diff options
| author | John Johansen <john.johansen@canonical.com> | 2023-08-09 00:26:36 -0700 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2023-10-18 15:48:44 -0700 |
| commit | 2d9da9b188b8cd3b579d7ef5ba5d334be9dd38fc (patch) | |
| tree | 3ddeaaf865425ba25becb5d22aa6173a59894298 /security/apparmor/apparmorfs.c | |
| parent | e105d8079f82819f4773c4853dc199e195fedf40 (diff) | |
apparmor: allow restricting unprivileged change_profile
unprivileged unconfined can use change_profile to alter the confinement
set by the mac admin.
Allow restricting unprivileged unconfined by still allowing change_profile
but stacking the change against unconfined. This allows unconfined to
still apply system policy but allows the task to enter the new confinement.
If unprivileged unconfined is required a sysctl is provided to switch
to the previous behavior.
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/apparmorfs.c')
| -rw-r--r-- | security/apparmor/apparmorfs.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index b123abbc43d8..6d0848f10ff0 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -2341,6 +2341,11 @@ static struct aa_sfs_entry aa_sfs_entry_domain[] = { { } }; +static struct aa_sfs_entry aa_sfs_entry_unconfined[] = { + AA_SFS_FILE_BOOLEAN("change_profile", 1), + { } +}; + static struct aa_sfs_entry aa_sfs_entry_versions[] = { AA_SFS_FILE_BOOLEAN("v5", 1), AA_SFS_FILE_BOOLEAN("v6", 1), @@ -2358,6 +2363,7 @@ static struct aa_sfs_entry aa_sfs_entry_policy[] = { AA_SFS_FILE_U64("outofband", MAX_OOB_SUPPORTED), AA_SFS_FILE_U64("permstable32_version", 1), AA_SFS_FILE_STRING("permstable32", PERMS32STR), + AA_SFS_DIR("unconfined_restrictions", aa_sfs_entry_unconfined), { } }; |