apparmor: mediate files when they are received

Signed-off-by: N John Johansen <john.johansen@canonical.com>

apparmor: mediate files when they are received
Signed-off-by: N John Johansen <john.johansen@canonical.com>
064dc947 · John Johansen · 496c9319 · 064dc947 · 064dc947
隐藏空白更改
内联并排

Showing with 7 addition and 0 deletion

security/apparmor/include/audit.h security/apparmor/include/audit.h +1 -0

security/apparmor/lsm.c security/apparmor/lsm.c +6 -0

未找到文件。
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -64,6 +64,7 @@ enum audit_type {
 #define OP_GETATTR "getattr"
 #define OP_OPEN "open"

+#define OP_FRECEIVE "file_receive"
 #define OP_FPERM "file_perm"
 #define OP_FLOCK "file_lock"
 #define OP_FMMAP "file_mmap"

--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -456,6 +456,11 @@ static int common_file_perm(const char *op, struct file *file, u32 mask)
 	return error;
 }

+static int apparmor_file_receive(struct file *file)
+{
+	return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file));
+}
+
 static int apparmor_file_permission(struct file *file, int mask)
 {
 	return common_file_perm(OP_FPERM, file, mask);
@@ -665,6 +670,7 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
 	LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr),

 	LSM_HOOK_INIT(file_open, apparmor_file_open),
+	LSM_HOOK_INIT(file_receive, apparmor_file_receive),
 	LSM_HOOK_INIT(file_permission, apparmor_file_permission),
 	LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security),
 	LSM_HOOK_INIT(file_free_security, apparmor_file_free_security),