[apparmor] [PATCH] export set of capabilities supported by the apparmor module
Seth Arnold
seth.arnold at canonical.com
Tue Jul 23 22:19:13 UTC 2013
On Sat, Jul 20, 2013 at 01:58:52AM -0700, John Johansen wrote:
> so yet another patch that has just been sitting in the queue, mostly
> waiting on the userspace feature buffer size fix that rolled out a while ago.
>
> ---
>
> apparmor: export set of capabilities supported by the apparmor module
>
> This exports the set of capability names as generated by the kernel
> so that the policy compiler can support capability names as keywords
> dynamically when the kernel picks up new capabilities.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
>
> diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
> index 5706b74..0831e04 100644
> --- a/security/apparmor/Makefile
> +++ b/security/apparmor/Makefile
> @@ -18,7 +18,11 @@ quiet_cmd_make-caps = GEN $@
> cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\
> sed $< >>$@ -r -n -e '/CAP_FS_MASK/d' \
> -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\
> - echo "};" >> $@
> + echo "};" >> $@ ;\
> + echo -n '\#define AA_FS_CAPS_MASK "' >> $@ ;\
> + sed $< -r -n -e '/CAP_FS_MASK/d' \
> + -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/\L\1/p' | \
> + tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
>
>
> # Build a lower case string table of rlimit names.
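Review bot: `echo -n` on the added `AA_FS_CAPS_MASK` line is not portable across `/bin/sh` implementations (POSIX leaves `-n` implementation-defined and some shells print it literally), so whether the generated `#define` line stays intact depends on which shell kbuild runs the recipe with; `printf '\#define AA_FS_CAPS_MASK "' >> $@ ;\` has the same effect without that dependency. The rest of the new pipeline already assumes GNU sed (`\L`, `\n` in the replacement), which matches the existing `capability_names` rule, so that part is consistent. A comment above `cmd_make-caps` saying that the generated macro is a space-separated list of lower-case capability names (consumed as a string by `AA_FS_FILE_STRING` in capability.c) would also help, since `MASK` in the name reads like a bitmask.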
> diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
> index 7a26608..d708a55 100644
> --- a/security/apparmor/apparmorfs.c
> +++ b/security/apparmor/apparmorfs.c
> @@ -773,6 +773,7 @@ static struct aa_fs_entry aa_fs_entry_features[] = {
> AA_FS_DIR("file", aa_fs_entry_file),
> AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
> AA_FS_DIR("rlimit", aa_fs_entry_rlimit),
> + AA_FS_DIR("caps", aa_fs_entry_caps),
> { }
> };
>
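Review bot: The new `AA_FS_DIR("caps", aa_fs_entry_caps)` entry sits next to `AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK)` and nothing in the table says how the two differ: one is a numeric flags mask, the other a directory whose `mask` file is a string of capability names. A short comment on the added line, `/* caps/mask: names of the capabilities this kernel supports, see capability.c */`, would spare a reader of the features tree a trip to capability.c. The entry also relies on `aa_fs_entry_caps` being declared in a header that apparmorfs.c includes; the patch adds the extern to include/capability.h, but this hunk does not show apparmorfs.c's include list, so that is worth confirming. The `aa_fs_entry_features[]` table starts before this hunk.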
> diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
> index 887a5e9..84d1f5f 100644
> --- a/security/apparmor/capability.c
> +++ b/security/apparmor/capability.c
> @@ -27,6 +27,11 @@
> */
> #include "capability_names.h"
>
> +struct aa_fs_entry aa_fs_entry_caps[] = {
> + AA_FS_FILE_STRING("mask", AA_FS_CAPS_MASK),
> + { }
> +};
> +
> struct audit_cache {
> struct aa_profile *profile;
> kernel_cap_t caps;
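Review bot: `aa_fs_entry_caps` is added without a comment, and neither the table nor the `mask` file name tells a reader that `AA_FS_CAPS_MASK` is a generated string rather than a bit mask. Suggest above the definition: `/* features/caps/mask: space-separated, lower-case names of every capability this kernel was built with; AA_FS_CAPS_MASK is generated into capability_names.h by the Makefile */`. The same applies to the matching `extern struct aa_fs_entry aa_fs_entry_caps[];` added to include/capability.h, which could carry a one-line version of that comment. Since the description says the policy compiler uses this list to decide which capability keywords to accept, stating that the set is fixed at kernel build time makes the contract with userspace explicit.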
> diff --git a/security/apparmor/include/capability.h b/security/apparmor/include/capability.h
> index c24d295..2e7c9d6 100644
> --- a/security/apparmor/include/capability.h
> +++ b/security/apparmor/include/capability.h
> @@ -17,6 +17,8 @@
>
> #include <linux/sched.h>
>
> +#include "apparmorfs.h"
> +
> struct aa_profile;
>
> /* aa_caps - confinement data for capabilities
> @@ -34,6 +36,8 @@ struct aa_caps {
> kernel_cap_t extended;
> };
>
> +extern struct aa_fs_entry aa_fs_entry_caps[];
> +
> int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap,
> int audit);
>
>