apparmor: add stacked domain labels interface
authorJohn Johansen <john.johansen@canonical.com>
Sat, 10 Jun 2017 00:22:50 +0000 (17:22 -0700)
committerJohn Johansen <john.johansen@canonical.com>
Sun, 11 Jun 2017 00:11:48 +0000 (17:11 -0700)
Update the user interface to support the stacked change_profile transition.

Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/apparmorfs.c
security/apparmor/lsm.c

index 6310bf1485b6017831e6c69101bb6c8f7679ee28..229845009a95c0768eb0ce2523c8278b7c4490f6 100644 (file)
@@ -2132,6 +2132,7 @@ static struct aa_sfs_entry aa_sfs_entry_domain[] = {
        AA_SFS_FILE_BOOLEAN("change_hatv",      1),
        AA_SFS_FILE_BOOLEAN("change_onexec",    1),
        AA_SFS_FILE_BOOLEAN("change_profile",   1),
+       AA_SFS_FILE_BOOLEAN("stack",            1),
        AA_SFS_FILE_BOOLEAN("fix_binfmt_elf_mmap",      1),
        AA_SFS_FILE_STRING("version", "1.2"),
        { }
@@ -2175,6 +2176,8 @@ static struct aa_sfs_entry aa_sfs_entry_features[] = {
 
 static struct aa_sfs_entry aa_sfs_entry_apparmor[] = {
        AA_SFS_FILE_FOPS(".access", 0640, &aa_sfs_access),
+       AA_SFS_FILE_FOPS(".stacked", 0444, &seq_ns_stacked_fops),
+       AA_SFS_FILE_FOPS(".ns_stacked", 0444, &seq_ns_nsstacked_fops),
        AA_SFS_FILE_FOPS(".ns_level", 0666, &seq_ns_level_fops),
        AA_SFS_FILE_FOPS(".ns_name", 0640, &seq_ns_name_fops),
        AA_SFS_FILE_FOPS("profiles", 0440, &aa_sfs_profiles_fops),
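Review bot: The two added entries `.stacked` and `.ns_stacked` are created 0444 while the neighbouring `.ns_name` is 0640, and nothing in the hunk records why this state may be readable by every user. If the files report only the opening task's own label, which the hunk does not show, a short comment above them would capture that, for example `/* reports the opener's own label state; world-readable by design */`. The handler names are also easy to mix up: `.stacked` is served by `seq_ns_stacked_fops` and `.ns_stacked` by `seq_ns_nsstacked_fops`. Their definitions are outside this hunk, so the actual output could not be checked here.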
index 0f7c5c2be732c2c3cb34495ec8a974ef2b1a1af6..867bcd154c7e632942185a4b609f24197bf0f4ec 100644 (file)
@@ -580,11 +580,16 @@ static int apparmor_setprocattr(const char *name, void *value,
                        error = aa_change_profile(args, AA_CHANGE_NOFLAGS);
                } else if (strcmp(command, "permprofile") == 0) {
                        error = aa_change_profile(args, AA_CHANGE_TEST);
+               } else if (strcmp(command, "stack") == 0) {
+                       error = aa_change_profile(args, AA_CHANGE_STACK);
                } else
                        goto fail;
        } else if (strcmp(name, "exec") == 0) {
                if (strcmp(command, "exec") == 0)
                        error = aa_change_profile(args, AA_CHANGE_ONEXEC);
+               else if (strcmp(command, "stack") == 0)
+                       error = aa_change_profile(args, (AA_CHANGE_ONEXEC |
+                                                        AA_CHANGE_STACK));
                else
                        goto fail;
        } else
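Review bot: The new `stack` command in the `current` branch has no test-only counterpart the way `changeprofile` has `permprofile` (`AA_CHANGE_TEST`), so a caller cannot ask whether stacking would be permitted without applying it. If that is deliberate, a one-line comment next to the branch would say so, for example `/* no test-only variant for stack: <reason> */`. Both added branches pass `args` straight to `aa_change_profile()`, so whether a task may stack, and onto which label, is decided entirely by how that function handles `AA_CHANGE_STACK`, which is not visible here. A comment above the command dispatch listing the accepted commands per attribute (`current`: changehat, permhat, changeprofile, permprofile, stack; `exec`: exec, stack) would keep the userspace interface documented where it is parsed. `apparmor_setprocattr` begins before and continues past this hunk.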