From f4e764a0e945d7945dee901c6322f2f6e3315325 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Fri, 9 Jun 2017 17:11:17 -0700
Subject: [PATCH 62/65] apparmor: add domain label stacking info to apparmorfs
Git-commit: 40cde7fcc344bc77c1ec9d291dcc35ab12f078aa
Patch-mainline: v4.13-rc1
References: FATE#323500

Now that the domain label transition is complete, advertise it to
userspace.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
---
 security/apparmor/apparmorfs.c     | 36 ++++++++++++++++++++++++++++++++++++
 security/apparmor/include/audit.h  |  2 ++
 security/apparmor/include/domain.h |  1 +
 3 files changed, 39 insertions(+)

diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index e460f2d8337d..6310bf1485b6 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -1138,6 +1138,40 @@ static const struct file_operations seq_ns_ ##NAME ##_fops = {	      \
 	.release	= single_release,				      \
 }									      \
 
+static int seq_ns_stacked_show(struct seq_file *seq, void *v)
+{
+	struct aa_label *label;
+
+	label = begin_current_label_crit_section();
+	seq_printf(seq, "%s\n", label->size > 1 ? "yes" : "no");
+	end_current_label_crit_section(label);
+
+	return 0;
+}
+
+static int seq_ns_nsstacked_show(struct seq_file *seq, void *v)
+{
+	struct aa_label *label;
+	struct aa_profile *profile;
+	struct label_it it;
+	int count = 1;
+
+	label = begin_current_label_crit_section();
+
+	if (label->size > 1) {
+		label_for_each(it, label, profile)
+			if (profile->ns != labels_ns(label)) {
+				count++;
+				break;
+			}
+	}
+
+	seq_printf(seq, "%s\n", count > 1 ? "yes" : "no");
+	end_current_label_crit_section(label);
+
+	return 0;
+}
+
 static int seq_ns_level_show(struct seq_file *seq, void *v)
 {
 	struct aa_label *label;
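Review bot: In seq_ns_nsstacked_show `count` starts at 1 and the `break` means it can never exceed 2, so it is a boolean in disguise; a `bool nsstacked = false;` that is set when a foreign-namespace profile is found and printed with `nsstacked ? "yes" : "no"` says what the code means (`bool` should already be in scope through the kernel headers this file includes). The `label_for_each` body is a multi-line compound statement, so kernel style also asks for braces around the loop itself. The `label->size > 1` guard is presumably a shortcut because a single-profile label is by construction in labels_ns(label), but the patch does not show that, so a one-line comment stating the assumption would save the next reader from re-deriving it. Both new show functions report on the calling task's own label via begin_current_label_crit_section(), not on any namespace, which the `seq_ns_` prefix does not make obvious; a comment above seq_ns_stacked_show such as `/* .stacked / .nsstacked report on the reading task's label, not on a namespace */` would pin that down.
```c
	/* … unchanged: label/profile/it declarations … */
	bool nsstacked = false;

	label = begin_current_label_crit_section();

	/* NOTE(review): a single-profile label presumably lives in labels_ns(label) — confirm */
	if (label->size > 1) {
		label_for_each(it, label, profile) {
			if (profile->ns != labels_ns(label)) {
				nsstacked = true;
				break;
			}
		}
	}

	seq_printf(seq, "%s\n", nsstacked ? "yes" : "no");
	/* … unchanged: end_current_label_crit_section(label); return 0; … */
```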
@@ -1160,6 +1194,8 @@ static int seq_ns_name_show(struct seq_file *seq, void *v)
 	return 0;
 }
 
+SEQ_NS_FOPS(stacked);
+SEQ_NS_FOPS(nsstacked);
 SEQ_NS_FOPS(level);
 SEQ_NS_FOPS(name);
 
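Review bot: The two new SEQ_NS_FOPS instantiations define seq_ns_stacked_fops and seq_ns_nsstacked_fops, but no hunk in this patch adds them to an apparmorfs entry table, so as far as this diff shows nothing creates a file that uses them and the "advertise it to userspace" goal of the commit message is not yet met. If the entries are added by a later patch in the series, a sentence in the commit message saying so would avoid confusion when bisecting; if not, they belong in this patch next to the existing level/name entries. Until they are referenced, the unused `static const struct file_operations` objects may also draw an unused-variable warning on some compilers.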
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 99ed83cf6941..c68839a44351 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -92,6 +92,8 @@ enum audit_type {
 #define OP_CHANGE_HAT "change_hat"
 #define OP_CHANGE_PROFILE "change_profile"
 #define OP_CHANGE_ONEXEC "change_onexec"
+#define OP_STACK "stack"
+#define OP_STACK_ONEXEC "stack_onexec"
 
 #define OP_SETPROCATTR "setprocattr"
 #define OP_SETRLIMIT "setrlimit"
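Review bot: OP_STACK and OP_STACK_ONEXEC are added beside the OP_CHANGE_* names, but nothing in this patch emits them, so their wording cannot be checked against a caller here. If they follow the existing OP_* strings into the operation field of audit records, userspace log parsers will key on the exact text, which makes them effectively ABI once shipped; a comment above the two new lines, e.g. `/* audit op names for label stacking; keep stable, userspace parsers match on them */`, would make that explicit. The enclosing define list and the audit_type enum start above this hunk.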
diff --git a/security/apparmor/include/domain.h b/security/apparmor/include/domain.h
index 255aa40ec1d1..bab5810b6e9a 100644
--- a/security/apparmor/include/domain.h
+++ b/security/apparmor/include/domain.h
@@ -27,6 +27,7 @@ struct aa_domain {
 #define AA_CHANGE_TEST 1
 #define AA_CHANGE_CHILD 2
 #define AA_CHANGE_ONEXEC  4
+#define AA_CHANGE_STACK 8
 
 int apparmor_bprm_set_creds(struct linux_binprm *bprm);
 int apparmor_bprm_secureexec(struct linux_binprm *bprm);
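Review bot: AA_CHANGE_STACK takes the next free bit (8) in the AA_CHANGE_* flag set, which keeps it combinable with AA_CHANGE_ONEXEC and AA_CHANGE_TEST, but nothing in this patch consumes it, so which combinations are valid is only implied by the name. A one-line comment next to the define, e.g. `/* stack the target onto the current label instead of replacing it (if that is the intent) */`, would document the contract the later consumer must honour. The struct aa_domain definition and the start of the flag list are above this hunk.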
-- 
2.12.3