diff options
author | John Johansen <john.johansen@canonical.com> | 2012-05-22 08:22:18 -0700 |
---|---|---|
committer | John Rigby <john.rigby@linaro.org> | 2012-06-25 15:02:27 -0600 |
commit | ad84502eba74dbc6cf303e812f8c122d91ae3106 (patch) | |
tree | 19eab059791ae1a74835e373cc97b5a3b51c714a /security/apparmor/include/apparmor.h | |
parent | 721964d7ebe2759d41a7dfe78b1d6effdb1859a7 (diff) |
UBUNTU: SAUCE: apparmor: Add the ability to mediate mount
Add the ability for apparmor to do mediation of mount operations. Mount
rules require an updated apparmor_parser (2.8 series) for policy compilation.
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
Example mount commands
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) -> /mnt/
umount,
umount /m*,
See the apparmor userspace for full documentation
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Diffstat (limited to 'security/apparmor/include/apparmor.h')
-rw-r--r-- | security/apparmor/include/apparmor.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h index 40aedd9f73e..e243d96ddbd 100644 --- a/security/apparmor/include/apparmor.h +++ b/security/apparmor/include/apparmor.h @@ -29,8 +29,9 @@ #define AA_CLASS_NET 4 #define AA_CLASS_RLIMITS 5 #define AA_CLASS_DOMAIN 6 +#define AA_CLASS_MOUNT 7 -#define AA_CLASS_LAST AA_CLASS_DOMAIN +#define AA_CLASS_LAST AA_CLASS_MOUNT /* Control parameters settable through module/boot flags */ extern enum audit_mode aa_g_audit; |