From 617a629c08bfffb05249131079d9a38322902e5b Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Thu, 24 May 2018 13:27:45 -0700
Subject: apparmor: Add a wildcard secid

Reserve a secid value that we can use as a wildcard, allowing us to define policy that's expected to match against all secids.

Signed-off-by: Matthew Garrett
Signed-off-by: John Johansen
---
 security/apparmor/include/secid.h | 3 +++
 security/apparmor/secid.c | 3 +--
 2 files changed, 4 insertions(+), 2 deletions(-)
(limited to 'security/apparmor')

diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
index dee6fa3b6081..fa2062711b63 100644
--- a/security/apparmor/include/secid.h
+++ b/security/apparmor/include/secid.h
@@ -22,6 +22,9 @@ struct aa_label;
 /* secid value that will not be allocated */
 #define AA_SECID_INVALID 0
 
+/* secid value that matches any other secid */
+#define AA_SECID_WILDCARD 1
+
 struct aa_label *aa_secid_to_label(u32 secid);
 int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
 int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
index f2f22d00db18..8c951c493beb 100644
--- a/security/apparmor/secid.c
+++ b/security/apparmor/secid.c
@@ -32,8 +32,7 @@
 * secids - do not pin labels with a refcount. They rely on the label
 * properly updating/freeing them
 */
-
-#define AA_FIRST_SECID 1
+#define AA_FIRST_SECID 2
 
 static DEFINE_IDR(aa_secids);
 static DEFINE_SPINLOCK(secid_lock);
-- 
cgit
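Review bot: The comment added above `AA_SECID_WILDCARD` in secid.h says what the value matches but not that it is reserved and never allocated, nor which side of a comparison may carry it. A match-all id is only safe when it comes from loaded policy; if a secid taken from an object or from a caller of `apparmor_secctx_to_secid()` could ever equal 1, that subject would match every rule, so the contract belongs next to the definition. Something like `/* reserved, never allocated: used in policy to match any secid; never valid as the secid of a label */` would do, and it should also say whether the wildcard is meant to match `AA_SECID_INVALID`. No label is stored for this id as far as the patch shows, so `aa_secid_to_label(AA_SECID_WILDCARD)` presumably returns NULL, which is worth stating too.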
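Review bot: `#define AA_FIRST_SECID 2` in secid.c keeps the wildcard out of the allocator's range only because two unrelated literals happen to agree; nothing ties it to `AA_SECID_WILDCARD`. If another reserved id is added or the values are renumbered, a real label could be handed the wildcard id and would then match all policy. Deriving the bound makes the dependency explicit: `#define AA_FIRST_SECID (AA_SECID_WILDCARD + 1)`, assuming secid.c includes include/secid.h, which the hunk does not show. The hunk also drops the blank line after the comment block, so the "secids - do not pin labels" comment now reads as documentation for `AA_FIRST_SECID`; keep the blank line or add `/* 0 and 1 are reserved: AA_SECID_INVALID, AA_SECID_WILDCARD */` above the define.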