Merge tag 'apparmor-pr-2017-11-21' of...

	long last_read;

	int avail;

	mutex_lock(&rev->ns->lock);

	mutex_lock_nested(&rev->ns->lock, rev->ns->level);

	last_read = rev->last_read;

	if (last_read == rev->ns->revision) {

		mutex_unlock(&rev->ns->lock);

					     last_read !=

					     READ_ONCE(rev->ns->revision)))

			return -ERESTARTSYS;

		mutex_lock(&rev->ns->lock);

		mutex_lock_nested(&rev->ns->lock, rev->ns->level);

	}

	avail = sprintf(buffer, "%ld\n", rev->ns->revision);

	unsigned int mask = 0;

	if (rev) {

		mutex_lock(&rev->ns->lock);

		mutex_lock_nested(&rev->ns->lock, rev->ns->level);

		poll_wait(file, &rev->ns->wait, pt);

		if (rev->last_read < rev->ns->revision)

			mask |= POLLIN | POLLRDNORM;

	 */

	inode_unlock(dir);

	error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count);

	mutex_lock(&parent->lock);

	mutex_lock_nested(&parent->lock, parent->level);

	inode_lock_nested(dir, I_MUTEX_PARENT);

	if (error)

		goto out;

	inode_unlock(dir);

	inode_unlock(dentry->d_inode);

	mutex_lock(&parent->lock);

	mutex_lock_nested(&parent->lock, parent->level);

	ns = aa_get_ns(__aa_findn_ns(&parent->sub_ns, dentry->d_name.name,

				     dentry->d_name.len));

	if (!ns) {

		__aafs_profile_rmdir(child);

	list_for_each_entry(sub, &ns->sub_ns, base.list) {

		mutex_lock(&sub->lock);

		mutex_lock_nested(&sub->lock, sub->level);

		__aafs_ns_rmdir(sub);

		mutex_unlock(&sub->lock);

	}

	/* subnamespaces */

	list_for_each_entry(sub, &ns->sub_ns, base.list) {

		mutex_lock(&sub->lock);

		mutex_lock_nested(&sub->lock, sub->level);

		error = __aafs_ns_mkdir(sub, ns_subns_dir(ns), NULL, NULL);

		mutex_unlock(&sub->lock);

		if (error)

	/* is next namespace a child */

	if (!list_empty(&ns->sub_ns)) {

		next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);

		mutex_lock(&next->lock);

		mutex_lock_nested(&next->lock, next->level);

		return next;

	}

		mutex_unlock(&ns->lock);

		next = list_next_entry(ns, base.list);

		if (!list_entry_is_head(next, &parent->sub_ns, base.list)) {

			mutex_lock(&next->lock);

			mutex_lock_nested(&next->lock, next->level);

			return next;

		}

		ns = parent;

	f->private = root;

	/* find the first profile */

	mutex_lock(&root->lock);

	mutex_lock_nested(&root->lock, root->level);

	profile = __first_profile(root, root);

	/* skip to position */

	ns_subrevision(root_ns) = dent;

	/* policy tree referenced by magic policy symlink */

	mutex_lock(&root_ns->lock);

	mutex_lock_nested(&root_ns->lock, root_ns->level);

	error = __aafs_ns_mkdir(root_ns, aafs_mnt->mnt_root, ".policy",

				aafs_mnt->mnt_root);

	mutex_unlock(&root_ns->lock);

 * __attach_match_ - find an attachment match

 * @name - to match against  (NOT NULL)

 * @head - profile list to walk  (NOT NULL)

 * @info - info message if there was an error (NOT NULL)

 *

 * Do a linear search on the profiles in the list.  There is a matching

 * preference where an exact match is preferred over a name which uses

 * Returns: profile or NULL if no match found

 */

static struct aa_profile *__attach_match(const char *name,

					 struct list_head *head)

					 struct list_head *head,

					 const char **info)

{

	int len = 0;

	bool conflict = false;

	struct aa_profile *profile, *candidate = NULL;

	list_for_each_entry_rcu(profile, head, base.list) {

		if (profile->label.flags & FLAG_NULL)

		if (profile->label.flags & FLAG_NULL &&

		    &profile->label == ns_unconfined(profile->ns))

			continue;

		if (profile->xmatch) {

			if (profile->xmatch_len == len) {

				conflict = true;

				continue;

		if (profile->xmatch && profile->xmatch_len > len) {

			unsigned int state = aa_dfa_match(profile->xmatch,

			} else if (profile->xmatch_len > len) {

				unsigned int state;

				u32 perm;

				state = aa_dfa_match(profile->xmatch,

						     DFA_START, name);

			u32 perm = dfa_user_allow(profile->xmatch, state);

				perm = dfa_user_allow(profile->xmatch, state);

