Since the parser needs to know which rlimits are known to the kernel, export the name/value mappings via the "rlimit" subdirectory in the securityfs "features" directory.
Signed-off-by: Kees Cook <[email protected]>
---
 security/apparmor/Makefile | 4 ++--
 security/apparmor/apparmorfs.c | 19 ++++++++++++++++++-
 security/apparmor/include/resource.h | 2 ++
 3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
index 2dafe50..b877b4e 100644
--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
@@ -36,11 +36,11 @@ cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ;\ # to # RLIMIT_STACK, quiet_cmd_make-rlim = GEN $@
-cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ;\
+cmd_make-rlim = echo "const char *rlim_names[RLIM_NLIMITS] = {" > $@ ;\
 sed $< >> $@ -r -n \ -e 's/^\# ?define[ \t]+(RLIMIT_([A-Z0-9_]+)).*/[\1] = "\L\2",/p';\
 echo "};" >> $@ ;\
- echo "static const int rlim_map[] = {" >> $@ ;\
+ echo "static const int rlim_map[RLIM_NLIMITS] = {" >> $@ ;\
 sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
 echo "};" >> $@
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index e7ed75a..671f412 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -25,9 +25,11 @@
 #include "include/audit.h"
 #include "include/context.h"
 #include "include/policy.h"
+#include "include/resource.h"
 enum aa_fs_value {
 AA_FS_TYPE_BOOLEAN,
+ AA_FS_TYPE_INTEGER,
 AA_FS_TYPE_U64,
 AA_FS_TYPE_FOPS,
 AA_FS_TYPE_DIR,
@@ -42,6 +44,7 @@ struct aa_fs_entry {
 enum aa_fs_value v_type;
 union {
 bool boolean;
+ int integer;
 unsigned long u64;
 struct aa_fs_entry *files;
 } v;
@@ -177,6 +180,9 @@ static int aa_fs_seq_show(struct seq_file *seq, void *v)
 seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no");
 break;
+ case AA_FS_TYPE_INTEGER:
+ seq_printf(seq, "%d\n", fs_file->v.integer);
+ break;
 case AA_FS_TYPE_U64:
 seq_printf(seq, "%#08lx\n", fs_file->v.u64);
 break;
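Review bot: Dropping `static` from the generated table in the `+cmd_make-rlim` line turns the short, generic identifier `rlim_names` into a kernel-wide global symbol, while every other exported name in resource.h (`aa_map_resource`, `aa_task_setrlimit`) carries the `aa_` prefix. Emitting `const char *aa_rlim_names[RLIM_NLIMITS] = {` here, and matching it in the resource.h extern and the apparmorfs.c populate loop below, would keep the subsystem's naming convention and avoid a collision with any other `rlim_names` in the tree. Sizing both generated arrays by RLIM_NLIMITS is a good change in itself, since an RLIMIT_ index at or beyond RLIM_NLIMITS now fails at compile time instead of silently growing the table; as the generated header includes nothing itself, a generator comment such as `# rlim_names.h assumes RLIM_NLIMITS is already in scope where it is included` would save the next reader a build error.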
@@ -217,6 +223,8 @@ static const struct file_operations aa_fs_seq_file_ops = {
 #define AA_FS_DIR(_name, _value) \
 { .name = (_name), .v_type = AA_FS_TYPE_DIR, .v.files = (_value) }
+static struct aa_fs_entry aa_fs_entry_rlimit[RLIM_NLIMITS + 1] = { };
+
 static struct aa_fs_entry aa_fs_entry_features[] = {
 AA_FS_FILE_BOOLEAN("change_hat", 1),
 AA_FS_FILE_BOOLEAN("change_hatv", 1),
@@ -224,6 +232,7 @@ static struct aa_fs_entry aa_fs_entry_features[] = {
 AA_FS_FILE_BOOLEAN("change_profile", 1),
 AA_FS_FILE_BOOLEAN("namespaces", 1),
 AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
+ AA_FS_DIR("rlimit", aa_fs_entry_rlimit),
 { }
 };
@@ -346,7 +355,7 @@ void __init aa_destroy_aafs(void)
 */
 int __init aa_create_aafs(void)
 {
- int error;
+ int error, limit;
 if (!apparmor_initialized)
 return 0;
@@ -356,6 +365,14 @@ int __init aa_create_aafs(void)
 return -EEXIST;
 }
+ /* Populate rlimit name table. */
+ for (limit = 0; limit < RLIM_NLIMITS; ++limit) {
+ aa_fs_entry_rlimit[limit].name = rlim_names[limit];
+ aa_fs_entry_rlimit[limit].v_type = AA_FS_TYPE_INTEGER;
+ aa_fs_entry_rlimit[limit].v.integer = limit;
+ aa_fs_entry_rlimit[limit].file_ops = &aa_fs_seq_file_ops;
+ }
+
 /* Populate fs tree. */
 error = aafs_create_dir(&aa_fs_entry, NULL);
 if (error)
diff --git a/security/apparmor/include/resource.h b/security/apparmor/include/resource.h
index 02baec7..665c413 100644
--- a/security/apparmor/include/resource.h
+++ b/security/apparmor/include/resource.h
@@ -32,6 +32,8 @@ struct aa_rlimit {
 struct rlimit limits[RLIM_NLIMITS];
 };
+extern const char *rlim_names[RLIM_NLIMITS];
+
 int aa_map_resource(int resource);
 int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *, unsigned int resource, struct rlimit *new_rlim);
--
1.7.2.3
--
Kees Cook
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
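Review bot: The `+ 1` in `static struct aa_fs_entry aa_fs_entry_rlimit[RLIM_NLIMITS + 1] = { };` is load-bearing but undocumented: the populate loop in aa_create_aafs fills exactly RLIM_NLIMITS slots, so the extra zero-initialised entry is what terminates the table under the same `{ }` convention aa_fs_entry_features uses two hunks further down. A comment on the declaration, `/* RLIM_NLIMITS entries plus a zeroed terminator; filled in by aa_create_aafs() */`, would stop a later edit from dropping the extra slot or writing into it.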
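Review bot: The populate loop stores `rlim_names[limit]` into `.name` without checking it, yet the sed-generated table is built from designated initializers, so any index below RLIM_NLIMITS that has no matching RLIMIT_ define stays NULL; under the `{ }`-terminated table convention a NULL name presumably reads as end-of-table and would silently drop every later rlimit from the exported directory. With the resource.h the generator reads today every slot appears to be defined, so this is latent rather than live, but this table is exactly what userspace relies on to learn which rlimits the kernel knows, so a gap should be loud rather than quietly truncate the list. Compacting with a separate write index and warning on a gap keeps the terminator slot intact; the declaration in the `int error, limit;` hunk above would become `int error, limit, n;`. aa_create_aafs continues past the end of the hunk.
```c
	/* Populate rlimit name table. */
	for (limit = 0, n = 0; limit < RLIM_NLIMITS; ++limit) {
		/* An unset slot would otherwise act as the table terminator. */
		if (WARN_ON(!rlim_names[limit]))
			continue;
		aa_fs_entry_rlimit[n].name = rlim_names[limit];
		aa_fs_entry_rlimit[n].v_type = AA_FS_TYPE_INTEGER;
		aa_fs_entry_rlimit[n].v.integer = limit;
		aa_fs_entry_rlimit[n].file_ops = &aa_fs_seq_file_ops;
		n++;
	}
	/* … unchanged: "Populate fs tree." and the rest of aa_create_aafs … */
```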
