kernel/linux.git/security/apparmor/include/policy.h, branch v6.4.15

apparmor: refactor code that alloc null profiles

2022-10-25T05:35:36+00:00

Bother unconfined and learning profiles use the null profile as their base. Refactor so they are share a common base routine. This doesn't save much atm but will be important when the feature set of the parent is inherited. Signed-off-by: John Johansen

apparmor: rework profile->rules to be a list

2022-10-03T21:49:04+00:00

Convert profile->rules to a list as the next step towards supporting multiple rulesets in a profile. For this step only support a single list entry item. The logic for iterating the list will come as a separate step. Signed-off-by: John Johansen

apparmor: refactor profile rules and attachments

2022-10-03T21:49:04+00:00

In preparation for moving from a single set of rules and a single attachment to multiple rulesets and attachments separate from the profile refactor attachment information and ruleset info into their own structures. Signed-off-by: John Johansen

apparmor: add the ability for policy to specify a permission table

2022-10-03T21:49:03+00:00

Currently permissions are encoded in the dfa accept entries that are then mapped to an internal permission structure. This limits the permissions that userspace can specify, so allow userspace to directly specify the permission table. Signed-off-by: John Johansen

apparmor: add user mode flag

2022-10-03T21:49:03+00:00

Allow the profile to contain a user mode prompt flag. This works similar to complain mode but will try to send messages to a userspace daemon. If the daemon is not present or timesout regular informent will occur. Signed-off-by: John Johansen

apparmor: extend permissions to support a label and tag string

2022-10-03T21:49:03+00:00

add indexes for label and tag entries. Rename the domain table to the str_table as its a shared string table with label and tags. Signed-off-by: John Johansen

apparmor: preparse for state being more than just an integer

2022-10-03T21:49:03+00:00

Convert from an unsigned int to a state_t for state position. This is a step in prepping for the state position carrying some additional flags, and a limited form of backtracking to support variables. Signed-off-by: John Johansen

apparmor: convert policy lookup to use accept as an index

2022-10-03T21:49:03+00:00

Remap polidydb dfa accept table from embedded perms to an index, and then move the perm lookup to use the accept entry as an index into the perm table. This is done so that the perm table can be separated from the dfa, allowing dfa accept to index to share expanded permission sets. Signed-off-by: John Johansen

apparmor: convert xmatch to using the new shared policydb struct

2022-10-03T21:49:03+00:00

continue permission unification by converting xmatch to use the policydb struct that is used by the other profile dfas. Signed-off-by: John Johansen

apparmor: combine file_rules and aa_policydb into a single shared struct

2022-10-03T21:49:03+00:00

file_rules and policydb are almost the same and will need the same features in the future so combine them. Signed-off-by: John Johansen