apparmor: add support loading per permission tagging

Add support for the per permission tag index for a given permission
set. This will be used by both meta-data tagging, to allow annotating
accept states with context and debug information, as well as by rule
tainting and triggers to specify the taint or trigger to be applied.

Since these are low frequency ancillary data items they are stored
in a tighter packed format that allows for sharing and reuse of the
strings between permissions and accept states, reducing the amount of
kernel memory use at the cost of having to go through a couple of
index based indirections.

The tags are just strings that have no meaning without context. When
used as meta-data for auditing and debugging it's entirely information
for userspace, but triggers and tainting can be used to affect the
domain. However they all exist in the same packed data set and can
be shared between different uses.

Signed-off-by: John Johansen <john.johansen@canonical.com>