diff options
author | Kees Cook <kees@outflux.net> | 2012-01-26 16:29:21 -0800 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2012-02-27 11:38:17 -0800 |
commit | e74abcf3359d0130e99a6511ac484a3ea9e6e988 (patch) | |
tree | 53b512c463f58546f810f7db876b81bebf4c786a | |
parent | 9acd494be9387b0608612cd139967201dd7a4e12 (diff) | |
download | op-kernel-dev-e74abcf3359d0130e99a6511ac484a3ea9e6e988.zip op-kernel-dev-e74abcf3359d0130e99a6511ac484a3ea9e6e988.tar.gz |
AppArmor: add initial "features" directory to securityfs
This adds the "features" subdirectory to the AppArmor securityfs
to display boolean features flags and the known capability mask.
Signed-off-by: Kees Cook <kees@ubuntu.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
-rw-r--r-- | security/apparmor/apparmorfs.c | 51 | ||||
-rw-r--r-- | security/apparmor/include/apparmorfs.h | 14 |
2 files changed, 65 insertions, 0 deletions
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 1e22bb3..f30dada 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -18,6 +18,7 @@ #include <linux/seq_file.h> #include <linux/uaccess.h> #include <linux/namei.h> +#include <linux/capability.h> #include "include/apparmor.h" #include "include/apparmorfs.h" @@ -142,12 +143,62 @@ static const struct file_operations aa_fs_profile_remove = { .llseek = default_llseek, }; +static int aa_fs_seq_show(struct seq_file *seq, void *v) +{ + struct aa_fs_entry *fs_file = seq->private; + + if (!fs_file) + return 0; + + switch (fs_file->v_type) { + case AA_FS_TYPE_BOOLEAN: + seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no"); + break; + case AA_FS_TYPE_U64: + seq_printf(seq, "%#08lx\n", fs_file->v.u64); + break; + default: + /* Ignore unpritable entry types. */ + break; + } + + return 0; +} + +static int aa_fs_seq_open(struct inode *inode, struct file *file) +{ + return single_open(file, aa_fs_seq_show, inode->i_private); +} + +const struct file_operations aa_fs_seq_file_ops = { + .owner = THIS_MODULE, + .open = aa_fs_seq_open, + .read = seq_read, + .llseek = seq_lseek, + .release = single_release, +}; + /** Base file system setup **/ +static struct aa_fs_entry aa_fs_entry_domain[] = { + AA_FS_FILE_BOOLEAN("change_hat", 1), + AA_FS_FILE_BOOLEAN("change_hatv", 1), + AA_FS_FILE_BOOLEAN("change_onexec", 1), + AA_FS_FILE_BOOLEAN("change_profile", 1), + { } +}; + +static struct aa_fs_entry aa_fs_entry_features[] = { + AA_FS_DIR("domain", aa_fs_entry_domain), + AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), + { } +}; + static struct aa_fs_entry aa_fs_entry_apparmor[] = { AA_FS_FILE_FOPS(".load", 0640, &aa_fs_profile_load), AA_FS_FILE_FOPS(".replace", 0640, &aa_fs_profile_replace), AA_FS_FILE_FOPS(".remove", 0640, &aa_fs_profile_remove), + AA_FS_DIR("features", aa_fs_entry_features), { } }; diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h index 4fdf02f..16e6545 100644 --- a/security/apparmor/include/apparmorfs.h +++ b/security/apparmor/include/apparmorfs.h @@ -16,6 +16,8 @@ #define __AA_APPARMORFS_H enum aa_fs_type { + AA_FS_TYPE_BOOLEAN, + AA_FS_TYPE_U64, AA_FS_TYPE_FOPS, AA_FS_TYPE_DIR, }; @@ -28,11 +30,23 @@ struct aa_fs_entry { umode_t mode; enum aa_fs_type v_type; union { + bool boolean; + unsigned long u64; struct aa_fs_entry *files; } v; const struct file_operations *file_ops; }; +extern const struct file_operations aa_fs_seq_file_ops; + +#define AA_FS_FILE_BOOLEAN(_name, _value) \ + { .name = (_name), .mode = 0444, \ + .v_type = AA_FS_TYPE_BOOLEAN, .v.boolean = (_value), \ + .file_ops = &aa_fs_seq_file_ops } +#define AA_FS_FILE_U64(_name, _value) \ + { .name = (_name), .mode = 0444, \ + .v_type = AA_FS_TYPE_U64, .v.u64 = (_value), \ + .file_ops = &aa_fs_seq_file_ops } #define AA_FS_FILE_FOPS(_name, _mode, _fops) \ { .name = (_name), .v_type = AA_FS_TYPE_FOPS, \ .mode = (_mode), .file_ops = (_fops) } |