
- fix split init so that apparmor can be enabled at the boot command line. The init was broken so that apparmor couldn't be enabled unless enabled by default. M apparmor-fix-lock-letter.diff - fix the lock letter being reported (z -> k) and update some comments A apparmor-create-append.diff - fix semantic bug where full write perms were needed to create a new file, where only append is needed. M fix-link-subset.diff - partial fix of link subset A no-safex-link-subset.diff - more link subset fixes A audit-log-type-in-syslog.diff - fix audit type being missing when messages go to syslog. This patch is needed for apparmor to work when messages go to syslog instead of auditd. This patch can be dropped when upstream includes the patch to report audit number when reporting to syslog A audit-uid.diff - report the fsuid to the log A hat_perm.diff - setup to use hat permissions instead of just profile search for 2.3 A apparmor-failed-name-error.diff - fix a bug where on failed name resolution no error or information is output. It now reports info in the status field and includes an error_code A extend-x-mods.diff - extend the x-mods in preparation of audit ctl A apparmor-secondary-accept.diff - extend the dfa to have a second accept table used for audit ctl A apparmor-audit-flags2.diff - extend apparmor to support audit ctl of individual permissions. - finish fixing link-subset A fix-change_profile-namespace.diff - Not applied, ignore
---
|
|
security/apparmor/apparmor.h | 43 ++++++++++++++++++++++++++++---------------
|
|
1 file changed, 28 insertions(+), 15 deletions(-)
|
|
|
|
--- a/security/apparmor/apparmor.h
|
|
+++ b/security/apparmor/apparmor.h
|
|
@@ -26,25 +26,33 @@
|
|
#define AA_MAY_LINK 0x0010
|
|
#define AA_MAY_LOCK 0x0020
|
|
#define AA_EXEC_MMAP 0x0040
|
|
-#define AA_EXEC_UNSAFE 0x0080
|
|
-#define AA_EXEC_MOD_0 0x0100
|
|
-#define AA_EXEC_MOD_1 0x0200
|
|
+#define AA_MAY_MOUNT 0x0080 /* no direct audit mapping */
|
|
+#define AA_EXEC_UNSAFE 0x0100
|
|
+#define AA_EXEC_MOD_0 0x0200
|
|
+#define AA_EXEC_MOD_1 0x0400
|
|
+#define AA_EXEC_MOD_2 0x0800
|
|
+#define AA_EXEC_MOD_3 0x1000
|
|
+#define AA_EXEC_MOD_4 0x2000
|
|
+
|
|
#define AA_BASE_PERMS (MAY_READ | MAY_WRITE | MAY_EXEC | \
|
|
MAY_APPEND | AA_MAY_LINK | \
|
|
AA_MAY_LOCK | AA_EXEC_MMAP | \
|
|
- AA_EXEC_UNSAFE | AA_EXEC_MOD_0 | \
|
|
- AA_EXEC_MOD_1)
|
|
-#define AA_LINK_SUBSET_TEST 0x0020
|
|
-
|
|
-#define AA_EXEC_UNCONFINED 0
|
|
-#define AA_EXEC_INHERIT AA_EXEC_MOD_0
|
|
-#define AA_EXEC_PROFILE AA_EXEC_MOD_1
|
|
-#define AA_EXEC_PIX (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
|
|
-
|
|
-#define AA_EXEC_MODIFIERS (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
|
|
+ AA_MAY_MOUNT | AA_EXEC_UNSAFE | \
|
|
+ AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
|
|
+ AA_EXEC_MOD_2 | AA_EXEC_MOD_3 | \
|
|
+ AA_EXEC_MOD_4)
|
|
+
|
|
+#define AA_EXEC_UNCONFINED AA_EXEC_MOD_0
|
|
+#define AA_EXEC_INHERIT AA_EXEC_MOD_1
|
|
+#define AA_EXEC_PROFILE (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
|
|
+#define AA_EXEC_PIX AA_EXEC_MOD_2
|
|
+
|
|
+#define AA_EXEC_MODIFIERS (AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
|
|
+ AA_EXEC_MOD_2 | AA_EXEC_MOD_3 | \
|
|
+ AA_EXEC_MOD_4)
|
|
|
|
#define AA_USER_SHIFT 0
|
|
-#define AA_OTHER_SHIFT 10
|
|
+#define AA_OTHER_SHIFT 14
|
|
|
|
#define AA_USER_PERMS (AA_BASE_PERMS << AA_USER_SHIFT)
|
|
#define AA_OTHER_PERMS (AA_BASE_PERMS << AA_OTHER_SHIFT)
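Review bot: AA_EXEC_UNCONFINED is no longer 0 but AA_EXEC_MOD_0, and AA_EXEC_PROFILE is now AA_EXEC_MOD_0 | AA_EXEC_MOD_1, so the exec modes have become a packed enumeration inside the modifier field rather than independent flags: a bit test such as `if (perms & AA_EXEC_UNCONFINED)` also matches the profile mode, and "no modifier bit set" no longer means unconfined as it did before this hunk. Consumers have to mask and compare the whole field, `(perms & AA_EXEC_MODIFIERS) == AA_EXEC_PROFILE`; I would record that contract beside the mode macros with `/* exec modes are an enumeration encoded in AA_EXEC_MODIFIERS: always mask and compare the whole field, never test single bits */`. The relayout also moves AA_EXEC_UNSAFE, AA_EXEC_MOD_0 and AA_EXEC_MOD_1 up one bit and shifts the other-perms block from bit 10 to bit 14, so any serialized policy or DFA accept table built against the old layout would decode differently; nothing in this hunk bumps a policy format version, which presumably happens elsewhere and should be confirmed. AA_EXEC_MOD_3 and AA_EXEC_MOD_4 are defined and folded into the masks but not used by any named mode here; a `/* reserved for audit ctl */` comment (or whatever their intended use is) would stop them being silently repurposed, and the `/* no direct audit mapping */` note on AA_MAY_MOUNT would be clearer if it said what the audit path does with the bit instead.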
|
|
@@ -68,11 +76,16 @@
|
|
#define AA_ALL_EXEC_MODS (AA_USER_EXEC_MODS | \
|
|
AA_OTHER_EXEC_MODS)
|
|
|
|
+/* overloaded permissions for link pairs */
|
|
+#define AA_LINK_SUBSET_TEST 0x0020
|
|
+
|
|
/* shared permissions that are not duplicated in user::other */
|
|
+#define AA_AUDIT_FIELD 0x10000000
|
|
#define AA_CHANGE_HAT 0x20000000
|
|
#define AA_CHANGE_PROFILE 0x40000000
|
|
|
|
-#define AA_SHARED_PERMS (AA_CHANGE_HAT | AA_CHANGE_PROFILE)
|
|
+#define AA_SHARED_PERMS (AA_CHANGE_HAT | AA_CHANGE_PROFILE | \
|
|
+ AA_AUDIT_FIELD)
|
|
|
|
#define AA_VALID_PERM_MASK (AA_FILE_PERMS | AA_SHARED_PERMS)
|
|
|
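Review bot: The new comment `/* overloaded permissions for link pairs */` does not say which permission AA_LINK_SUBSET_TEST overloads: its value 0x0020 is the same bit the header assigns to AA_MAY_LOCK, so a lock request tested against a link-pair accept value, or a subset-test bit tested against a plain file permission mask, would be indistinguishable. I would spell the aliasing out so the next reader does not "fix" it: `/* AA_LINK_SUBSET_TEST shares bit 0x0020 with AA_MAY_LOCK; it is only meaningful in the permission word of a link-pair match, where lock is not a valid request. Never test it against a plain file permission mask. */`. Adding AA_AUDIT_FIELD to AA_SHARED_PERMS also puts it into AA_VALID_PERM_MASK; AA_AUDIT_FIELD is a control flag rather than an access right, so if AA_VALID_PERM_MASK is anywhere used to validate a requested permission set (not visible here) it would now accept 0x10000000 as a requestable permission, which is worth checking. A one-line comment on AA_AUDIT_FIELD stating that it is a flag consumed by the audit path and not a permission a task can request would make that distinction explicit.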