Commit 22fac8a0 authored by John Johansen's avatar John Johansen

apparmor: add user mode flag

Allow the profile to contain a user mode prompt flag. This works similar
to complain mode but will try to send messages to a userspace daemon.
If the daemon is not present or times out, regular enforcement will occur.
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 8c4b785a
...@@ -44,6 +44,8 @@ extern const char *const aa_profile_mode_names[]; ...@@ -44,6 +44,8 @@ extern const char *const aa_profile_mode_names[];
#define COMPLAIN_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_COMPLAIN) #define COMPLAIN_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_COMPLAIN)
#define USER_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_USER)
#define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL) #define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL)
#define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT) #define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT)
...@@ -67,6 +69,7 @@ enum profile_mode { ...@@ -67,6 +69,7 @@ enum profile_mode {
APPARMOR_COMPLAIN, /* allow and log access violations */ APPARMOR_COMPLAIN, /* allow and log access violations */
APPARMOR_KILL, /* kill task on access violation */ APPARMOR_KILL, /* kill task on access violation */
APPARMOR_UNCONFINED, /* profile set to unconfined */ APPARMOR_UNCONFINED, /* profile set to unconfined */
APPARMOR_USER, /* modified complain mode to userspace */
}; };
......
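Review bot: The comment on the new `APPARMOR_USER` enumerator, `/* modified complain mode to userspace */`, omits the one property a reader needs: what happens when the userspace side is unavailable. The commit description says enforcement resumes when the daemon is absent or times out, and that fail-closed behaviour belongs on the definition, e.g. `APPARMOR_USER, /* like complain, but defer the decision to a userspace daemon; enforce if none answers */`. The enumerator is appended last, and `aa_profile_mode_names[]` appears to be indexed by this enum, so the order coupling is worth a line above the enum such as `/* order must match aa_profile_mode_names[] */`. Both the `*_MODE` macro group and `enum profile_mode` start outside the hunk.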
...@@ -36,6 +36,7 @@ struct aa_load_ent *aa_load_ent_alloc(void); ...@@ -36,6 +36,7 @@ struct aa_load_ent *aa_load_ent_alloc(void);
#define PACKED_MODE_COMPLAIN 1 #define PACKED_MODE_COMPLAIN 1
#define PACKED_MODE_KILL 2 #define PACKED_MODE_KILL 2
#define PACKED_MODE_UNCONFINED 3 #define PACKED_MODE_UNCONFINED 3
#define PACKED_MODE_USER 4
struct aa_ns; struct aa_ns;
......
...@@ -327,11 +327,8 @@ void aa_apply_modes_to_perms(struct aa_profile *profile, struct aa_perms *perms) ...@@ -327,11 +327,8 @@ void aa_apply_modes_to_perms(struct aa_profile *profile, struct aa_perms *perms)
perms->kill = ALL_PERMS_MASK; perms->kill = ALL_PERMS_MASK;
else if (COMPLAIN_MODE(profile)) else if (COMPLAIN_MODE(profile))
perms->complain = ALL_PERMS_MASK; perms->complain = ALL_PERMS_MASK;
/* else if (USER_MODE(profile))
* TODO: perms->prompt = ALL_PERMS_MASK;
* else if (PROMPT_MODE(profile))
* perms->prompt = ALL_PERMS_MASK;
*/
} }
/** /**
......
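Review bot: `perms->prompt = ALL_PERMS_MASK` on the new `USER_MODE` branch mirrors the `complain` branch, but nothing in this commit shows where `perms->prompt` is consumed, so it is not visible that a denial in user mode is held for the daemon's answer rather than allowed outright the way `perms->complain` is. The description's fail-closed behaviour (enforce when no daemon is present or on timeout) has to live in that consumer, and a comment here should pin the contract, e.g. `/* prompt is advisory: the consumer must deny unless the daemon explicitly allows */`. The `kill` / `complain` / `user` chain is exclusive since a profile has a single mode, so the ordering itself is fine. `aa_apply_modes_to_perms` begins outside the hunk.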
...@@ -94,6 +94,7 @@ const char *const aa_profile_mode_names[] = { ...@@ -94,6 +94,7 @@ const char *const aa_profile_mode_names[] = {
"complain", "complain",
"kill", "kill",
"unconfined", "unconfined",
"user",
}; };
......
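Review bot: `"user"` is added to `aa_profile_mode_names[]` by position, so it silently depends on `APPARMOR_USER` being the last enumerator; a designated initializer, `[APPARMOR_USER] = "user",`, makes the coupling explicit and turns a future enum reorder into a build error instead of a mislabeled mode. Separately, the commit describes this as a prompt flag while the externally visible name is `user`; if this table is what gets reported to userspace (apparmorfs or the task attr files — not visible here) the string becomes ABI, so the name should be settled before it ships.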
...@@ -761,6 +761,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) ...@@ -761,6 +761,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
} else if (tmp == PACKED_MODE_UNCONFINED) { } else if (tmp == PACKED_MODE_UNCONFINED) {
profile->mode = APPARMOR_UNCONFINED; profile->mode = APPARMOR_UNCONFINED;
profile->label.flags |= FLAG_UNCONFINED; profile->label.flags |= FLAG_UNCONFINED;
} else if (tmp == PACKED_MODE_USER) {
profile->mode = APPARMOR_USER;
} else { } else {
goto fail; goto fail;
} }
......
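Review bot: The new `PACKED_MODE_USER` branch in `unpack_profile` sets `profile->mode` but, unlike the `PACKED_MODE_UNCONFINED` branch just above it, no label flag; that is presumably deliberate (the complain branch is outside the hunk, so it cannot be compared here) and deserves a comment, e.g. `/* user mode is carried by profile->mode alone; no label flag */`. Unknown packed values still reach `goto fail`, which is the right fail-closed default for the loader. What is not visible is whether the kernel advertises the new mode to the userspace parser (apparmorfs features); without that, a parser emitting mode 4 cannot distinguish an unsupporting kernel from a corrupt blob, so that should land with or before this change. `unpack_profile` begins outside the hunk.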