From a71ada305801e940ff69c2c58489778760e5148b Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Mon, 16 Jan 2017 00:42:45 -0800
Subject: apparmor: add special .null file used to "close" fds at exec

Borrow the special null device file from selinux to "close" fds that don't have sufficient permissions at exec time.

Signed-off-by: John Johansen
---
 security/apparmor/include/apparmorfs.h | 2 ++
 security/apparmor/include/policy_ns.h | 2 ++
 2 files changed, 4 insertions(+)

(limited to 'security/apparmor/include')

diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
index 5626bd4..eeeae5b 100644
--- a/security/apparmor/include/apparmorfs.h
+++ b/security/apparmor/include/apparmorfs.h
@@ -15,6 +15,8 @@
 #ifndef __AA_APPARMORFS_H
 #define __AA_APPARMORFS_H
 
+extern struct path aa_null;
+
 enum aa_fs_type {
 	AA_FS_TYPE_BOOLEAN,
 	AA_FS_TYPE_STRING,
diff --git a/security/apparmor/include/policy_ns.h b/security/apparmor/include/policy_ns.h
index 820d86d2..89cffdd 100644
--- a/security/apparmor/include/policy_ns.h
+++ b/security/apparmor/include/policy_ns.h
@@ -44,6 +44,7 @@ struct aa_ns_acct {
  * @sub_ns: list of namespaces under the current namespace.
  * @uniq_null: uniq value used for null learning profiles
  * @uniq_id: a unique id count for the profiles in the namespace
+ * @level: level of ns within the tree hierarchy
  * @dents: dentries for the namespaces file entries in apparmorfs
  *
  * An aa_ns defines the set profiles that are searched to determine which
@@ -66,6 +67,7 @@ struct aa_ns {
 	struct list_head sub_ns;
 	atomic_t uniq_null;
 	long uniq_id;
+	int level;
 	struct dentry *dents[AAFS_NS_SIZEOF];
 };
 
-- 
cgit v1.1
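Review bot: The new `extern struct path aa_null;` in apparmorfs.h introduces the `struct path` tag with no prior declaration or include visible in this header, so the dependency is implicit; a forward declaration `struct path;` above it, or including <linux/path.h>, keeps the header self-contained. The declaration also carries no comment explaining what the object is: the commit message says it is the null device path borrowed from SELinux used to replace fds lacking sufficient permission at exec, so a line such as `/* apparmorfs .null device; fds without permission at exec are reopened on it */` would tell readers its purpose. Where aa_null is defined and initialized is outside this diff (limited to include/); code on the exec path presumably must not dereference it before apparmorfs has populated it, which is worth confirming in the defining file.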
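Review bot: The `int level` member added to struct aa_ns in policy_ns.h, together with its kerneldoc line in the earlier hunk of that file, is not mentioned in the commit description, which only covers the .null file; either the description should say why a namespace depth is needed here or the field belongs in its own commit. The kerneldoc `level of ns within the tree hierarchy` also leaves the base and the maintainer of the value unstated; once confirmed against the namespace allocator (outside this diff), something like `@level: depth of the ns in the tree (root ns is 0); set when the ns is created` would be more useful. The struct aa_ns definition begins before the hunk.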