apparmor: Add support for attaching profiles via xattr, presence and value

Make it possible to tie Apparmor profiles to the presence of one or more extended attributes, and optionally their values. An example usecase for this is to automatically transition to a more privileged Apparmor profile if an executable has a valid IMA signature, which can then be appraised by the IMA subsystem. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
author: Matthew Garrett <mjg59@google.com> 2018-02-08 23:37:19 +0300
committer: John Johansen <john.johansen@canonical.com> 2018-02-09 22:30:02 +0300
commit: 8e51f9087f4024d20f70f4d9831e1f45d8088331 (patch)
tree: a466a6dfa9ffd57b9919b89931bc18fbddb1517e /security/apparmor/include
parent: a0781209cb894e5115bb00c269b1d94c4b632d6a (diff)
download: linux-8e51f9087f4024d20f70f4d9831e1f45d8088331.tar.xz
1 files changed, 6 insertions, 0 deletions
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 17fe41a9cac3..02bde92ebb5c 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -148,6 +148,12 @@ struct aa_profile {
 	struct aa_policydb policy;
 	struct aa_file_rules file;
 	struct aa_caps caps;
+
+	int xattr_count;
+	char **xattrs;
+	size_t *xattr_lens;
+	char **xattr_values;
+
 	struct aa_rlimit rlimits;
 
 	struct aa_loaddata *rawdata;
author	Matthew Garrett <mjg59@google.com>	2018-02-08 23:37:19 +0300
committer	John Johansen <john.johansen@canonical.com>	2018-02-09 22:30:02 +0300
commit	8e51f9087f4024d20f70f4d9831e1f45d8088331 (patch)
tree	a466a6dfa9ffd57b9919b89931bc18fbddb1517e /security/apparmor/include
parent	a0781209cb894e5115bb00c269b1d94c4b632d6a (diff)
download	linux-8e51f9087f4024d20f70f4d9831e1f45d8088331.tar.xz