mirror of
https://github.com/edk2-porting/linux-next.git
synced 2024-12-23 12:43:55 +08:00
898127c34e
AppArmor routines for controling domain transitions, which can occur at exec or through self directed change_profile/change_hat calls. Unconfined tasks are checked at exec against the profiles in the confining profile namespace to determine if a profile should be attached to the task. Confined tasks execs are controlled by the profile which provides rules determining which execs are allowed and if so which profiles should be transitioned to. Self directed domain transitions allow a task to request transition to a given profile. If the transition is allowed then the profile will be applied, either immeditately or at exec time depending on the request. Immeditate self directed transitions have several security limitations but have uses in setting up stub transition profiles and other limited cases. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
37 lines
1.0 KiB
C
37 lines
1.0 KiB
C
/*
|
|
* AppArmor security module
|
|
*
|
|
* This file contains AppArmor security domain transition function definitions.
|
|
*
|
|
* Copyright (C) 1998-2008 Novell/SUSE
|
|
* Copyright 2009-2010 Canonical Ltd.
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License as
|
|
* published by the Free Software Foundation, version 2 of the
|
|
* License.
|
|
*/
|
|
|
|
#include <linux/binfmts.h>
|
|
#include <linux/types.h>
|
|
|
|
#ifndef __AA_DOMAIN_H
|
|
#define __AA_DOMAIN_H
|
|
|
|
struct aa_domain {
|
|
int size;
|
|
char **table;
|
|
};
|
|
|
|
int apparmor_bprm_set_creds(struct linux_binprm *bprm);
|
|
int apparmor_bprm_secureexec(struct linux_binprm *bprm);
|
|
void apparmor_bprm_committing_creds(struct linux_binprm *bprm);
|
|
void apparmor_bprm_committed_creds(struct linux_binprm *bprm);
|
|
|
|
void aa_free_domain_entries(struct aa_domain *domain);
|
|
int aa_change_hat(const char *hats[], int count, u64 token, bool permtest);
|
|
int aa_change_profile(const char *ns_name, const char *name, bool onexec,
|
|
bool permtest);
|
|
|
|
#endif /* __AA_DOMAIN_H */
|