Loading security/apparmor/apparmorfs.c +23 −26 Original line number Original line Diff line number Diff line Loading @@ -478,9 +478,9 @@ int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) return error; return error; } } void __aa_fs_namespace_rmdir(struct aa_namespace *ns) void __aa_fs_ns_rmdir(struct aa_ns *ns) { { struct aa_namespace *sub; struct aa_ns *sub; struct aa_profile *child; struct aa_profile *child; int i; int i; Loading @@ -492,7 +492,7 @@ void __aa_fs_namespace_rmdir(struct aa_namespace *ns) list_for_each_entry(sub, &ns->sub_ns, base.list) { list_for_each_entry(sub, &ns->sub_ns, base.list) { mutex_lock(&sub->lock); mutex_lock(&sub->lock); __aa_fs_namespace_rmdir(sub); __aa_fs_ns_rmdir(sub); mutex_unlock(&sub->lock); mutex_unlock(&sub->lock); } } Loading @@ -502,10 +502,9 @@ void __aa_fs_namespace_rmdir(struct aa_namespace *ns) } } } } int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name) const char *name) { { struct aa_namespace *sub; struct aa_ns *sub; struct aa_profile *child; struct aa_profile *child; struct dentry *dent, *dir; struct dentry *dent, *dir; int error; int error; Loading Loading @@ -536,7 +535,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, list_for_each_entry(sub, &ns->sub_ns, base.list) { list_for_each_entry(sub, &ns->sub_ns, base.list) { mutex_lock(&sub->lock); mutex_lock(&sub->lock); error = __aa_fs_namespace_mkdir(sub, ns_subns_dir(ns), NULL); error = __aa_fs_ns_mkdir(sub, ns_subns_dir(ns), NULL); mutex_unlock(&sub->lock); mutex_unlock(&sub->lock); if (error) if (error) goto fail2; goto fail2; Loading @@ -548,7 +547,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, error = PTR_ERR(dent); error = PTR_ERR(dent); fail2: fail2: __aa_fs_namespace_rmdir(ns); __aa_fs_ns_rmdir(ns); return error; return error; } } Loading @@ -557,7 +556,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, #define list_entry_is_head(pos, head, member) (&pos->member == (head)) #define list_entry_is_head(pos, head, member) (&pos->member == (head)) /** /** * __next_namespace - find the next namespace to list * __next_ns - find the next namespace to list * @root: root namespace to stop search at (NOT NULL) * @root: root namespace to stop search at (NOT NULL) * @ns: current ns position (NOT NULL) * @ns: current ns position (NOT NULL) * * Loading @@ -568,10 +567,9 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, * Requires: ns->parent->lock to be held * Requires: ns->parent->lock to be held * NOTE: will not unlock root->lock * NOTE: will not unlock root->lock */ */ static struct aa_namespace *__next_namespace(struct aa_namespace *root, static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns) struct aa_namespace *ns) { { struct aa_namespace *parent, *next; struct aa_ns *parent, *next; /* is next namespace a child */ /* is next namespace a child */ if (!list_empty(&ns->sub_ns)) { if (!list_empty(&ns->sub_ns)) { Loading Loading @@ -604,10 +602,10 @@ static struct aa_namespace *__next_namespace(struct aa_namespace *root, * Returns: unrefcounted profile or NULL if no profile * Returns: unrefcounted profile or NULL if no profile * Requires: profile->ns.lock to be held * Requires: profile->ns.lock to be held */ */ static struct aa_profile *__first_profile(struct aa_namespace *root, static struct aa_profile *__first_profile(struct aa_ns *root, struct aa_namespace *ns) struct aa_ns *ns) { { for (; ns; ns = __next_namespace(root, ns)) { for (; ns; ns = __next_ns(root, ns)) { if (!list_empty(&ns->base.profiles)) if (!list_empty(&ns->base.profiles)) return list_first_entry(&ns->base.profiles, return