From: John Johansen
Date: Sat, 10 Jun 2017 00:11:17 +0000 (-0700)
Subject: apparmor: add domain label stacking info to apparmorfs
X-Git-Tag: v4.14-rc2~6^2~42
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=40cde7fcc344bc77c1ec9d291dcc35ab12f078aa;p=platform%2Fkernel%2Flinux-exynos.git

apparmor: add domain label stacking info to apparmorfs

Now that the domain label transition is complete advertise it to userspace.

Signed-off-by: John Johansen
---

diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index e460f2d..6310bf1 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -1138,6 +1138,40 @@ static const struct file_operations seq_ns_ ##NAME ##_fops = { \
 	.release = single_release, \
 } \
 
+static int seq_ns_stacked_show(struct seq_file *seq, void *v)
+{
+	struct aa_label *label;
+
+	label = begin_current_label_crit_section();
+	seq_printf(seq, "%s\n", label->size > 1 ? "yes" : "no");
+	end_current_label_crit_section(label);
+
+	return 0;
+}
+
+static int seq_ns_nsstacked_show(struct seq_file *seq, void *v)
+{
+	struct aa_label *label;
+	struct aa_profile *profile;
+	struct label_it it;
+	int count = 1;
+
+	label = begin_current_label_crit_section();
+
+	if (label->size > 1) {
+		label_for_each(it, label, profile)
+			if (profile->ns != labels_ns(label)) {
+				count++;
+				break;
+			}
+	}
+
+	seq_printf(seq, "%s\n", count > 1 ? "yes" : "no");
+	end_current_label_crit_section(label);
+
+	return 0;
+}
+
 static int seq_ns_level_show(struct seq_file *seq, void *v)
 {
 	struct aa_label *label;
@@ -1160,6 +1194,8 @@ static int seq_ns_name_show(struct seq_file *seq, void *v)
 	return 0;
 }
 
+SEQ_NS_FOPS(stacked);
+SEQ_NS_FOPS(nsstacked);
 SEQ_NS_FOPS(level);
 SEQ_NS_FOPS(name);
 
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 99ed83c..c68839a 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
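Review bot: Neither seq_ns_stacked_show() nor seq_ns_nsstacked_show() documents what the new apparmorfs files report, even though their output is now a userspace-visible interface; a one-line comment above each would help, e.g. `/* "yes" if the current task's label is a stack of more than one profile */` on the first and `/* "yes" if that stack includes a profile from a namespace other than the label's own */` on the second. In seq_ns_nsstacked_show(), `count` only ever holds 1 or 2 and is used purely as a flag, so `bool nsstacked = false;` set to `true` inside the loop and tested directly in the seq_printf() would read more clearly than `int count = 1` with `count++`. Both functions correctly bracket every read of the label with begin/end_current_label_crit_section(), and the `break` after the first foreign-namespace profile is fine since the loop is a plain search. The unused `void *v` parameter matches the existing seq_ns_level_show() signature that the SEQ_NS_FOPS() macro expects, so no change is needed there.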
@@ -92,6 +92,8 @@ enum audit_type {
 #define OP_CHANGE_HAT "change_hat"
 #define OP_CHANGE_PROFILE "change_profile"
 #define OP_CHANGE_ONEXEC "change_onexec"
+#define OP_STACK "stack"
+#define OP_STACK_ONEXEC "stack_onexec"
 
 #define OP_SETPROCATTR "setprocattr"
 #define OP_SETRLIMIT "setrlimit"
diff --git a/security/apparmor/include/domain.h b/security/apparmor/include/domain.h
index 255aa40..bab5810 100644
--- a/security/apparmor/include/domain.h
+++ b/security/apparmor/include/domain.h
@@ -27,6 +27,7 @@ struct aa_domain {
 #define AA_CHANGE_TEST 1
 #define AA_CHANGE_CHILD 2
 #define AA_CHANGE_ONEXEC 4
+#define AA_CHANGE_STACK 8
 
 int apparmor_bprm_set_creds(struct linux_binprm *bprm);
 int apparmor_bprm_secureexec(struct linux_binprm *bprm);