kernel_optimize_test

History

John Johansen 2ea3ffb778 apparmor: add mount mediation Add basic mount mediation. That allows controlling based on basic mount parameters. It does not include special mount parameters for apparmor, super block labeling, or any triggers for apparmor namespace parameter modifications on pivot root. default userspace policy rules have the form of MOUNT RULE = ( MOUNT \| REMOUNT \| UMOUNT ) MOUNT = [ QUALIFIERS ] 'mount' [ MOUNT CONDITIONS ] [ SOURCE FILEGLOB ] [ '->' MOUNTPOINT FILEGLOB ] REMOUNT = [ QUALIFIERS ] 'remount' [ MOUNT CONDITIONS ] MOUNTPOINT FILEGLOB UMOUNT = [ QUALIFIERS ] 'umount' [ MOUNT CONDITIONS ] MOUNTPOINT FILEGLOB MOUNT CONDITIONS = [ ( 'fstype' \| 'vfstype' ) ( '=' \| 'in' ) MOUNT FSTYPE EXPRESSION ] [ 'options' ( '=' \| 'in' ) MOUNT FLAGS EXPRESSION ] MOUNT FSTYPE EXPRESSION = ( MOUNT FSTYPE LIST \| MOUNT EXPRESSION ) MOUNT FSTYPE LIST = Comma separated list of valid filesystem and virtual filesystem types (eg ext4, debugfs, etc) MOUNT FLAGS EXPRESSION = ( MOUNT FLAGS LIST \| MOUNT EXPRESSION ) MOUNT FLAGS LIST = Comma separated list of MOUNT FLAGS. MOUNT FLAGS = ( 'ro' \| 'rw' \| 'nosuid' \| 'suid' \| 'nodev' \| 'dev' \| 'noexec' \| 'exec' \| 'sync' \| 'async' \| 'remount' \| 'mand' \| 'nomand' \| 'dirsync' \| 'noatime' \| 'atime' \| 'nodiratime' \| 'diratime' \| 'bind' \| 'rbind' \| 'move' \| 'verbose' \| 'silent' \| 'loud' \| 'acl' \| 'noacl' \| 'unbindable' \| 'runbindable' \| 'private' \| 'rprivate' \| 'slave' \| 'rslave' \| 'shared' \| 'rshared' \| 'relatime' \| 'norelatime' \| 'iversion' \| 'noiversion' \| 'strictatime' \| 'nouser' \| 'user' ) MOUNT EXPRESSION = ( ALPHANUMERIC \| AARE ) ... PIVOT ROOT RULE = [ QUALIFIERS ] pivot_root [ oldroot=OLD PUT FILEGLOB ] [ NEW ROOT FILEGLOB ] SOURCE FILEGLOB = FILEGLOB MOUNTPOINT FILEGLOB = FILEGLOB eg. mount, mount /dev/foo, mount options=ro /dev/foo -> /mnt/, mount options in (ro,atime) /dev/foo -> /mnt/, mount options=ro options=atime, Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>		2017-09-22 13:00:57 -07:00
..
apparmor.h	apparmor: add mount mediation	2017-09-22 13:00:57 -07:00
apparmorfs.h	apparmor: add policy revision file interface	2017-06-10 17:11:27 -07:00
audit.h	apparmor: add mount mediation	2017-09-22 13:00:57 -07:00
capability.h	apparmor: move capability checks to using labels	2017-06-10 17:11:40 -07:00
context.h	apparmor: switch from profiles to using labels on contexts	2017-06-10 17:11:38 -07:00
crypto.h	apparmor: allow introspecting the loaded policy pre internal transform	2017-01-16 01:18:42 -08:00
domain.h	apparmor: add mount mediation	2017-09-22 13:00:57 -07:00
file.h	apparmor: move path_link mediation to using labels	2017-06-10 17:11:44 -07:00
ipc.h	apparmor: add the ability to mediate signals	2017-09-22 13:00:57 -07:00
label.h	apparmor: add the base fns() for domain labels	2017-06-10 17:11:38 -07:00
lib.h	apparmor: move exec domain mediation to using labels	2017-06-10 17:11:46 -07:00
match.h	apparmor: fix restricted endian type warnings for dfa unpack	2017-01-16 01:18:54 -08:00
mount.h	apparmor: add mount mediation	2017-09-22 13:00:57 -07:00
path.h	apparmor: Move path lookup to using preallocated buffers	2017-06-08 11:29:34 -07:00
perms.h	apparmor: add cross check permission helper macros	2017-06-10 17:11:41 -07:00
policy_ns.h	apparmor: switch from profiles to using labels on contexts	2017-06-10 17:11:38 -07:00
policy_unpack.h	apparmor: move to per loaddata files, instead of replicating in profiles	2017-06-08 12:51:49 -07:00
policy.h	apparmor: switch from profiles to using labels on contexts	2017-06-10 17:11:38 -07:00
procattr.h	apparmor: switch getprocattr to using label_print fns()	2017-06-10 17:11:39 -07:00
resource.h	apparmor: move resource checks to using labels	2017-06-10 17:11:40 -07:00
secid.h	apparmor: rename sid to secid	2017-01-16 00:42:17 -08:00
sig_names.h	apparmor: add the ability to mediate signals	2017-09-22 13:00:57 -07:00