@@ -35,7 +35,7 @@ static ssize_t aa_matching_read(struct file *file, char __user *buf,
size_t size, loff_t *ppos)
{
const char matching[] = "pattern=aadfa audit perms=crwxamlk/ "
- "user::other";
+ "user::other dbus";
return simple_read_from_buffer(buf, size, ppos, matching,
sizeof(matching) - 1);
@@ -181,6 +181,10 @@ struct aa_profile {
u32 path_flags;
int size;
+ /* Generic policy DFA specific rule types will be subsections of it */
+ struct aa_dfa *policy;
+ unsigned int policy_start;
+
struct aa_file_rules file;
struct aa_caps caps;
struct aa_net net;
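Review bot: The comment added above `policy` is hard to parse and `policy_start` gets no comment at all, even though the unpack code in policy_unpack.c treats the dfa as optional and defaults the start state. Suggest `/* Generic policy DFA (optional, may be NULL); the specific rule types are subsections of it */` on the `policy` line and `/* start state in ->policy; DFA_START unless the profile supplies "policy_start" */` on the `policy_start` line. struct aa_profile begins and ends outside this hunk.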
@@ -750,6 +750,7 @@ static void free_profile(struct aa_profile *profile)
aa_free_sid(profile->sid);
aa_put_dfa(profile->xmatch);
+ aa_put_dfa(profile->policy);
aa_put_profile(profile->replacedby);
@@ -605,6 +605,17 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
profile->net.allow[AF_UNIX] = 0xffff;
profile->net.allow[AF_NETLINK] = 0xffff;
+ /* generic policy dfa - optional and may be NULL */
+ profile->policy = unpack_dfa(e);
+ if (IS_ERR(profile->policy)) {
+ error = PTR_ERR(profile->policy);
+ profile->policy = NULL;
+ goto fail;
+ }
+ if (!unpack_u32(e, &profile->policy_start, "policy_start"))
+ /* default start state */
+ profile->policy_start = DFA_START;
+
/* get file rules */
profile->file.dfa = unpack_dfa(e);
if (IS_ERR(profile->file.dfa)) {
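Review bot: `profile->policy_start` is read from the loaded blob but never checked against `profile->policy`: nothing in the hunk rejects a start state that is not a valid state of the unpacked DFA, and the field is also filled in when `profile->policy` is NULL. Unless unpack_dfa() or the DFA verifier already bounds-checks an externally supplied start state (not visible here), an out-of-range value is only discovered when the DFA is first walked from that state, or not at all. Suggest, after the `unpack_u32` fallback, comparing `profile->policy_start` with the state count of `profile->policy` when the dfa is present (the same bound the DFA verifier applies to state references) and taking the `fail` path with the format error code the other checks in this function use. unpack_profile() starts and ends outside the hunk.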
The policy dfa, when present, contains the state machine encapsulating all rule types for the profile. The specific rule sections then contain references into the policy dfa and the permission mappings for that rule type. Signed-off-by: John Johansen <john.johansen@canonical.com> --- security/apparmor/apparmorfs-24.c | 2 +- security/apparmor/include/policy.h | 4 ++++ security/apparmor/policy.c | 1 + security/apparmor/policy_unpack.c | 11 +++++++++++ 4 files changed, 17 insertions(+), 1 deletions(-)