Commit 617a629c authored by Matthew Garrett Committed by John Johansen

apparmor: Add a wildcard secid

Reserve a secid value that we can use as a wildcard, allowing us to
define policy that's expected to match against all secids.
Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
parent 1f8266ff
...@@ -22,6 +22,9 @@ struct aa_label; ...@@ -22,6 +22,9 @@ struct aa_label;
/* secid value that will not be allocated */ /* secid value that will not be allocated */
#define AA_SECID_INVALID 0 #define AA_SECID_INVALID 0
/* secid value that matches any other secid */
#define AA_SECID_WILDCARD 1
struct aa_label *aa_secid_to_label(u32 secid); struct aa_label *aa_secid_to_label(u32 secid);
int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
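Review bot: The new comment on AA_SECID_WILDCARD says what the value matches but not that it must never be allocated to a label, nor what aa_secid_to_label() and apparmor_secid_to_secctx(), declared just below, do when handed it. A caller that passes the wildcard through to those lookups would presumably get no label back, and that contract is worth stating where the constant is defined. I would extend the comment to something like `/* secid value that matches any other secid; reserved, never allocated to a label and not resolvable through aa_secid_to_label() */`, after confirming the lookup behaviour, which is not visible in this hunk.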
......
...@@ -32,8 +32,7 @@ ...@@ -32,8 +32,7 @@
* secids - do not pin labels with a refcount. They rely on the label * secids - do not pin labels with a refcount. They rely on the label
* properly updating/freeing them * properly updating/freeing them
*/ */
#define AA_FIRST_SECID 2
#define AA_FIRST_SECID 1
static DEFINE_IDR(aa_secids); static DEFINE_IDR(aa_secids);
static DEFINE_SPINLOCK(secid_lock); static DEFINE_SPINLOCK(secid_lock);
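Review bot: AA_FIRST_SECID is a bare literal whose job after this change is to stay above AA_SECID_WILDCARD, yet nothing ties the two together and they sit in separate hunks (the header hunk at -22,6 and this one). If either is edited alone, the allocator could presumably hand the wildcard value to a real label, which policy would then treat as matching every secid. Deriving it, `#define AA_FIRST_SECID (AA_SECID_WILDCARD + 1)`, would make the reservation self-enforcing, assuming this file already sees the header that defines the wildcard. The rendering lost the +/- markers here; I am reading 2 as the new value because it is the one consistent with the wildcard taking 1.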
......