Commit 84c455de authored by John Johansen

apparmor: add support for profiles to define the kill signal



Previously apparmor has only sent SIGKILL but there are cases where
it can be useful to send a different signal. Allow the profile
to optionally specify a different value.

Signed-off-by: John Johansen <john.johansen@canonical.com>
parent 2e12c5f0
+1 −0
@@ -2342,6 +2342,7 @@ static struct aa_sfs_entry aa_sfs_entry_domain[] = {
	AA_SFS_FILE_BOOLEAN("computed_longest_left",	1),
	AA_SFS_DIR("attach_conditions",		aa_sfs_entry_attach),
	AA_SFS_FILE_BOOLEAN("disconnected.path",            1),
	AA_SFS_FILE_BOOLEAN("kill.signal",		1),
	AA_SFS_FILE_STRING("version", "1.2"),
	{ }
};
+1 −1
@@ -192,7 +192,7 @@ int aa_audit(int type, struct aa_profile *profile,
	aa_audit_msg(type, ad, cb);

	if (ad->type == AUDIT_APPARMOR_KILL)
		(void)send_sig_info(SIGKILL, NULL,
		(void)send_sig_info(profile->signal, NULL,
			ad->common.type == LSM_AUDIT_DATA_TASK &&
			ad->common.u.tsk ? ad->common.u.tsk : current);
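Review bot: `profile->signal` reaches `send_sig_info()` with no check at this call site, and the result is still discarded with `(void)`. A profile whose field was left at 0 (`SIGUNKNOWN` in this commit), or set to a signal the target can catch or ignore, would therefore be audited as `AUDIT_APPARMOR_KILL` without the task necessarily being terminated. The default assignment and the range check at policy load are not visible in this section. If they are not guaranteed elsewhere, fall back here, for example `int sig = profile->signal ? profile->signal : SIGKILL;`, and pass `sig`. A one-line comment such as `/* profile-defined kill signal; may be non-fatal if the profile overrides SIGKILL */` would also help anyone correlating kill-mode audit records with surviving processes. The body of aa_audit starts and ends outside the hunk.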

+3 −0
@@ -13,6 +13,9 @@

#include <linux/sched.h>

#define SIGUNKNOWN 0
#define MAXMAPPED_SIG 35

int aa_may_signal(const struct cred *subj_cred, struct aa_label *sender,
		  const struct cred *target_cred, struct aa_label *target,
		  int sig);
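Review bot: The two macros added after `#include <linux/sched.h>` have no comment saying which numbering they describe, and that matters more now that they sit in a shared header. I would add something like `/* internal (mapped) signal numbers: 0 = unknown/unmapped, 1..MAXMAPPED_SIG = mapped arch signals */` above them, with the wording confirmed against the mapping table, which is not in this section. Presumably these bounds are what the policy loader uses to validate a profile-supplied kill signal; if so, the comment should say that too. The names are also unprefixed, so an `AA_` prefix would reduce the chance of a clash with other signal-related macros.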
+1 −0
@@ -236,6 +236,7 @@ struct aa_profile {
	enum audit_mode audit;
	long mode;
	u32 path_flags;
	int signal;
	const char *disconnected;

	struct aa_attachment attach;
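Review bot: The new `int signal;` member is undocumented, and its meaning is ambiguous: the same commit passes it straight to `send_sig_info()`, which needs an arch signal number, while the signal header defines an internal mapped numbering (`SIGUNKNOWN`, `MAXMAPPED_SIG`). Please state which numbering the field holds and what 0 means, for example `int signal;	/* arch signal sent on kill; defaults to SIGKILL */`, assuming that default is what the allocation path sets, which is not shown here. If struct aa_profile has a kernel-doc block above it (outside this hunk), the field should get an `@signal:` entry there as well.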
+1 −5
#include <linux/signal.h>

#define SIGUNKNOWN 0
#define MAXMAPPED_SIG 35
#define MAXMAPPED_SIGNAME (MAXMAPPED_SIG + 1)
#define SIGRT_BASE 128
#include "signal.h"

/* provide a mapping of arch signal to internal signal # for mediation
 * those that are always an alias SIGCLD for SIGCLHD and SIGPOLL for SIGIO