authorJohn Johansen <john.johansen@canonical.com>2022-03-26 11:46:18 +0300
committerJohn Johansen <john.johansen@canonical.com>2022-07-19 12:55:45 +0300
commitc1ed5da197652318341fd36333d45e8e6d5c3359 (patch)
tree683644f81fe3f38082ddc519a8d7d798e183ab70 /security/apparmor/policy_unpack.c
parent2504db207146543736e877241f3b3de005cbe056 (diff)
apparmor: allow label to carry debug flags
Allow labels to have debug flags that can be used to trigger debug output only from profiles/labels that are marked. This can help reduce debug output by allowing debug to be targeted to a specific confinement condition. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/policy_unpack.c')
-rw-r--r--security/apparmor/policy_unpack.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 302fecf9b197..55d31bac4f35 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -748,6 +748,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
goto fail;
if (tmp & PACKED_FLAG_HAT)
profile->label.flags |= FLAG_HAT;
+ if (tmp & PACKED_FLAG_DEBUG1)
+ profile->label.flags |= FLAG_DEBUG1;
+ if (tmp & PACKED_FLAG_DEBUG2)
+ profile->label.flags |= FLAG_DEBUG2;
if (!unpack_u32(e, &tmp, NULL))
goto fail;
if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG)) {
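Review bot: The two new tests copy PACKED_FLAG_DEBUG1 and PACKED_FLAG_DEBUG2 straight from the packed policy word into profile->label.flags, with no comment saying who may turn per-label debug output on. Because the bits come from the loaded policy blob, anyone permitted to load policy can mark a label for debugging. If policy can be loaded from a less privileged context (not visible in this hunk), that context could raise kernel log volume, so it is worth confirming the debug output is rate-limited or gated where the flags are consumed. I would add above the first test a comment such as `/* debug flags come from the loaded policy and only select labels for debug output; they must never affect mediation */`. The body of unpack_profile() starts and ends outside the hunk.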