Add stub rules to indicate compilation support for given features. Policy enforcement needs to be able to support older userspaces and compilers that don't know about new features. The absence of a feature in the policydb indicates that feature mediation is not present for it.
We add stub rules that provide a non-zero start state for features that are supported at compile time. This can be used by the kernel to indicate that it should enforce a given feature. This does not indicate the feature is allowed; in the absence of other rules for the feature, the feature will be denied. Signed-off-by: John Johansen <[email protected]> --- parser/parser_regex.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) --- 2.9-test.orig/parser/parser_regex.c +++ 2.9-test/parser/parser_regex.c @@ -673,6 +673,12 @@ return TRUE; } +#define MAKE_STR(X) #X +#define CLASS_STR(X) "\\d" MAKE_STR(X) + +static const char *mediates_mount = CLASS_STR(AA_CLASS_MOUNT); +static const char *mediates_dbus = CLASS_STR(AA_CLASS_DBUS); + int process_profile_policydb(Profile *prof) { int error = -1; @@ -684,6 +690,20 @@ if (!post_process_policydb_ents(prof)) goto out; + /* insert entries to show indicate what compiler/policy expects + * to be supported + */ + + if (kernel_supports_mount && + !aare_add_rule(prof->policy.rules, mediates_mount, 0, AA_MAY_READ, 0, dfaflags)) { + prof->policy.count++; + goto out; + } + if (kernel_supports_dbus && + !aare_add_rule(prof->policy.rules, mediates_dbus, 0, AA_MAY_READ, 0, dfaflags)) { + prof->policy.count++; + goto out; + } if (prof->policy.count > 0) { prof->policy.dfa = aare_create_dfa(prof->policy.rules, &prof->policy.size, -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
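Review bot: in the first hunk (the MAKE_STR/CLASS_STR definitions), the two-level stringification is correct as written, since X is expanded before MAKE_STR sees it, but that is a well-known pitfall and the macros carry no comment saying so; a one-line note that CLASS_STR(AA_CLASS_MOUNT) yields the regex escape "\d" followed by the numeric class value (not the macro name) would save the next reader a trip to the preprocessor. Also consider defining these in a shared parser header rather than file-local in parser_regex.c, so that any other code emitting class-prefixed rule strings uses the same encoding instead of hand-writing it.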
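Review bot: in the second hunk (the two stub-rule insertions in process_profile_policydb), prof->policy.count++ is executed only when aare_add_rule() fails, i.e. inside the branch that then jumps to out with error still -1, and is never incremented when the rule is actually added. If a profile has no other policydb entries, the stub is added but count stays 0, so the following if (prof->policy.count > 0) skips DFA creation and the stub never reaches the kernel, which defeats the purpose of the patch. The increment belongs on the success path, for example "if (kernel_supports_mount) { if (!aare_add_rule(...)) goto out; prof->policy.count++; }", and likewise for dbus. While here, fix the comment typo "to show indicate what" and add a blank line before the existing if (prof->policy.count > 0) to match the surrounding style.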
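The following is an added example, not AppArmor project code, illustrating what the CLASS_STR() idiom from the patch produces and why it needs the second MAKE_STR level; the AA_CLASS_MOUNT and AA_CLASS_DBUS values, the naive single-level macro, the class_from_prefix() parser and the sample rule table are all assumptions made for this demonstration and do not come from the parser's headers.

```c
/* Added example (not AppArmor code): two-level stringification of a
 * class number into a "\d<n>" rule prefix, and a minimal model of the
 * commit message's "present in policydb => mediated" semantics. */
#include <stdio.h>
#include <string.h>

/* Assumed class numbers, for illustration only. */
#define AA_CLASS_MOUNT 7
#define AA_CLASS_DBUS  32

/* Same shape as the patch. X is not an operand of # inside CLASS_STR,
 * so it is macro-expanded to its value before MAKE_STR stringifies it. */
#define MAKE_STR(X)  #X
#define CLASS_STR(X) "\\d" MAKE_STR(X)

/* Single-level variant (assumed, for contrast): X is the direct operand
 * of #, so it is NOT expanded and the macro name itself is stringified. */
#define NAIVE_CLASS_STR(X) "\\d" #X

static const char *mediates_mount = CLASS_STR(AA_CLASS_MOUNT);   /* "\d7"  */
static const char *mediates_dbus  = CLASS_STR(AA_CLASS_DBUS);    /* "\d32" */
static const char *naive_mount    = NAIVE_CLASS_STR(AA_CLASS_MOUNT);

/* Read a "\d<decimal>" prefix the way a regex layer would decode the
 * escape; returns the class number, or -1 if the prefix is malformed
 * (which is what the naive macro produces). */
int class_from_prefix(const char *rule)
{
    if (rule[0] != '\\' || rule[1] != 'd')
        return -1;
    const char *p = rule + 2;
    if (*p < '0' || *p > '9')
        return -1;
    int cls = 0;
    while (*p >= '0' && *p <= '9')
        cls = cls * 10 + (*p++ - '0');
    return cls;
}

/* A class is mediated if any compiled rule starts with its prefix; the
 * bare stub is enough for that. Whether a request is *allowed* is a
 * separate question answered by the rules that follow the prefix. */
struct rule { const char *str; };

int class_mediated(const struct rule *rules, size_t n, int cls)
{
    for (size_t i = 0; i < n; i++)
        if (class_from_prefix(rules[i].str) == cls)
            return 1;
    return 0;
}

/* Constructed sample policydb: only the mount stub is present. */
static const struct rule sample_rules[] = { { CLASS_STR(AA_CLASS_MOUNT) } };

int sample_mediated(int cls)
{
    return class_mediated(sample_rules,
                          sizeof sample_rules / sizeof sample_rules[0], cls);
}

int main(void)
{
    printf("CLASS_STR(AA_CLASS_MOUNT)       = %s -> class %d\n",
           mediates_mount, class_from_prefix(mediates_mount));
    printf("CLASS_STR(AA_CLASS_DBUS)        = %s -> class %d\n",
           mediates_dbus, class_from_prefix(mediates_dbus));
    printf("NAIVE_CLASS_STR(AA_CLASS_MOUNT) = %s -> class %d\n",
           naive_mount, class_from_prefix(naive_mount));
    printf("mount mediated: %d, dbus mediated: %d\n",
           sample_mediated(AA_CLASS_MOUNT), sample_mediated(AA_CLASS_DBUS));
    return 0;
}
```

The sample table shows the distinction the commit message draws: with only the mount stub compiled in, mount is reported as mediated (the kernel would enforce it) while dbus is not, and nothing in the stub grants any concrete mount operation.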
