apparmor: allow label to carry debug flags

Allow labels to have debug flags that can be used to trigger debug output
only from profiles/labels that are marked. This can help reduce debug
output by allowing debug to be target to a specific confinement condition.

Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
index 9101c2c..860484c 100644 (file)
--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -92,6 +92,8 @@ enum label_flags {
        FLAG_STALE = 0x800,             /* replaced/removed */
        FLAG_RENAMED = 0x1000,          /* label has renaming in it */
        FLAG_REVOKED = 0x2000,          /* label has revocation in it */
+       FLAG_DEBUG1 = 0x4000,
+       FLAG_DEBUG2 = 0x8000,
 
        /* These flags must correspond with PATH_flags */
        /* TODO: add new path flags */

diff --git a/security/apparmor/include/path.h b/security/apparmor/include/path.h
index 44a7945..3431899 100644 (file)
--- a/security/apparmor/include/path.h
+++ b/security/apparmor/include/path.h
@@ -17,8 +17,8 @@ enum path_flags {
        PATH_CHROOT_REL = 0x8,          /* do path lookup relative to chroot */
        PATH_CHROOT_NSCONNECT = 0x10,   /* connect paths that are at ns root */
 
-       PATH_DELEGATE_DELETED = 0x08000, /* delegate deleted files */
-       PATH_MEDIATE_DELETED = 0x10000,  /* mediate deleted paths */
+       PATH_DELEGATE_DELETED = 0x10000, /* delegate deleted files */
+       PATH_MEDIATE_DELETED = 0x20000,  /* mediate deleted paths */
 };
 
 int aa_path_name(const struct path *path, int flags, char *buffer,

diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 232d3d9..639b5b2 100644 (file)
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -48,6 +48,10 @@ extern const char *const aa_profile_mode_names[];
 
 #define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT)
 
+#define CHECK_DEBUG1(_profile) ((_profile)->label.flags & FLAG_DEBUG1)
+
+#define CHECK_DEBUG2(_profile) ((_profile)->label.flags & FLAG_DEBUG2)
+
 #define profile_is_stale(_profile) (label_is_stale(&(_profile)->label))
 
 #define on_list_rcu(X) (!list_empty(X) && (X)->prev != LIST_POISON2)

diff --git a/security/apparmor/include/policy_unpack.h b/security/apparmor/include/policy_unpack.h
index e0e1ca7..eb5f7d7 100644 (file)
--- a/security/apparmor/include/policy_unpack.h
+++ b/security/apparmor/include/policy_unpack.h
@@ -28,6 +28,8 @@ void aa_load_ent_free(struct aa_load_ent *ent);
 struct aa_load_ent *aa_load_ent_alloc(void);
 
 #define PACKED_FLAG_HAT                1
+#define PACKED_FLAG_DEBUG1     2
+#define PACKED_FLAG_DEBUG2     4
 
 #define PACKED_MODE_ENFORCE    0
 #define PACKED_MODE_COMPLAIN   1

diff --git a/security/apparmor/label.c b/security/apparmor/label.c
index a658b67..0f36ee9 100644 (file)
--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@@ -197,18 +197,18 @@ static bool vec_is_stale(struct aa_profile **vec, int n)
        return false;
 }
 
-static bool vec_unconfined(struct aa_profile **vec, int n)
+static long union_vec_flags(struct aa_profile **vec, int n, long mask)
 {
+       long u = 0;
        int i;
 
        AA_BUG(!vec);
 
        for (i = 0; i < n; i++) {
-               if (!profile_unconfined(vec[i]))
-                       return false;
+               u |= vec[i]->label.flags & mask;
        }
 
-       return true;
+       return u;
 }
 
 static int sort_cmp(const void *a, const void *b)
@@ -1097,8 +1097,8 @@ static struct aa_label *label_merge_insert(struct aa_label *new,
                else if (k == b->size)
                        return aa_get_label(b);
        }
-       if (vec_unconfined(new->vec, new->size))
-               new->flags |= FLAG_UNCONFINED;
+       new->flags |= union_vec_flags(new->vec, new->size, FLAG_UNCONFINED |
+                                             FLAG_DEBUG1 | FLAG_DEBUG2);
        ls = labels_set(new);
        write_lock_irqsave(&ls->lock, flags);
        label = __label_insert(labels_set(new), new, false);

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 302fecf..55d31ba 100644 (file)
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -748,6 +748,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
                goto fail;
        if (tmp & PACKED_FLAG_HAT)
                profile->label.flags |= FLAG_HAT;
+       if (tmp & PACKED_FLAG_DEBUG1)
+               profile->label.flags |= FLAG_DEBUG1;
+       if (tmp & PACKED_FLAG_DEBUG2)
+               profile->label.flags |= FLAG_DEBUG2;
        if (!unpack_u32(e, &tmp, NULL))
                goto fail;
        if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) {