apparmor: add user mode flag
Allow the profile to contain a user mode prompt flag. This works similarly to complain mode but will try to send messages to a userspace daemon. If the daemon is not present or times out, regular enforcement will occur. Signed-off-by: John Johansen <john.johansen@canonical.com>
Родитель
8c4b785a86
Коммит
22fac8a051
@ -44,6 +44,8 @@ extern const char *const aa_profile_mode_names[];
#define COMPLAIN_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_COMPLAIN)
#define COMPLAIN_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_COMPLAIN)
#define USER_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_USER)
#define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL)
#define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL)
#define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT)
#define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT)
@ -67,6 +69,7 @@ enum profile_mode {
APPARMOR_COMPLAIN, /* allow and log access violations */
APPARMOR_COMPLAIN, /* allow and log access violations */
APPARMOR_KILL, /* kill task on access violation */
APPARMOR_KILL, /* kill task on access violation */
APPARMOR_UNCONFINED, /* profile set to unconfined */
APPARMOR_UNCONFINED, /* profile set to unconfined */
APPARMOR_USER, /* modified complain mode to userspace */
};
};
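Review bot: `APPARMOR_USER` is appended as the last enumerator, and the policy.c hunk adds "user" as the last entry of `aa_profile_mode_names[]`, which appears to be indexed by this enum; that positional coupling is the only thing keeping the two in step and is not stated anywhere. The trailing comment `/* modified complain mode to userspace */` also says nothing about the behaviour the commit message describes. I would let the comment carry both: `APPARMOR_USER, /* like complain, but consult a userspace daemon; keep in sync with aa_profile_mode_names[] */`. The same ordering point applies to the policy.c hunk.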
@ -36,6 +36,7 @@ struct aa_load_ent *aa_load_ent_alloc(void);
#define PACKED_MODE_COMPLAIN 1
#define PACKED_MODE_COMPLAIN 1
#define PACKED_MODE_KILL 2
#define PACKED_MODE_KILL 2
#define PACKED_MODE_UNCONFINED 3
#define PACKED_MODE_UNCONFINED 3
#define PACKED_MODE_USER 4
struct aa_ns;
struct aa_ns;
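Review bot: `PACKED_MODE_USER 4` is a value read out of the policy blob (the unpack_profile hunk compares the unpacked `tmp` against it), so it is part of the packed policy format shared with the userspace parser rather than an internal constant, and nothing in the header says so. A short comment on the define would record that, e.g. `#define PACKED_MODE_USER 4 /* user/prompt mode; part of the packed policy format, must match the parser */`, and the neighbouring PACKED_MODE_* values would benefit from the same. Whether the parser side already emits 4 for this mode is not visible from this commit.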
@ -327,11 +327,8 @@ void aa_apply_modes_to_perms(struct aa_profile *profile, struct aa_perms *perms)
perms->kill = ALL_PERMS_MASK;
perms->kill = ALL_PERMS_MASK;
else if (COMPLAIN_MODE(profile))
else if (COMPLAIN_MODE(profile))
perms->complain = ALL_PERMS_MASK;
perms->complain = ALL_PERMS_MASK;
/*
else if (USER_MODE(profile))
* TODO:
perms->prompt = ALL_PERMS_MASK;
* else if (PROMPT_MODE(profile))
* perms->prompt = ALL_PERMS_MASK;
*/
}
}
/**
/**
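Review bot: The new branch tests `USER_MODE(profile)` but fills `perms->prompt`, and the TODO comment it replaces called the same concept `PROMPT_MODE`; one name for the mode would help, or at least a comment explaining why the mode is "user" while the permission mask is "prompt". Nothing in this hunk implements the fallback the commit message promises (regular enforcement when the daemon is absent or times out): `prompt` is set to `ALL_PERMS_MASK` unconditionally, so that decision has to live wherever `perms->prompt` is consumed, and a comment here would pin the contract, e.g. `/* prompt covers every perm; the consumer must fall back to the enforce decision if no daemon answers */`. Whether `struct aa_perms` already has a `prompt` member cannot be confirmed from this hunk. `aa_apply_modes_to_perms()` starts outside the hunk.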
@ -94,6 +94,7 @@ const char *const aa_profile_mode_names[] = {
"complain",
"complain",
"kill",
"kill",
"unconfined",
"unconfined",
"user",
};
};
@ -761,6 +761,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
} else if (tmp == PACKED_MODE_UNCONFINED) {
} else if (tmp == PACKED_MODE_UNCONFINED) {
profile->mode = APPARMOR_UNCONFINED;
profile->mode = APPARMOR_UNCONFINED;
profile->label.flags |= FLAG_UNCONFINED;
profile->label.flags |= FLAG_UNCONFINED;
} else if (tmp == PACKED_MODE_USER) {
profile->mode = APPARMOR_USER;
} else {
} else {
goto fail;
goto fail;
}
}
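Review bot: The `PACKED_MODE_USER` branch sets only `profile->mode`, whereas the `PACKED_MODE_UNCONFINED` branch right above it also raises a flag in `profile->label.flags`; if user mode is meant to be recognisable at the label level the way unconfined is, a flag is missing here, and if not, a one-line comment such as `/* user mode carries no label flag; its leniency is applied in aa_apply_modes_to_perms() */` would save the next reader the question. The earlier complain/enforce branches and any mode-override handling sit above this hunk, so whether a forced-complain profile still takes precedence over a user-mode blob cannot be checked from here. `unpack_profile()` starts outside the hunk.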