				/* any accepting state means a valid match. */

				if (perm & MAY_EXEC) {

					candidate = profile;

					len = profile->xmatch_len;

					conflict = false;

				}

			}

		} else if (!strcmp(profile->base.name, name))

			/* exact non-re match, no more searching required */

			return profile;

	}

	if (conflict) {

		*info = "conflicting profile attachments";

		return NULL;

	}

	return candidate;

}

 * @ns: the current namespace  (NOT NULL)

 * @list: list to search  (NOT NULL)

 * @name: the executable name to match against  (NOT NULL)

 * @info: info message if there was an error

 *

 * Returns: label or NULL if no match found

 */

static struct aa_label *find_attach(struct aa_ns *ns, struct list_head *list,

				    const char *name)

				    const char *name, const char **info)

{

	struct aa_profile *profile;

	rcu_read_lock();

	profile = aa_get_profile(__attach_match(name, list));

	profile = aa_get_profile(__attach_match(name, list, info));

	rcu_read_unlock();

	return profile ? &profile->label : NULL;

		if (xindex & AA_X_CHILD)

			/* released by caller */

			new = find_attach(ns, &profile->base.profiles,

						name);

					  name, info);

		else

			/* released by caller */

			new = find_attach(ns, &ns->base.profiles,

						name);

					  name, info);

		*lookupname = name;

		break;

	}

	if (profile_unconfined(profile)) {

		new = find_attach(profile->ns, &profile->ns->base.profiles,

				  name);

				  name, &info);

		if (new) {

			AA_DEBUG("unconfined attached to new label");

			return new;

		}

	} else if (COMPLAIN_MODE(profile)) {

		/* no exec permission - learning mode */

		struct aa_profile *new_profile = aa_new_null_profile(profile,

							      false, name,

							      GFP_ATOMIC);

		struct aa_profile *new_profile = NULL;

		char *n = kstrdup(name, GFP_ATOMIC);

		if (n) {

			/* name is ptr into buffer */

			long pos = name - buffer;

			/* break per cpu buffer hold */

			put_buffers(buffer);

			new_profile = aa_new_null_profile(profile, false, n,

							  GFP_KERNEL);

			get_buffers(buffer);

			name = buffer + pos;

			strcpy((char *)name, n);

			kfree(n);

		}

		if (!new_profile) {

			error = -ENOMEM;

			info = "could not create null profile";

struct aa_perms aa_compute_fperms(struct aa_dfa *dfa, unsigned int state,

				  struct path_cond *cond)

{

	struct aa_perms perms;

	/* FIXME: change over to new dfa format

	 * currently file perms are encoded in the dfa, new format

	 * splits the permissions from the dfa.  This mapping can be

	 * done at profile load

	 */

	perms.deny = 0;

	perms.kill = perms.stop = 0;

	perms.complain = perms.cond = 0;

	perms.hide = 0;

	perms.prompt = 0;

	struct aa_perms perms = { };

	if (uid_eq(current_fsuid(), cond->uid)) {

		perms.allow = map_old_perms(dfa_user_allow(dfa, state));

	__labelset_update(ns);

	list_for_each_entry(child, &ns->sub_ns, base.list) {

		mutex_lock(&child->lock);

		mutex_lock_nested(&child->lock, child->level);

		__aa_labelset_update_subtree(child);

		mutex_unlock(&child->lock);

	}

void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,

		      struct aa_perms *perms)

{

	perms->deny = 0;

	perms->kill = perms->stop = 0;

	perms->complain = perms->cond = 0;

	perms->hide = 0;

	perms->prompt = 0;

	perms->allow = dfa_user_allow(dfa, state);

	perms->audit = dfa_user_audit(dfa, state);

	perms->quiet = dfa_user_quiet(dfa, state);

	*perms = (struct aa_perms) {

		.allow = dfa_user_allow(dfa, state),

		.audit = dfa_user_audit(dfa, state),

		.quiet = dfa_user_quiet(dfa, state),

	};

	/* for v5 perm mapping in the policydb, the other set is used

	 * to extend the general perm set

		   void (*cb)(struct audit_buffer *, void *))

{

	int type, error;

	bool stop = false;

	u32 denied = request & (~perms->allow | perms->deny);

	if (likely(!denied)) {

		else

			type = AUDIT_APPARMOR_DENIED;

		if (denied & perms->stop)

			stop = true;

		if (denied == (denied & perms->hide))

			error = -ENOENT;