authorJohn Johansen <john.johansen@canonical.com>2025-04-01 15:51:41 -0700
committerJohn Johansen <john.johansen@canonical.com>2026-01-29 01:27:47 -0800
commit3d28e2397af7a89ac3de33c686ed404cda59b5d5 (patch)
tree0b0fe894927b882385ea87b4a20e2f8a01224da3 /security/apparmor/include
parentc140dcd1246bfe705921ca881bbb247ff1ba2bca (diff)
apparmor: add support loading per permission tagging
Add support for the per-permission tag index for a given permission set. This will be used both by meta-data tagging, to allow annotating accept states with context and debug information, and by rule tainting and triggers, to specify the taint or trigger to be applied. Since these are low-frequency ancillary data items, they are stored in a tighter packed format that allows the strings to be shared and reused between permissions and accept states, reducing kernel memory use at the cost of a couple of index-based indirections. The tags are just strings that have no meaning without context. When used as meta-data for auditing and debugging they are entirely information for userspace, but triggers and tainting can be used to affect the domain. However they all exist in the same packed data set and can be shared between different uses. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/include')
-rw-r--r--security/apparmor/include/audit.h2
-rw-r--r--security/apparmor/include/lib.h5
-rw-r--r--security/apparmor/include/policy.h32
3 files changed, 33 insertions, 6 deletions
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 1a71a94ea19c..aa00b34404f9 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -119,6 +119,8 @@ struct apparmor_audit_data {
const char *info;
u32 request;
u32 denied;
+ u32 tags;
+
union {
/* these entries require a custom callback fn */
struct {
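Review bot: The new `u32 tags;` member of struct apparmor_audit_data carries no comment, so a reader of audit.h cannot tell what it indexes or who fills it in; the struct's definition begins outside this hunk. Since the commit message describes a per-permission tag index, I would annotate the field in line with the neighbouring members, e.g. `u32 tags; /* tag set index of the matched permission (see aa_tags_struct in policy.h) */`, and state whether a value of 0 means "no tags" if that is the convention the unpacker relies on.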
diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
index 194be85e7fff..7ca8a92c449c 100644
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -30,9 +30,10 @@ extern struct aa_dfa *stacksplitdfa;
#define DEBUG_DOMAIN 4
#define DEBUG_POLICY 8
#define DEBUG_INTERFACE 0x10
-#define DEBUG_UNPACK 0x40
+#define DEBUG_UNPACK 0x20
+#define DEBUG_TAGS 0x40
-#define DEBUG_ALL 0x1f /* update if new DEBUG_X added */
+#define DEBUG_ALL 0x7f /* update if new DEBUG_X added */
#define DEBUG_PARSE_ERROR (-1)
#define DEBUG_ON (aa_g_debug != DEBUG_NONE)
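Review bot: DEBUG_UNPACK moves from 0x40 to 0x20 so that DEBUG_TAGS can take 0x40; if aa_g_debug can be set numerically anywhere (the apparmor.debug parameter or a debugfs/sysfs file rather than by flag name), an existing setting of 0x40 now selects TAGS instead of UNPACK, which deserves a line in the commit message. The hunk also shows why the `update if new DEBUG_X added` comment is fragile: the removed DEBUG_ALL of 0x1f did not include the old 0x40 DEBUG_UNPACK bit, whether deliberately or not, while the new 0x7f does. Deriving the mask from the highest flag avoids the next omission: `#define DEBUG_ALL ((DEBUG_TAGS << 1) - 1) /* every bit up to the highest DEBUG_X flag */`.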
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 4c50875c9d13..5115ebae2661 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -79,11 +79,33 @@ enum profile_mode {
};
+struct aa_tags_header {
+ u32 mask; /* bit mask matching permissions */
+ u32 count; /* number of strings per entry */
+ u32 size; /* size of all strings covered by count */
+ u32 tags; /* index into string table */
+};
+
+struct aa_tags_struct {
+ struct {
+ u32 size; /* number of entries in tagsets */
+ u32 *table; /* indexes into headers & strs */
+ } sets;
+ struct {
+ u32 size; /* number of headers == num of strs */
+ struct aa_tags_header *table;
+ } hdrs;
+ struct aa_str_table strs;
+};
+
/* struct aa_policydb - match engine for a policy
- * count: refcount for the pdb
- * dfa: dfa pattern match
- * perms: table of permissions
- * strs: table of strings, index by x
+ * @count: refcount for the pdb
+ * @dfa: dfa pattern match
+ * @perms: table of permissions
+ * @size: number of entries in @perms
+ * @trans: table of strings, index by x
+ * @tags: table of tags that perms->tag indexes
+ * @start:_states to start in for each class
* start: set of start states for the different classes of data
*/
struct aa_policydb {
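Review bot: The kernel-doc block for struct aa_policydb now documents `start` twice — the added `@start:_states to start in for each class` (stray underscore, missing word) and the old ` * start: set of start states for the different classes of data` line this hunk leaves in place; drop one and fix the other, e.g. ` * @start: set of start states for the different classes of data`, and `@trans: table of strings, index by x` should read `indexed by x`. `@size: number of entries in @perms` describes the nested perms.size member rather than a top-level field, so `@perms.size` would be clearer. Separately, aa_tags_header.tags and the entries of aa_tags_struct.sets.table are indexes that, per the commit message, come from the loaded policy blob; the header comments should spell out the invariants the loader (outside this hunk) presumably enforces — each sets.table entry within hdrs.size, each header's @tags..@count range within strs — so a malformed profile cannot yield an out-of-range lookup at match or audit time.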
@@ -94,11 +116,13 @@ struct aa_policydb {
u32 size;
};
struct aa_str_table trans;
+ struct aa_tags_struct tags;
aa_state_t start[AA_CLASS_LAST + 1];
};
extern struct aa_policydb *nullpdb;
+void aa_destroy_tags(struct aa_tags_struct *tags);
struct aa_policydb *aa_alloc_pdb(gfp_t gfp);
void aa_pdb_free_kref(struct kref *kref);
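Review bot: `void aa_destroy_tags(struct aa_tags_struct *tags);` is declared without saying what it owns: aa_tags_struct is embedded by value in aa_policydb on the line added above it, so the function presumably frees sets.table, hdrs.table and the strs table but must not free @tags itself, and whether it is safe to call on a zeroed or partially unpacked struct (the natural error path in the unpacker) matters to its callers. A one-line comment would pin that down, e.g. `/* free the tables owned by @tags, not @tags itself (embedded in aa_policydb); must tolerate a zeroed struct */` — adjust if the implementation, which is outside this hunk, does not tolerate partially initialised input. It would also help to state that aa_pdb_free_kref is expected to call it so the tables are not leaked with the pdb.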