apparmor: mediate files when they are received

Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 20fa6c77db0590b42e355b25aebced606489a2fe..99ed83cf6941c594b3414136a8dbdc44a9617664 100644 (file)
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -64,6 +64,7 @@ enum audit_type {
 #define OP_GETATTR "getattr"
 #define OP_OPEN "open"
 
+#define OP_FRECEIVE "file_receive"
 #define OP_FPERM "file_perm"
 #define OP_FLOCK "file_lock"
 #define OP_FMMAP "file_mmap"

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 7a986763b2b70a579128f71392636edbb17b9148..0f7c5c2be732c2c3cb34495ec8a974ef2b1a1af6 100644 (file)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -456,6 +456,11 @@ static int common_file_perm(const char *op, struct file *file, u32 mask)
        return error;
 }
 
+static int apparmor_file_receive(struct file *file)
+{
+       return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file));
+}
+
 static int apparmor_file_permission(struct file *file, int mask)
 {
        return common_file_perm(OP_FPERM, file, mask);
@@ -665,6 +670,7 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
        LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr),
 
        LSM_HOOK_INIT(file_open, apparmor_file_open),
+       LSM_HOOK_INIT(file_receive, apparmor_file_receive),
        LSM_HOOK_INIT(file_permission, apparmor_file_permission),
        LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security),
        LSM_HOOK_INIT(file_free_security, apparmor_file_free_security),