[apparmor] [PATCH 22/27] apparmor: add an optional profile attachment string
John Johansen
john.johansen at canonical.com
Wed Nov 21 04:40:02 UTC 2012
Add the ability to take in and report a human readable profile attachment
string.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
security/apparmor/apparmorfs.c | 9 +++++++++
security/apparmor/include/apparmorfs.h | 1 +
security/apparmor/include/policy.h | 2 ++
security/apparmor/policy_unpack.c | 3 +++
4 files changed, 15 insertions(+)
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 2a73768..e935266 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -336,6 +336,15 @@ int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent)
goto fail;
profile->dents[AAFS_PROF_MODE] = dent;
+ if (profile->attach) {
+ dent = securityfs_create_file("attach", S_IFREG | 0444, dir,
+ &profile->attach,
+ &aa_fs_seq_string_fops);
+ if (IS_ERR(dent))
+ goto fail;
+ profile->dents[AAFS_PROF_ATTACH] = dent;
+ }
+
list_for_each_entry(child, &profile->base.profiles, base.list) {
error = __aa_fs_profile_mkdir(child, profile->dents[AAFS_PROF_PROFS]);
if (error)
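Review bot: The "attach" file is created only when profile->attach is non-NULL, so profile->dents[AAFS_PROF_ATTACH] stays NULL for profiles that carry no attachment string, unlike the unconditional name/mode entries just above; the teardown that walks dents[] is outside this hunk, so confirm it tolerates a NULL slot. The string is exposed through &profile->attach with aa_fs_seq_string_fops at mode 0444, consistent with the sibling files, so any reader of the profile directory can see it — acceptable for a policy attachment string, but the slot's optional nature deserves a comment, e.g. `/* attach is optional; dents[AAFS_PROF_ATTACH] stays NULL when absent */`. __aa_fs_profile_mkdir continues outside the hunk.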
diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
index 1ab7efd..00259a1 100644
--- a/security/apparmor/include/apparmorfs.h
+++ b/security/apparmor/include/apparmorfs.h
@@ -76,6 +76,7 @@ enum aafs_prof_type {
AAFS_PROF_PROFS,
AAFS_PROF_NAME,
AAFS_PROF_MODE,
+ AAFS_PROF_ATTACH,
AAFS_PROF_SIZE,
};
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 07fc7b0..b422c99 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -156,6 +156,7 @@ struct aa_policydb {
* @ns: namespace the profile is in
* @replacedby: is set to the profile that replaced this profile
* @rename: optional profile name that this profile renamed
+ * @attach: human readable attachment string
* @xmatch: optional extended matching for unconfined executables names
* @xmatch_len: xmatch prefix len, used to determine xmatch priority
* @audit: the auditing mode of the profile
@@ -194,6 +195,7 @@ struct aa_profile {
struct aa_profile __rcu *replacedby;
const char *rename;
+ const char *attach;
struct aa_dfa *xmatch;
int xmatch_len;
enum audit_mode audit;
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 9da2506..fd3c2a2 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -491,6 +491,9 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
/* profile renaming is optional */
(void) unpack_str(e, &profile->rename, "rename");
+ /* attachment string is optional */
+ (void) unpack_str(e, &profile->attach, "attach");
+
/* xmatch is optional and may be NULL */
profile->xmatch = unpack_dfa(e);
if (IS_ERR(profile->xmatch)) {
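Review bot: Nothing in this patch releases or pins profile->attach once unpack_str has filled it, and the free path where rename is handled is not in the diff; the string must now live as long as the profile, because the securityfs "attach" file added in apparmorfs.c dereferences it on every read, so confirm that unpack_str's result has profile lifetime and that free_profile treats attach exactly as it treats rename. The return value is discarded, as for rename, which makes a malformed "attach" chunk a silent non-error rather than an unpack failure; confirm that path leaves attach NULL rather than pointing at partial data, and say so in the comment: `/* attachment string is optional; unpack failure leaves attach NULL */`. unpack_profile continues outside the hunk.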
--
1.7.10.4