Re: [RFC][PATCH 7/11] security: AppArmor - Misc (capabilities, datastructures)

From: Stephen Hemminger
Date: Wed Apr 19 2006 - 15:18:37 EST

Next message: Grzegorz Kulewski: "Re: Linux 2.6.17-rc2"
Previous message: Moore, Robert: "RE: [patch 1/3] acpi: dock driver"
In reply to: Tony Jones: "[RFC][PATCH 7/11] security: AppArmor - Misc (capabilities, data structures)"
Next in thread: Tony Jones: "[RFC][PATCH 6/11] security: AppArmor - Userspace interface"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 19 Apr 2006 10:50:02 -0700
Tony Jones <tonyj@xxxxxxx> wrote:

> This patch implements three distinct chunks.
> - list management, for profiles loaded into the system (profile_list) and for
> the set of confined tasks (subdomain_list)
> - the proc/pid/attr interface used by userspace for setprofile (forcing
> a task into a new profile) and changehat (switching a task into one of it's
> defined sub profiles). Access to change_hat is normally via code provided
> in libapparmor. See the overview posting for more information in change hat.
> - capability utility functions (for displaying capability names)
>
>
> Signed-off-by: Tony Jones <tonyj@xxxxxxx>
>
> ---
> security/apparmor/capabilities.c | 54 ++++++
> security/apparmor/list.c | 268 +++++++++++++++++++++++++++++++
> security/apparmor/procattr.c | 327 +++++++++++++++++++++++++++++++++++++++
> 3 files changed, 649 insertions(+)
>
> --- /dev/null
> +++ linux-2.6.17-rc1/security/apparmor/capabilities.c
> @@ -0,0 +1,54 @@
> +/*
> + * Copyright (C) 2005 Novell/SUSE
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU General Public License as
> + * published by the Free Software Foundation, version 2 of the
> + * License.
> + *
> + * AppArmor capability definitions
> + */
> +
> +#include "apparmor.h"
> +
> +static const char *cap_names[] = {
> + "chown",
> + "dac_override",
> + "dac_read_search",
> + "fowner",
> + "fsetid",
> + "kill",
> + "setgid",
> + "setuid",
> + "setpcap",
> + "linux_immutable",
> + "net_bind_service",
> + "net_broadcast",
> + "net_admin",
> + "net_raw",
> + "ipc_lock",
> + "ipc_owner",
> + "sys_module",
> + "sys_rawio",
> + "sys_chroot",
> + "sys_ptrace",
> + "sys_pacct",
> + "sys_admin",
> + "sys_boot",
> + "sys_nice",
> + "sys_resource",
> + "sys_time",
> + "sys_tty_config",
> + "mknod",
> + "lease"
> +};
> +
> +const char *capability_to_name(unsigned int cap)
> +{
> + const char *name;
> +
> + name = (cap < (sizeof(cap_names) / sizeof(char *))
> + ? cap_names[cap] : "invalid-capability");
> +
> + return name;
> +}
> --- /dev/null
> +++ linux-2.6.17-rc1/security/apparmor/list.c
> @@ -0,0 +1,268 @@
> +/*
> + * Copyright (C) 1998-2005 Novell/SUSE
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU General Public License as
> + * published by the Free Software Foundation, version 2 of the
> + * License.
> + *
> + * AppArmor Profile List Management
> + */
> +
> +#include <linux/seq_file.h>
> +#include "apparmor.h"
> +#include "inline.h"
> +
> +/* list of all profiles and lock */
> +static LIST_HEAD(profile_list);
> +static rwlock_t profile_lock = RW_LOCK_UNLOCKED;
> +
> +/* list of all subdomains and lock */
> +static LIST_HEAD(subdomain_list);
> +static rwlock_t subdomain_lock = RW_LOCK_UNLOCKED;

This would be a good candidate for RCU.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Grzegorz Kulewski: "Re: Linux 2.6.17-rc2"
Previous message: Moore, Robert: "RE: [patch 1/3] acpi: dock driver"
In reply to: Tony Jones: "[RFC][PATCH 7/11] security: AppArmor - Misc (capabilities, data structures)"
Next in thread: Tony Jones: "[RFC][PATCH 6/11] security: AppArmor - Userspace interface"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]