author | John Johansen <john.johansen@canonical.com> | 2017-06-09 17:22:50 -0700 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2017-06-10 17:11:48 -0700 |
commit | 6c5fc8f17a2528052bace1d91a3bef003bd1331d (patch) | |
tree | d03ffb8f609d39f2f2a25524ee51c2dde3881ccf /security | |
parent | 40cde7fcc344bc77c1ec9d291dcc35ab12f078aa (diff) | |
apparmor: add stacked domain labels interface
Update the user interface to support the stacked change_profile transition.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/apparmor/apparmorfs.c | 3 | ||||
-rw-r--r-- | security/apparmor/lsm.c | 5 |
2 files changed, 8 insertions, 0 deletions
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 6310bf1485b6..229845009a95 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -2132,6 +2132,7 @@ static struct aa_sfs_entry aa_sfs_entry_domain[] = {
 AA_SFS_FILE_BOOLEAN("change_hatv", 1),
 AA_SFS_FILE_BOOLEAN("change_onexec", 1),
 AA_SFS_FILE_BOOLEAN("change_profile", 1),
+ AA_SFS_FILE_BOOLEAN("stack", 1),
 AA_SFS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1),
 AA_SFS_FILE_STRING("version", "1.2"),
 { }
@@ -2175,6 +2176,8 @@ static struct aa_sfs_entry aa_sfs_entry_features[] = {
 static struct aa_sfs_entry aa_sfs_entry_apparmor[] = {
 AA_SFS_FILE_FOPS(".access", 0640, &aa_sfs_access),
+ AA_SFS_FILE_FOPS(".stacked", 0444, &seq_ns_stacked_fops),
+ AA_SFS_FILE_FOPS(".ns_stacked", 0444, &seq_ns_nsstacked_fops),
 AA_SFS_FILE_FOPS(".ns_level", 0666, &seq_ns_level_fops),
 AA_SFS_FILE_FOPS(".ns_name", 0640, &seq_ns_name_fops),
 AA_SFS_FILE_FOPS("profiles", 0440, &aa_sfs_profiles_fops),
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 0f7c5c2be732..867bcd154c7e 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -580,11 +580,16 @@ static int apparmor_setprocattr(const char *name, void *value,
 error = aa_change_profile(args, AA_CHANGE_NOFLAGS);
 } else if (strcmp(command, "permprofile") == 0) {
 error = aa_change_profile(args, AA_CHANGE_TEST);
+ } else if (strcmp(command, "stack") == 0) {
+ error = aa_change_profile(args, AA_CHANGE_STACK);
 } else
 goto fail;
 } else if (strcmp(name, "exec") == 0) {
 if (strcmp(command, "exec") == 0)
 error = aa_change_profile(args, AA_CHANGE_ONEXEC);
+ else if (strcmp(command, "stack") == 0)
+ error = aa_change_profile(args, (AA_CHANGE_ONEXEC |
+ AA_CHANGE_STACK));
 else
 goto fail;
 } else |
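Review bot: The two entries added to `aa_sfs_entry_apparmor[]`, `.stacked` and `.ns_stacked`, are created world-readable (0444) with no comment saying what each one reports or how they differ, and the commit message does not mention them. The neighbouring `.ns_name` is 0640, so it is worth confirming that exposing stacking state to every reader, including confined tasks, is intended. The handlers `seq_ns_stacked_fops` and `seq_ns_nsstacked_fops` are defined outside this hunk, so what they disclose cannot be checked from here. Once confirmed, I would add a comment above the pair such as `/* .stacked, .ns_stacked: stacking state as seen by the reader; 0444 is intentional */`, adjusted to whatever the handlers actually report.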
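Review bot: Both new `stack` branches pass the caller-supplied `args` to `aa_change_profile()` with `AA_CHANGE_STACK`, and nothing in this hunk shows where that request is permission-checked or that it can only add confinement to the task's label. That logic presumably lives in `aa_change_profile()`, outside the hunk, and should be confirmed both for the flag alone and for `AA_CHANGE_ONEXEC | AA_CHANGE_STACK`. A short comment at the dispatch would help the next reader, e.g. `/* "stack" is accepted for both current and exec; mediation happens in aa_change_profile() */`, if that is indeed where it happens. On style, the new `else if` in the `exec` branch has a two-line body without braces while the `current` branch is braced; bracing it would keep the two consistent. `apparmor_setprocattr()` begins and ends outside the hunk.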