authorJohn Johansen <john.johansen@canonical.com>2023-08-21 16:54:58 -0700
committerJohn Johansen <john.johansen@canonical.com>2025-01-18 06:47:12 -0800
commit84c455decf27ce97a23fb70b58075592ab88d66a (patch)
tree0259a3a265ff60e4329adfe6787592194a7a68b8 /security/apparmor/policy_unpack.c
parent2e12c5f060176ede209673e4f63ea5d0e3c5814c (diff)
apparmor: add support for profiles to define the kill signal
Previously apparmor has only sent SIGKILL but there are cases where it can be useful to send a different signal. Allow the profile to optionally specify a different value. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/policy_unpack.c')
-rw-r--r--security/apparmor/policy_unpack.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 7813920a21e5..73139189df0f 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -29,6 +29,7 @@
#include "include/policy.h"
#include "include/policy_unpack.h"
#include "include/policy_compat.h"
+#include "include/signal.h"
/* audit callback for unpack fields */
static void audit_cb(struct audit_buffer *ab, void *va)
@@ -916,6 +917,12 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
(void) aa_unpack_strdup(e, &disconnected, "disconnected");
profile->disconnected = disconnected;
+ /* optional */
+ (void) aa_unpack_u32(e, &profile->signal, "kill");
+ if (profile->signal < 1 && profile->signal > MAXMAPPED_SIG) {
+ info = "profile kill.signal invalid value";
+ goto fail;
+ }
/* per profile debug flags (complain, audit) */
if (!aa_unpack_nameX(e, AA_STRUCT, "flags")) {
info = "profile missing flags";
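Review bot: The range check on `profile->signal` can never fire, because no value is both `< 1` and `> MAXMAPPED_SIG`; with `&&` the condition is always false and any u32 read from the policy blob is accepted as the kill signal. The check should read `if (profile->signal < 1 || profile->signal > MAXMAPPED_SIG) {`. Since the return value of `aa_unpack_u32()` is discarded for this optional field, the corrected check will also run when "kill" is absent, so it depends on the profile's default signal already being in range; that initialization is not visible in this hunk and should be confirmed. The body of unpack_profile starts and ends outside the hunk.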