AppArmor: add initial "features" directory to securityfs

This adds the "features" subdirectory to the AppArmor securityfs to display boolean features flags and the known capability mask. Signed-off-by: Kees Cook <[email protected]> Signed-off-by: John Johansen <[email protected]>
quicksilveramalgum · Feb 27, 2012 · e74abcf · e74abcf
1 parent 9acd494
commit e74abcf
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 0 deletions.
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
@@ -18,6 +18,7 @@
 #include <linux/seq_file.h>
 #include <linux/uaccess.h>
 #include <linux/namei.h>
+#include <linux/capability.h>
 
 #include "include/apparmor.h"
 #include "include/apparmorfs.h"
@@ -142,12 +143,62 @@ static const struct file_operations aa_fs_profile_remove = {
 	.llseek = default_llseek,
 };
 
+static int aa_fs_seq_show(struct seq_file *seq, void *v)
+{
+	struct aa_fs_entry *fs_file = seq->private;
+
+	if (!fs_file)
+		return 0;
+
+	switch (fs_file->v_type) {
+	case AA_FS_TYPE_BOOLEAN:
+		seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no");
+		break;
+	case AA_FS_TYPE_U64:
+		seq_printf(seq, "%#08lx\n", fs_file->v.u64);
+		break;
+	default:
+		/* Ignore unpritable entry types. */
+		break;
+	}
+
+	return 0;
+}
+
+static int aa_fs_seq_open(struct inode *inode, struct file *file)
+{
+	return single_open(file, aa_fs_seq_show, inode->i_private);
+}
+
+const struct file_operations aa_fs_seq_file_ops = {
+	.owner		= THIS_MODULE,
+	.open		= aa_fs_seq_open,
+	.read		= seq_read,
+	.llseek		= seq_lseek,
+	.release	= single_release,
+};
+
 /** Base file system setup **/
 
+static struct aa_fs_entry aa_fs_entry_domain[] = {
+	AA_FS_FILE_BOOLEAN("change_hat",	1),
+	AA_FS_FILE_BOOLEAN("change_hatv",	1),
+	AA_FS_FILE_BOOLEAN("change_onexec",	1),
+	AA_FS_FILE_BOOLEAN("change_profile",	1),
+	{ }
+};
+
+static struct aa_fs_entry aa_fs_entry_features[] = {
+	AA_FS_DIR("domain",			aa_fs_entry_domain),
+	AA_FS_FILE_U64("capability",		VFS_CAP_FLAGS_MASK),
+	{ }
+};
+
 static struct aa_fs_entry aa_fs_entry_apparmor[] = {
 	AA_FS_FILE_FOPS(".load", 0640, &aa_fs_profile_load),
 	AA_FS_FILE_FOPS(".replace", 0640, &aa_fs_profile_replace),
 	AA_FS_FILE_FOPS(".remove", 0640, &aa_fs_profile_remove),
+	AA_FS_DIR("features", aa_fs_entry_features),
 	{ }
 };
 

diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
@@ -16,6 +16,8 @@
 #define __AA_APPARMORFS_H
 
 enum aa_fs_type {
+	AA_FS_TYPE_BOOLEAN,
+	AA_FS_TYPE_U64,
 	AA_FS_TYPE_FOPS,
 	AA_FS_TYPE_DIR,
 };
@@ -28,11 +30,23 @@ struct aa_fs_entry {
 	umode_t mode;
 	enum aa_fs_type v_type;
 	union {
+		bool boolean;
+		unsigned long u64;
 		struct aa_fs_entry *files;
 	} v;
 	const struct file_operations *file_ops;
 };
 
+extern const struct file_operations aa_fs_seq_file_ops;
+
+#define AA_FS_FILE_BOOLEAN(_name, _value) \
+	{ .name = (_name), .mode = 0444, \
+	  .v_type = AA_FS_TYPE_BOOLEAN, .v.boolean = (_value), \
+	  .file_ops = &aa_fs_seq_file_ops }
+#define AA_FS_FILE_U64(_name, _value) \
+	{ .name = (_name), .mode = 0444, \
+	  .v_type = AA_FS_TYPE_U64, .v.u64 = (_value), \
+	  .file_ops = &aa_fs_seq_file_ops }
 #define AA_FS_FILE_FOPS(_name, _mode, _fops) \
 	{ .name = (_name), .v_type = AA_FS_TYPE_FOPS, \
 	  .mode = (_mode), .file_ops = (_fops) }