apparmor: add user mode flag

Allow the profile to contain a user mode prompt flag. This works similar
to complain mode but will try to send messages to a userspace daemon.
If the daemon is not present or timesout regular informent will occur.

Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index a28a662a06221591232f62ad5532f5208dce9840..9fc5d7fa36e86db52131c07c7a249c8d0a5198f0 100644 (file)
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -44,6 +44,8 @@ extern const char *const aa_profile_mode_names[];
 
 #define COMPLAIN_MODE(_profile)        PROFILE_MODE((_profile), APPARMOR_COMPLAIN)
 
+#define USER_MODE(_profile)    PROFILE_MODE((_profile), APPARMOR_USER)
+
 #define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL)
 
 #define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT)
@@ -67,6 +69,7 @@ enum profile_mode {
        APPARMOR_COMPLAIN,      /* allow and log access violations */
        APPARMOR_KILL,          /* kill task on access violation */
        APPARMOR_UNCONFINED,    /* profile set to unconfined */
+       APPARMOR_USER,          /* modified complain mode to userspace */
 };
 
 

diff --git a/security/apparmor/include/policy_unpack.h b/security/apparmor/include/policy_unpack.h
index cdfbc8a54a9d2859e929314b9b0fd2180e7e34f6..1e10e360a0ec14e967cd4320291dc70255f929ce 100644 (file)
--- a/security/apparmor/include/policy_unpack.h
+++ b/security/apparmor/include/policy_unpack.h
@@ -36,6 +36,7 @@ struct aa_load_ent *aa_load_ent_alloc(void);
 #define PACKED_MODE_COMPLAIN   1
 #define PACKED_MODE_KILL       2
 #define PACKED_MODE_UNCONFINED 3
+#define PACKED_MODE_USER       4
 
 struct aa_ns;
 

diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index 768cc182e9cabc2ff51d6e35cdc4dd4f27aabc74..b0fcec89327457702e65aa3f00f3b849ac95b59f 100644 (file)
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -327,11 +327,8 @@ void aa_apply_modes_to_perms(struct aa_profile *profile, struct aa_perms *perms)
                perms->kill = ALL_PERMS_MASK;
        else if (COMPLAIN_MODE(profile))
                perms->complain = ALL_PERMS_MASK;
-/*
- *  TODO:
- *     else if (PROMPT_MODE(profile))
- *             perms->prompt = ALL_PERMS_MASK;
- */
+       else if (USER_MODE(profile))
+               perms->prompt = ALL_PERMS_MASK;
 }
 
 /**

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 6222236de02168dc9ed3cb489d9f105d3b9f3f13..3c3a5263695de024d3226a0dbd7ab29160d8ca07 100644 (file)
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -94,6 +94,7 @@ const char *const aa_profile_mode_names[] = {
        "complain",
        "kill",
        "unconfined",
+       "user",
 };
 
 

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 4bf33bd0ca694ef009d75907c9b72141961fc5f4..04e9fca250df09c6dd69dfa59b00c7d001ff419a 100644 (file)
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -761,6 +761,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
        } else if (tmp == PACKED_MODE_UNCONFINED) {
                profile->mode = APPARMOR_UNCONFINED;
                profile->label.flags |= FLAG_UNCONFINED;
+       } else if (tmp == PACKED_MODE_USER) {
+               profile->mode = APPARMOR_USER;
        } else {
                goto fail;
        }