AppArmor: file enforcement routines
author John Johansen <john.johansen@canonical.com>
Thu, 29 Jul 2010 21:48:04 +0000 (14:48 -0700)
committer James Morris <jmorris@namei.org>
Mon, 2 Aug 2010 05:35:14 +0000 (15:35 +1000)
commit 6380bd8ddf613b29f478396308b591867d401de4
tree 6d8fc9356a652f8452ccf49e7f79cc700cc2768d
parent 63e2b423771ab0bc7ad4d407f3f6517c6d05cdc0
AppArmor: file enforcement routines

AppArmor does file enforcement via pathname matching.  Matching is done
at file open using a dfa match engine.  Permission is against the final
file object not parent directories, i.e. the traversal of directories
as part of the file match is implicitly allowed.  In the case of nonexistent
files (creation) permissions are checked against the target file not the
directory.  e.g. In case of creating the file /dir/new, permissions are
checked against the match /dir/new not against /dir/.

The permissions for matches are currently stored in the dfa accept table,
but this will change to allow for dfa reuse and also to allow for sharing
of wider accept states.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
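The mediation model the commit message describes (match the full pathname of the target object once at open time; never check parent directories separately; on creation, match the new file's path rather than its directory) can be illustrated with a small user-space model. The following Python is an added example, not code from this commit or from the AppArmor project: the kernel uses a compiled DFA, whereas this model translates a simplified AppArmor-style glob (`*` does not cross `/`, `**` does) into a regular expression, and the toy profile and paths are constructed for the demonstration.

```python
import re

# Constructed toy profile in (pattern, permissions) form.  This is an
# assumption for illustration, not a real AppArmor profile.
TOY_PROFILE = [
    ("/etc/passwd", "r"),
    ("/dir/**", "rw"),   # "**" crosses directory boundaries
    ("/tmp/*", "w"),     # "*" stays within one path component
]


def glob_to_regex(pattern):
    """Translate the simplified glob syntax into an anchored regex.

    Simplification of AppArmor's globbing (assumption): "**" matches any
    characters including "/", "*" and "?" match within one component.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def lookup_perms(profile, path):
    """Union of permissions from every rule whose pattern matches the full path.

    Only the final pathname is consulted; there is no per-directory walk.
    """
    perms = set()
    for pattern, p in profile:
        if glob_to_regex(pattern).match(path):
            perms.update(p)
    return perms


def check_open(profile, path, requested):
    """Model of the open-time check: (allowed, missing_permissions).

    The path handed in is the target object itself.  For a file that does
    not yet exist (creation) the caller passes the new file's path, so
    /dir/new is matched rather than /dir/.
    """
    granted = lookup_perms(profile, path)
    missing = set(requested) - granted
    return (not missing, "".join(sorted(missing)))


if __name__ == "__main__":
    # Creating /dir/new is judged against "/dir/new", which "/dir/**" grants,
    # even though no rule grants anything on the directory "/dir" itself.
    print(check_open(TOY_PROFILE, "/dir/new", "w"))      # (True, '')
    print(check_open(TOY_PROFILE, "/dir", "r"))          # (False, 'r')
    # "*" does not cross "/", so a file one level deeper is not covered.
    print(check_open(TOY_PROFILE, "/tmp/sub/file", "w")) # (False, 'w')
```

The interesting cases are the ones the commit text calls out: opening `/dir/new` for writing succeeds although `/dir` alone carries no permission, because directory traversal is implicit in matching the final path, and the creation check is performed against the target name rather than its parent.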
security/apparmor/file.c [new file with mode: 0644]
security/apparmor/include/file.h [new file with mode: 0644]