apparmor: Add support for attaching profiles via xattr, presence and value

Make it possible to tie AppArmor profiles to the presence of one or more
extended attributes, and optionally their values. An example use case for
this is to automatically transition to a more privileged AppArmor profile
if an executable has a valid IMA signature, which can then be appraised
by the IMA subsystem.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index a8e096a..7fee546 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -210,6 +210,7 @@ static void aa_free_data(void *ptr, void *arg)
 void aa_free_profile(struct aa_profile *profile)
 {
 	struct rhashtable *rht;
+	int i;
 
 	AA_DEBUG("%s(%p)\n", __func__, profile);
 
@@ -227,6 +228,13 @@ void aa_free_profile(struct aa_profile *profile)
 	aa_free_cap_rules(&profile->caps);
 	aa_free_rlimit_rules(&profile->rlimits);
 
+	for (i = 0; i < profile->xattr_count; i++) {
+		kzfree(profile->xattrs[i]);
+		kzfree(profile->xattr_values[i]);
+	}
+	kzfree(profile->xattrs);
+	kzfree(profile->xattr_lens);
+	kzfree(profile->xattr_values);
 	kzfree(profile->dirname);
 	aa_put_dfa(profile->xmatch);
 	aa_put_dfa(profile->policy.dfa);
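Review bot: The new cleanup loop indexes `profile->xattrs[i]` and `profile->xattr_values[i]` for every `i < profile->xattr_count` without checking that either array pointer is non-NULL. If the unpack code (not part of this diff) can leave `xattr_count` non-zero while one array is still unallocated, for example a profile that carries xattr names but no values or an allocation failure between the two, freeing that profile would dereference NULL in the kernel. Guarding each access keeps teardown safe whatever state the loader left behind: `if (profile->xattrs) kzfree(profile->xattrs[i]);` and `if (profile->xattr_values) kzfree(profile->xattr_values[i]);`. The `int i` added in the first hunk should also match the type of `xattr_count`, whose declaration is outside this diff. The body of aa_free_profile() continues past the end of this hunk.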