Add a policy revision file to find the current revision of a ns's policy.
There is a revision file per ns, as well as a virtualized global revision
file in the base apparmor fs directory. The global revision file when
opened will provide the revision of the opening task namespace.

The revision file can be waited on via select/poll to detect apparmor
policy changes from the last read revision of the opened file. This
means that the revision file must be read after the select/poll other
wise update data will remain ready for reading.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Reviewed-by: NSeth Arnold <seth.arnold@canonical.com>
Reviewed-by: NKees Cook <keescook@chromium.org>

prefixes are used for fns/data that are not static to apparmorfs.c
with the prefixes being
  aafs   - special magic apparmorfs for policy namespace data
  aa_sfs - for fns/data that go into securityfs
  aa_fs  - for fns/data that may be used in the either of aafs or
           securityfs
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Reviewed-by: NSeth Arnold <seth.arnold@canonical.com>
Reviewed-by: NKees Cook <keescook@chromium.org>

The loaddata sets cover more than just a single profile and should
be tracked at the ns level. Move the load data files under the namespace
and reference the files from the profiles via a symlink.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Reviewed-by: NSeth Arnold <seth.arnold@canonical.com>
Reviewed-by: NKees Cook <keescook@chromium.org>

Having per policy ns interface files helps with containers restoring
policy.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Store loaded policy and allow introspecting it through apparmorfs. This
has several uses from debugging, policy validation, and policy checkpoint
and restore for containers.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Borrow the special null device file from selinux to "close" fds that
don't have sufficient permissions at exec time.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Provide userspace the ability to introspect a sha1 hash value for each
profile currently loaded.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NSeth Arnold <seth.arnold@canonical.com>

Add the ability to take in and report a human readable profile attachment
string for profiles so that attachment specifications can be easily
inspected.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Acked-by: NSeth Arnold <seth.arnold@canonical.com>

Add basic interface files to access namespace and profile information.
The interface files are created when a profile is loaded and removed
when the profile or namespace is removed.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Create the "file" directory in the securityfs for tracking features
related to files.
Signed-off-by: NKees Cook <kees@ubuntu.com>
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

This adds the "features" subdirectory to the AppArmor securityfs
to display boolean features flags and the known capability mask.
Signed-off-by: NKees Cook <kees@ubuntu.com>
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

Use a file tree structure to represent the AppArmor securityfs.
Signed-off-by: NKees Cook <kees@ubuntu.com>
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

The /proc/<pid>/attr/* interface is used for process introspection and
commands.  While the apparmorfs interface is used for global introspection
and loading and removing policy.

The interface currently only contains the files necessary for loading
policy, and will be extended in the future to include sysfs style
single per file introspection inteface.

The old AppArmor 2.4 interface files have been removed into a compatibility
patch, that distros can use to maintain backwards compatibility.
Signed-off-by: NJohn Johansen <john.johansen@canonical.com>
Signed-off-by: NJames Morris <jmorris@namei.org>