mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-01 06:45:38 +00:00
Code Issues Releases Wiki Activity

Add the ability to mediate signals.

Browse Source 
Add signal rules and make sure the parser encodes support for them
if the supported feature set reports supporting them.

The current format of the signal rule is

  [audit] [deny] signal [<signal_perms>] [<signal_set>] <target_profile>,

  signal_perm  := 'send'|'receive'|'r'|'w'|'rw'
  signal_perms := <signal_perm> | '(' <signal_perm> ([,]<signal_perm>)* ')'
  signal := ("hup"|"int"|"quit"|"ill"|"trap"|"abrt"|"bus"|"fpe"|"kill"|
             "usr1"|"segv"|"usr2"|"pipe"|"alrm"|"term"|"tkflt"|"chld"|
             "cont"|"stop"|"stp"|"ttin"|"ttou"|"urg"|"xcpu"|"xfsz"|"vtalrm"|
             "prof"|"winch"|"io"|"pwr"|"sys"|"emt"|"exists")
  signal_set   := set=<signal> | '(' <signal> ([,]<signal>)* ')'


it does not currently follow the peer=() format, and there is some question
as to whether it should or not. Input welcome.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This commit is contained in:
John Johansen
2014-04-23 11:35:29 -07:00
parent b10965b78e
commit b222731c4f
11 changed files with 476 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
parser/parser_regex.c
View File

@@ -43,8 +43,6 @@ enum error_type {
e_parse_error,
};
/* match any char except \000 0 or more times */
const char *default_match_pattern = "[^\\000]*";
/* Filters out multiple slashes (except if the first two are slashes,
* that's a distinct namespace in linux) and trailing slashes.
@@ -675,6 +673,7 @@ int post_process_policydb_ents(Profile *prof)
static const char *mediates_file = CLASS_STR(AA_CLASS_FILE);
static const char *mediates_mount = CLASS_STR(AA_CLASS_MOUNT);
static const char *mediates_dbus = CLASS_STR(AA_CLASS_DBUS);
static const char *mediates_signal = CLASS_STR(AA_CLASS_SIGNAL);
int process_profile_policydb(Profile *prof)
{
@@ -701,6 +700,10 @@ int process_profile_policydb(Profile *prof)
if (kernel_supports_dbus &&
!prof->policy.rules->add_rule(mediates_dbus, 0, AA_MAY_READ, 0, dfaflags))
goto out;
if (kernel_supports_signal &&
!prof->policy.rules->add_rule(mediates_signal, 0, AA_MAY_READ, 0, dfaflags))
goto out;
if (prof->policy.rules->rule_count > 0) {
prof->policy.dfa = prof->policy.rules->create_dfa(&prof->policy.size, dfaflags);
delete prof->policy.rules;