tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

apparmor: add support for profiles to define the kill signal

Previously apparmor has only sent SIGKILL but there are cases where
it can be useful to send a different signal. Allow the profile
to optionally specify a different value.

Signed-off-by: John Johansen <john.johansen@canonical.com>

John Johansen 84c455de 2e12c5f0

+34 -6
+1
security/apparmor/apparmorfs.c
··· 2342 2342 AA_SFS_FILE_BOOLEAN("computed_longest_left", 1), 2343 2343 AA_SFS_DIR("attach_conditions", aa_sfs_entry_attach), 2344 2344 AA_SFS_FILE_BOOLEAN("disconnected.path", 1), 2345 + AA_SFS_FILE_BOOLEAN("kill.signal", 1), 2345 2346 AA_SFS_FILE_STRING("version", "1.2"), 2346 2347 { } 2347 2348 };
+1 -1
security/apparmor/audit.c
··· 192 192 aa_audit_msg(type, ad, cb); 193 193 194 194 if (ad->type == AUDIT_APPARMOR_KILL) 195 - (void)send_sig_info(SIGKILL, NULL, 195 + (void)send_sig_info(profile->signal, NULL, 196 196 ad->common.type == LSM_AUDIT_DATA_TASK && 197 197 ad->common.u.tsk ? ad->common.u.tsk : current); 198 198
+3
security/apparmor/include/ipc.h
··· 13 13 14 14 #include <linux/sched.h> 15 15 16 + #define SIGUNKNOWN 0 17 + #define MAXMAPPED_SIG 35 18 + 16 19 int aa_may_signal(const struct cred *subj_cred, struct aa_label *sender, 17 20 const struct cred *target_cred, struct aa_label *target, 18 21 int sig);
+1
security/apparmor/include/policy.h
··· 236 236 enum audit_mode audit; 237 237 long mode; 238 238 u32 path_flags; 239 + int signal; 239 240 const char *disconnected; 240 241 241 242 struct aa_attachment attach;
+1 -5
security/apparmor/include/sig_names.h
··· 1 1 #include <linux/signal.h> 2 - 3 - #define SIGUNKNOWN 0 4 - #define MAXMAPPED_SIG 35 5 - #define MAXMAPPED_SIGNAME (MAXMAPPED_SIG + 1) 6 - #define SIGRT_BASE 128 2 + #include "signal.h" 7 3 8 4 /* provide a mapping of arch signal to internal signal # for mediation 9 5 * those that are always an alias SIGCLD for SIGCLHD and SIGPOLL for SIGIO
+19
security/apparmor/include/signal.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-only */ 2 + /* 3 + * AppArmor security module 4 + * 5 + * This file contains AppArmor ipc mediation function definitions. 6 + * 7 + * Copyright 2023 Canonical Ltd. 8 + */ 9 + 10 + #ifndef __AA_SIGNAL_H 11 + #define __AA_SIGNAL_H 12 + 13 + #define SIGUNKNOWN 0 14 + #define MAXMAPPED_SIG 35 15 + 16 + #define MAXMAPPED_SIGNAME (MAXMAPPED_SIG + 1) 17 + #define SIGRT_BASE 128 18 + 19 + #endif /* __AA_SIGNAL_H */
+1
security/apparmor/policy.c
··· 364 364 profile->label.flags |= FLAG_PROFILE; 365 365 profile->label.vec[0] = profile; 366 366 367 + profile->signal = SIGKILL; 367 368 /* refcount released by caller */ 368 369 return profile; 369 370
+7
security/apparmor/policy_unpack.c
··· 29 29 #include "include/policy.h" 30 30 #include "include/policy_unpack.h" 31 31 #include "include/policy_compat.h" 32 + #include "include/signal.h" 32 33 33 34 /* audit callback for unpack fields */ 34 35 static void audit_cb(struct audit_buffer *ab, void *va) ··· 917 916 (void) aa_unpack_strdup(e, &disconnected, "disconnected"); 918 917 profile->disconnected = disconnected; 919 918 919 + /* optional */ 920 + (void) aa_unpack_u32(e, &profile->signal, "kill"); 921 + if (profile->signal < 1 && profile->signal > MAXMAPPED_SIG) { 922 + info = "profile kill.signal invalid value"; 923 + goto fail; 924 + } 920 925 /* per profile debug flags (complain, audit) */ 921 926 if (!aa_unpack_nameX(e, AA_STRUCT, "flags")) { 922 927 info = "profile missing flags";