Commit 26b78995 authored by John Johansen's avatar John Johansen

apparmor: add support for absolute root view based labels

With apparmor policy virtualization based on policy namespace View's
we don't generally want/need absolute root based views, however there
are cases like debugging and some secid based conversions where
using a root based view is important.
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
Acked-by: default avatarSeth Arnold <seth.arnold@canonical.com>
parent f872af75
...@@ -310,6 +310,7 @@ bool aa_update_label_name(struct aa_ns *ns, struct aa_label *label, gfp_t gfp); ...@@ -310,6 +310,7 @@ bool aa_update_label_name(struct aa_ns *ns, struct aa_label *label, gfp_t gfp);
#define FLAG_SHOW_MODE 1 #define FLAG_SHOW_MODE 1
#define FLAG_VIEW_SUBNS 2 #define FLAG_VIEW_SUBNS 2
#define FLAG_HIDDEN_UNCONFINED 4 #define FLAG_HIDDEN_UNCONFINED 4
#define FLAG_ABS_ROOT 8
int aa_label_snxprint(char *str, size_t size, struct aa_ns *view, int aa_label_snxprint(char *str, size_t size, struct aa_ns *view,
struct aa_label *label, int flags); struct aa_label *label, int flags);
int aa_label_asxprint(char **strp, struct aa_ns *ns, struct aa_label *label, int aa_label_asxprint(char **strp, struct aa_ns *ns, struct aa_label *label,
......
...@@ -1607,8 +1607,13 @@ int aa_label_snxprint(char *str, size_t size, struct aa_ns *ns, ...@@ -1607,8 +1607,13 @@ int aa_label_snxprint(char *str, size_t size, struct aa_ns *ns,
AA_BUG(!str && size != 0); AA_BUG(!str && size != 0);
AA_BUG(!label); AA_BUG(!label);
if (!ns) if (flags & FLAG_ABS_ROOT) {
ns = root_ns;
len = snprintf(str, size, "=");
update_for_len(total, len, size, str);
} else if (!ns) {
ns = labels_ns(label); ns = labels_ns(label);
}
label_for_each(i, label, profile) { label_for_each(i, label, profile) {
if (aa_ns_visible(ns, profile->ns, flags & FLAG_VIEW_SUBNS)) { if (aa_ns_visible(ns, profile->ns, flags & FLAG_VIEW_SUBNS)) {
...@@ -1868,6 +1873,9 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str, ...@@ -1868,6 +1873,9 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
if (*str == '&') if (*str == '&')
str++; str++;
} }
if (*str == '=')
base = &root_ns->unconfined->label;
error = vec_setup(profile, vec, len, gfp); error = vec_setup(profile, vec, len, gfp);
if (error) if (error)
return ERR_PTR(error); return ERR_PTR(error);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment