
Commit 69b5a44a authored by Casey Schaufler's avatar Casey Schaufler Committed by Kees Cook

AppArmor: Abstract use of cred security blob



Don't use the cred->security pointer directly.
Provide a helper function that provides the security blob pointer.

Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
[kees: adjusted for ordered init series]
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
parent 3d252529
+1 −1
@@ -975,7 +975,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
	}
	aa_put_label(cred_label(bprm->cred));
	/* transfer reference, released when cred is freed */
	cred_label(bprm->cred) = new;
	set_cred_label(bprm->cred, new);

done:
	aa_put_label(label);
+15 −1
@@ -23,8 +23,22 @@
#include "policy_ns.h"
#include "task.h"

#define cred_label(X) ((X)->security)
static inline struct aa_label *cred_label(const struct cred *cred)
{
	struct aa_label **blob = cred->security;

	AA_BUG(!blob);
	return *blob;
}

static inline void set_cred_label(const struct cred *cred,
				  struct aa_label *label)
{
	struct aa_label **blob = cred->security;

	AA_BUG(!blob);
	*blob = label;
}

/**
 * aa_cred_raw_label - obtain cred's label
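Review bot: Both new helpers, `cred_label()` and `set_cred_label()`, dereference `blob` unconditionally right after `AA_BUG(!blob)`, so if `AA_BUG` is built as a warning or a no-op rather than a hard stop, a cred whose security blob was never set up by the LSM infrastructure becomes a NULL pointer dereference inside the helper instead of a caught assertion; the precondition that the blob is always present for every cred reaching these helpers should be stated explicitly. Unlike `aa_cred_raw_label` immediately below, neither helper has a kernel-doc comment; I would add one on `cred_label()` along the lines of `/** cred_label - return the aa_label stored in @cred's security blob (blob must be allocated) */` and a matching one on `set_cred_label()`. The `set_cred_label()` comment should also say that it stores @label without taking or dropping any reference, since the call sites in this commit (`aa_put_label(cred_label(new))` followed by `set_cred_label(new, ...)`) rely on reference ownership staying with the caller.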
+5 −5
@@ -60,7 +60,7 @@ DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
static void apparmor_cred_free(struct cred *cred)
{
	aa_put_label(cred_label(cred));
	cred_label(cred) = NULL;
	set_cred_label(cred, NULL);
}

/*
@@ -68,7 +68,7 @@ static void apparmor_cred_free(struct cred *cred)
 */
static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
	cred_label(cred) = NULL;
	set_cred_label(cred, NULL);
	return 0;
}

@@ -78,7 +78,7 @@ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
				 gfp_t gfp)
{
	cred_label(new) = aa_get_newest_label(cred_label(old));
	set_cred_label(new, aa_get_newest_label(cred_label(old)));
	return 0;
}

@@ -87,7 +87,7 @@ static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
 */
static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
{
	cred_label(new) = aa_get_newest_label(cred_label(old));
	set_cred_label(new, aa_get_newest_label(cred_label(old)));
}

static void apparmor_task_free(struct task_struct *task)
@@ -1485,7 +1485,7 @@ static int __init set_init_ctx(void)
	if (!ctx)
		return -ENOMEM;

	cred_label(cred) = aa_get_label(ns_unconfined(root_ns));
	set_cred_label(cred, aa_get_label(ns_unconfined(root_ns)));
	task_ctx(current) = ctx;

	return 0;
+3 −3
@@ -81,7 +81,7 @@ int aa_replace_current_label(struct aa_label *label)
	 */
	aa_get_label(label);
	aa_put_label(cred_label(new));
	cred_label(new) = label;
	set_cred_label(new, label);

	commit_creds(new);
	return 0;
@@ -138,7 +138,7 @@ int aa_set_current_hat(struct aa_label *label, u64 token)
		return -EACCES;
	}

	cred_label(new) = aa_get_newest_label(label);
	set_cred_label(new, aa_get_newest_label(label));
	/* clear exec on switching context */
	aa_put_label(ctx->onexec);
	ctx->onexec = NULL;
@@ -172,7 +172,7 @@ int aa_restore_previous_label(u64 token)
		return -ENOMEM;

	aa_put_label(cred_label(new));
	cred_label(new) = aa_get_newest_label(ctx->previous);
	set_cred_label(new, aa_get_newest_label(ctx->previous));
	AA_BUG(!cred_label(new));
	/* clear exec && prev information when restoring to previous context */
	aa_clear_task_ctx_trans(ctx);