Commit c1ed5da1 authored by John Johansen's avatar John Johansen

apparmor: allow label to carry debug flags

Allow labels to have debug flags that can be used to trigger debug output
only from profiles/labels that are marked. This can help reduce debug
output by allowing debug to be targeted at a specific confinement condition.
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 2504db20
...@@ -92,6 +92,8 @@ enum label_flags { ...@@ -92,6 +92,8 @@ enum label_flags {
FLAG_STALE = 0x800, /* replaced/removed */ FLAG_STALE = 0x800, /* replaced/removed */
FLAG_RENAMED = 0x1000, /* label has renaming in it */ FLAG_RENAMED = 0x1000, /* label has renaming in it */
FLAG_REVOKED = 0x2000, /* label has revocation in it */ FLAG_REVOKED = 0x2000, /* label has revocation in it */
FLAG_DEBUG1 = 0x4000,
FLAG_DEBUG2 = 0x8000,
/* These flags must correspond with PATH_flags */ /* These flags must correspond with PATH_flags */
/* TODO: add new path flags */ /* TODO: add new path flags */
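Review bot: FLAG_DEBUG1 and FLAG_DEBUG2 are the only entries in enum label_flags without a trailing comment, and their values (0x4000/0x8000) appear to be what forces the PATH_DELEGATE_DELETED/PATH_MEDIATE_DELETED renumbering in the path_flags hunk, since the comment two lines below says these flags must correspond with PATH_flags. A reader sees neither what the marks mean nor why the path flags moved. I would write `FLAG_DEBUG1 = 0x4000, /* label is marked for debug output (mark 1) */` and `FLAG_DEBUG2 = 0x8000, /* label is marked for debug output (mark 2) */`, and extend the "must correspond" comment with one clause saying that any new label flag above FLAG_REVOKED must not collide with a path flag.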
...@@ -17,8 +17,8 @@ enum path_flags { ...@@ -17,8 +17,8 @@ enum path_flags {
PATH_CHROOT_REL = 0x8, /* do path lookup relative to chroot */ PATH_CHROOT_REL = 0x8, /* do path lookup relative to chroot */
PATH_CHROOT_NSCONNECT = 0x10, /* connect paths that are at ns root */ PATH_CHROOT_NSCONNECT = 0x10, /* connect paths that are at ns root */
PATH_DELEGATE_DELETED = 0x08000, /* delegate deleted files */ PATH_DELEGATE_DELETED = 0x10000, /* delegate deleted files */
PATH_MEDIATE_DELETED = 0x10000, /* mediate deleted paths */ PATH_MEDIATE_DELETED = 0x20000, /* mediate deleted paths */
}; };
int aa_path_name(const struct path *path, int flags, char *buffer, int aa_path_name(const struct path *path, int flags, char *buffer,
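Review bot: The renumbering of PATH_DELEGATE_DELETED and PATH_MEDIATE_DELETED (reading the first copy of each line as the old value: 0x08000/0x10000 to 0x10000/0x20000) carries no explanation in this header; from the label_flags hunk it appears to be making room for FLAG_DEBUG2 = 0x8000, which label.h says must stay disjoint from the path flags, but nothing in path.h expresses that constraint. I would add above the two entries `/* these values share the flag space with enum label_flags; keep them disjoint from the FLAG_* values */`, and a compile-time assertion (BUILD_BUG_ON in a .c file, or a static_assert here) that FLAG_DEBUG2 is below PATH_DELEGATE_DELETED, so a future collision breaks the build instead of silently reading a debug mark as a path option.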
...@@ -48,6 +48,10 @@ extern const char *const aa_profile_mode_names[]; ...@@ -48,6 +48,10 @@ extern const char *const aa_profile_mode_names[];
#define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT) #define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT)
#define CHECK_DEBUG1(_profile) ((_profile)->label.flags & FLAG_DEBUG1)
#define CHECK_DEBUG2(_profile) ((_profile)->label.flags & FLAG_DEBUG2)
#define profile_is_stale(_profile) (label_is_stale(&(_profile)->label)) #define profile_is_stale(_profile) (label_is_stale(&(_profile)->label))
#define on_list_rcu(X) (!list_empty(X) && (X)->prev != LIST_POISON2) #define on_list_rcu(X) (!list_empty(X) && (X)->prev != LIST_POISON2)
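Review bot: CHECK_DEBUG1 and CHECK_DEBUG2 are introduced without a comment and, in the hunks shown here, without a user, so their role has to be inferred from the commit message. Their names also break the convention of the neighbouring macros (PROFILE_IS_HAT, profile_is_stale), which read as predicates on the profile. I would put `/* true when the profile's own label is marked for debug output; set from the policy blob in unpack_profile */` above them, and note in that comment that, like PROFILE_IS_HAT, they look only at the profile's label flags — a merged label receives FLAG_DEBUG1/2 through the OR in label_merge_insert, so code holding an aa_label rather than a profile needs a label-level test.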
...@@ -28,6 +28,8 @@ void aa_load_ent_free(struct aa_load_ent *ent); ...@@ -28,6 +28,8 @@ void aa_load_ent_free(struct aa_load_ent *ent);
struct aa_load_ent *aa_load_ent_alloc(void); struct aa_load_ent *aa_load_ent_alloc(void);
#define PACKED_FLAG_HAT 1 #define PACKED_FLAG_HAT 1
#define PACKED_FLAG_DEBUG1 2
#define PACKED_FLAG_DEBUG2 4
#define PACKED_MODE_ENFORCE 0 #define PACKED_MODE_ENFORCE 0
#define PACKED_MODE_COMPLAIN 1 #define PACKED_MODE_COMPLAIN 1
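Review bot: PACKED_FLAG_DEBUG1 (2) and PACKED_FLAG_DEBUG2 (4) are bit positions in the flags word that unpack_profile reads from the policy blob via unpack_u32, i.e. they appear to be part of the loaded-policy format shared with the userspace producer of that blob, yet nothing in the header marks them as such. A one-line comment above the PACKED_FLAG_* group, `/* bits of the packed profile flags word; part of the policy blob format, do not renumber */`, would stop a later cleanup from reordering them. Since the word comes from loaded policy, whoever can load policy controls the debug marks; if that is the intended trust boundary it is worth saying so in the same comment.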
...@@ -197,18 +197,18 @@ static bool vec_is_stale(struct aa_profile **vec, int n) ...@@ -197,18 +197,18 @@ static bool vec_is_stale(struct aa_profile **vec, int n)
return false; return false;
} }
static bool vec_unconfined(struct aa_profile **vec, int n) static long union_vec_flags(struct aa_profile **vec, int n, long mask)
{ {
long u = 0;
int i; int i;
AA_BUG(!vec); AA_BUG(!vec);
for (i = 0; i < n; i++) { for (i = 0; i < n; i++) {
if (!profile_unconfined(vec[i])) u |= vec[i]->label.flags & mask;
return false;
} }
return true; return u;
} }
static int sort_cmp(const void *a, const void *b) static int sort_cmp(const void *a, const void *b)
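Review bot: union_vec_flags changes the meaning of FLAG_UNCONFINED on a merged label: the vec_unconfined it replaces returned true only when every profile in the vector passed profile_unconfined(), matching label.h's `/* label unconfined only if all */`, whereas the new loop ORs `vec[i]->label.flags & mask`, so label_merge_insert in the next hunk now sets FLAG_UNCONFINED as soon as any one profile in the stack is unconfined. That is the wrong direction for a confinement flag — a confined profile stacked with an unconfined one would be treated as unconfined wherever the label's FLAG_UNCONFINED is consulted — and the test is also silently switched from profile_unconfined() to the raw label bit, which may not be equivalent. ORing is right for the debug marks but not for FLAG_UNCONFINED; I would keep the all-of rule for that bit, for example:
```c
static long union_vec_flags(struct aa_profile **vec, int n, long mask)
{
	long u = 0;
	bool all_unconfined = true;
	int i;

	AA_BUG(!vec);

	for (i = 0; i < n; i++) {
		/* debug marks (any bit in mask except unconfined) accumulate */
		u |= vec[i]->label.flags & (mask & ~FLAG_UNCONFINED);
		/* unconfined stays an all-of property, as vec_unconfined had it */
		if (!profile_unconfined(vec[i]))
			all_unconfined = false;
	}
	if ((mask & FLAG_UNCONFINED) && all_unconfined)
		u |= FLAG_UNCONFINED;

	return u;
}
```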
...@@ -1097,8 +1097,8 @@ static struct aa_label *label_merge_insert(struct aa_label *new, ...@@ -1097,8 +1097,8 @@ static struct aa_label *label_merge_insert(struct aa_label *new,
else if (k == b->size) else if (k == b->size)
return aa_get_label(b); return aa_get_label(b);
} }
if (vec_unconfined(new->vec, new->size)) new->flags |= union_vec_flags(new->vec, new->size, FLAG_UNCONFINED |
new->flags |= FLAG_UNCONFINED; FLAG_DEBUG1 | FLAG_DEBUG2);
ls = labels_set(new); ls = labels_set(new);
write_lock_irqsave(&ls->lock, flags); write_lock_irqsave(&ls->lock, flags);
label = __label_insert(labels_set(new), new, false); label = __label_insert(labels_set(new), new, false);
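--- a/[PATH-NOT-SHOWN]
+++ b/[PATH-NOT-SHOWN]
@@ -748,6 +748,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 goto fail;
 if (tmp & PACKED_FLAG_HAT)
 profile->label.flags |= FLAG_HAT;
+if (tmp & PACKED_FLAG_DEBUG1)
+profile->label.flags |= FLAG_DEBUG1;
+if (tmp & PACKED_FLAG_DEBUG2)
+profile->label.flags |= FLAG_DEBUG2;
 if (!unpack_u32(e, &tmp, NULL))
 goto fail;
 if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) {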
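Review bot: The three flag tests act only on the bits they recognise; as far as the visible lines show, any other bit set in the unpacked flags word is silently accepted, so a blob carrying bits this kernel does not know still loads. If that leniency is intended (newer policy loading on an older kernel), it should be stated above the PACKED_FLAG_HAT test, `/* unrecognised bits in the flags word are ignored so newer policy still loads */`; if not, the word should be checked against the known PACKED_FLAG_* bits and rejected through the existing `goto fail`. The two new tests mirror the PACKED_FLAG_HAT one line for line, so a small packed-bit to label-bit table would keep the mapping in one place, but that is style. unpack_profile begins and ends outside the hunk.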