
Add the ability to specify ptrace rules

ptrace rules currently take the form of

  ptrace [<ptrace_perms>] [<peer_profile_name>],
  ptrace_perm := read|trace|readby|tracedby
  ptrace_perms := ptrace_perm | '(' ptrace_perm+ ')'

Having used the cross check (permission needed in both profiles),
I am not sure it is correct for ptrace.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This commit is contained in:
John Johansen
2014-04-23 11:38:04 -07:00
parent 559f0a72fa
commit a1a7c78755
10 changed files with 320 additions and 7 deletions


@@ -674,6 +674,7 @@ static const char *mediates_file = CLASS_STR(AA_CLASS_FILE);
static const char *mediates_mount = CLASS_STR(AA_CLASS_MOUNT);
static const char *mediates_dbus = CLASS_STR(AA_CLASS_DBUS);
static const char *mediates_signal = CLASS_STR(AA_CLASS_SIGNAL);
static const char *mediates_ptrace = CLASS_STR(AA_CLASS_PTRACE);
int process_profile_policydb(Profile *prof)
{
@@ -703,6 +704,9 @@ int process_profile_policydb(Profile *prof)
if (kernel_supports_signal &&
!prof->policy.rules->add_rule(mediates_signal, 0, AA_MAY_READ, 0, dfaflags))
goto out;
if (kernel_supports_ptrace &&
!prof->policy.rules->add_rule(mediates_ptrace, 0, AA_MAY_READ, 0, dfaflags))
goto out;
if (prof->policy.rules->rule_count > 0) {
prof->policy.dfa = prof->policy.rules->create_dfa(&prof->policy.size, dfaflags);