]);
+ }
+ kzfree(profile->xattrs);
+ kzfree(profile->xattr_lens);
+ kzfree(profile->xattr_values);
kzfree(profile->dirname);
aa_put_dfa(profile->xmatch);
aa_put_dfa(profile->policy.dfa);
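Review bot: The new loop in aa_free_profile() indexes `profile->xattrs[i]` and `profile->xattr_values[i]` without checking that either array pointer is non-NULL, so a profile freed after a partial unpack (count set, but an array allocation failed or the values array was never created) would dereference NULL in the teardown path. The code that sets `xattr_count` and allocates these arrays is not in this file's diff, so whether that state is reachable needs confirming there; if it is, guard the per-element frees, e.g. `if (profile->xattrs) kzfree(profile->xattrs[i]);` and `if (profile->xattr_values) kzfree(profile->xattr_values[i]);`. The index added in the first hunk is `int i`; if `xattr_count` is declared unsigned or wider, give `i` the same type so the loop comparison is not mixed-sign. The body of aa_free_profile() starts and ends outside both hunks.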