kernel/linux.git/security/apparmor/include/apparmorfs.h, branch v6.12.80

apparmor: make export of raw binary profile to userspace optional

2022-07-09T22:13:59+00:00

Embedded systems have limited space and don't need the introspection or checkpoint restore capability provided by exporting the raw profile binary data so make it so make it a config option. This will reduce run time memory use and also speed up policy loads. Signed-off-by: John Johansen

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441

2019-06-05T15:37:17+00:00

Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 of the license extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 315 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Armijn Hemel Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190531190115.503150771@linutronix.de Signed-off-by: Greg Kroah-Hartman

apparmor: add policy revision file interface

2017-06-11T00:11:27+00:00

Add a policy revision file to find the current revision of a ns's policy. There is a revision file per ns, as well as a virtualized global revision file in the base apparmor fs directory. The global revision file when opened will provide the revision of the opening task namespace. The revision file can be waited on via select/poll to detect apparmor policy changes from the last read revision of the opened file. This means that the revision file must be read after the select/poll other wise update data will remain ready for reading. Signed-off-by: John Johansen

apparmor: allow specifying an already created dir to create ns entries in

2017-06-08T19:51:52+00:00

Signed-off-by: John Johansen Reviewed-by: Seth Arnold Reviewed-by: Kees Cook

apparmor: rename apparmor file fns and data to indicate use

2017-06-08T19:51:52+00:00

prefixes are used for fns/data that are not static to apparmorfs.c with the prefixes being aafs - special magic apparmorfs for policy namespace data aa_sfs - for fns/data that go into securityfs aa_fs - for fns/data that may be used in the either of aafs or securityfs Signed-off-by: John Johansen Reviewed-by: Seth Arnold Reviewed-by: Kees Cook

apparmor: move to per loaddata files, instead of replicating in profiles

2017-06-08T19:51:49+00:00

The loaddata sets cover more than just a single profile and should be tracked at the ns level. Move the load data files under the namespace and reference the files from the profiles via a symlink. Signed-off-by: John Johansen Reviewed-by: Seth Arnold Reviewed-by: Kees Cook

apparmor: add per policy ns .load, .replace, .remove interface files

2017-01-16T09:18:44+00:00

Having per policy ns interface files helps with containers restoring policy. Signed-off-by: John Johansen

apparmor: allow introspecting the loaded policy pre internal transform

2017-01-16T09:18:42+00:00

Store loaded policy and allow introspecting it through apparmorfs. This has several uses from debugging, policy validation, and policy checkpoint and restore for containers. Signed-off-by: John Johansen

apparmor: add special .null file used to "close" fds at exec

2017-01-16T09:18:35+00:00

Borrow the special null device file from selinux to "close" fds that don't have sufficient permissions at exec time. Signed-off-by: John Johansen

apparmor: rename namespace to ns to improve code line lengths

2017-01-16T08:42:16+00:00

Signed-off-by: John Johansen