1. 10 Jan, 2019 1 commit
  2. 09 Feb, 2018 4 commits
  3. 12 Jan, 2018 1 commit
  4. 08 Nov, 2017 1 commit
  5. 22 Sep, 2017 1 commit
    • John Johansen's avatar
      apparmor: add the ability to mediate signals · cd1dbf76
      John Johansen authored
      Add signal mediation where the signal can be mediated based on the
      signal, direction, or the label or the peer/target. The signal perms
      are verified on a cross check to ensure policy consistency in the case
      of incremental policy load/replacement.
      
      The optimization of skipping the cross check when policy is guaranteed
      to be consistent (single compile unit) remains to be done.
      
      policy rules have the form of
        SIGNAL_RULE = [ QUALIFIERS ] 'signal' [ SIGNAL ACCESS PERMISSIONS ]
                      [ SIGNAL SET ] [ SIGNAL PEER ]
      
        SIGNAL ACCESS PERMISSIONS = SIGNAL ACCESS | SIGNAL ACCESS LIST
      
        SIGNAL ACCESS LIST = '(' Comma or space separated list of SIGNAL
                                 ACCESS ')'
      
        SIGNAL ACCESS = ( 'r' | 'w' | 'rw' | 'read' | 'write' | 'send' |
                          'receive' )
      
        SIGNAL SET = 'set' '=' '(' SIGNAL LIST ')'
      
        SIGNAL LIST = Comma or space separated list of SIGNALS
      
        SIGNALS = ( 'hup' | 'int' | 'quit' | 'ill' | 'trap' | 'abrt' |
                    'bus' | 'fpe' | 'kill' | 'usr1' | 'segv' | 'usr2' |
      	      'pipe' | 'alrm' | 'term' | 'stkflt' | 'chld' | 'cont' |
      	      'stop' | 'stp' | 'ttin' | 'ttou' | 'urg' | 'xcpu' |
      	      'xfsz' | 'vtalrm' | 'prof' | 'winch' | 'io' | 'pwr' |
      	      'sys' | 'emt' | 'exists' | 'rtmin+0' ... 'rtmin+32'
                  )
      
        SIGNAL PEER = 'peer' '=' AARE
      
      eg.
        signal,                                 # allow all signals
        signal send set=(hup, kill) peer=foo,
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Acked-by: default avatarSeth Arnold <seth.arnold@canonical.com>
      cd1dbf76
  6. 11 Jun, 2017 4 commits
  7. 16 Jan, 2017 1 commit
  8. 30 Oct, 2013 1 commit
  9. 28 Apr, 2013 1 commit
  10. 09 Apr, 2012 2 commits
  11. 03 Apr, 2012 1 commit
  12. 09 Sep, 2011 1 commit
  13. 02 Aug, 2010 2 commits
    • James Morris's avatar
      AppArmor: fix build warnings for non-const use of get_task_cred · 77c80e6b
      James Morris authored
      Fix build warnings for non-const use of get_task_cred.
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      77c80e6b
    • John Johansen's avatar
      AppArmor: mediation of non file objects · 0ed3b28a
      John Johansen authored
      ipc:
      AppArmor ipc is currently limited to mediation done by file mediation
      and basic ptrace tests.  Improved mediation is a wip.
      
      rlimits:
      AppArmor provides basic abilities to set and control rlimits at
      a per profile level.  Only resources specified in a profile are controled
      or set.  AppArmor rules set the hard limit to a value <= to the current
      hard limit (ie. they can not currently raise hard limits), and if
      necessary will lower the soft limit to the new hard limit value.
      
      AppArmor does not track resource limits to reset them when a profile
      is left so that children processes inherit the limits set by the
      parent even if they are not confined by the same profile.
      
      Capabilities:  AppArmor provides a per profile mask of capabilities,
      that will further restrict.
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarJames Morris <jmorris@namei.org>
      0ed3b28a