list_first_entry(&ns->base.profiles, struct aa_profile, base.list); struct aa_profile, base.list); Loading @@ -627,7 +625,7 @@ static struct aa_profile *__first_profile(struct aa_namespace *root, static struct aa_profile *__next_profile(struct aa_profile *p) static struct aa_profile *__next_profile(struct aa_profile *p) { { struct aa_profile *parent; struct aa_profile *parent; struct aa_namespace *ns = p->ns; struct aa_ns *ns = p->ns; /* is next profile a child */ /* is next profile a child */ if (!list_empty(&p->base.profiles)) if (!list_empty(&p->base.profiles)) Loading Loading @@ -661,7 +659,7 @@ static struct aa_profile *__next_profile(struct aa_profile *p) * * * Returns: next profile or NULL if there isn't one * Returns: next profile or NULL if there isn't one */ */ static struct aa_profile *next_profile(struct aa_namespace *root, static struct aa_profile *next_profile(struct aa_ns *root, struct aa_profile *profile) struct aa_profile *profile) { { struct aa_profile *next = __next_profile(profile); struct aa_profile *next = __next_profile(profile); Loading @@ -669,7 +667,7 @@ static struct aa_profile *next_profile(struct aa_namespace *root, return next; return next; /* finished all profiles in namespace move to next namespace */ /* finished all profiles in namespace move to next namespace */ return __first_profile(root, __next_namespace(root, profile->ns)); return __first_profile(root, __next_ns(root, profile->ns)); } } /** /** Loading @@ -684,9 +682,9 @@ static struct aa_profile *next_profile(struct aa_namespace *root, static void *p_start(struct seq_file *f, loff_t *pos) static void *p_start(struct seq_file *f, loff_t *pos) { { struct aa_profile *profile = NULL; struct aa_profile *profile = NULL; struct aa_namespace *root = aa_current_profile()->ns; struct aa_ns *root = aa_current_profile()->ns; loff_t l = *pos; loff_t l = *pos; f->private = aa_get_namespace(root); f->private = aa_get_ns(root); /* find the first profile */ /* find the first profile */ Loading @@ -713,7 +711,7 @@ static void *p_start(struct seq_file *f, loff_t *pos) static void *p_next(struct seq_file *f, void *p, loff_t *pos) static void *p_next(struct seq_file *f, void *p, loff_t *pos) { { struct aa_profile *profile = p; struct aa_profile *profile = p; struct aa_namespace *ns = f->private; struct aa_ns *ns = f->private; (*pos)++; (*pos)++; return next_profile(ns, profile); return next_profile(ns, profile); Loading @@ -729,14 +727,14 @@ static void *p_next(struct seq_file *f, void *p, loff_t *pos) static void p_stop(struct seq_file *f, void *p) static void p_stop(struct seq_file *f, void *p) { { struct aa_profile *profile = p; struct aa_profile *profile = p; struct aa_namespace *root = f->private, *ns; struct aa_ns *root = f->private, *ns; if (profile) { if (profile) { for (ns = profile->ns; ns && ns != root; ns = ns->parent) for (ns = profile->ns; ns && ns != root; ns = ns->parent) mutex_unlock(&ns->lock); mutex_unlock(&ns->lock); } } mutex_unlock(&root->lock); mutex_unlock(&root->lock); aa_put_namespace(root); aa_put_ns(root); } } /** /** Loading @@ -749,7 +747,7 @@ static void p_stop(struct seq_file *f, void *p) static int seq_show_profile(struct seq_file *f, void *p) static int seq_show_profile(struct seq_file *f, void *p) { { struct aa_profile *profile = (struct aa_profile *)p; struct aa_profile *profile = (struct aa_profile *)p; struct aa_namespace *root = f->private; struct aa_ns *root = f->private; if (profile->ns != root) if (profile->ns != root) seq_printf(f, ":%s://", aa_ns_name(root, profile->ns)); seq_printf(f, ":%s://", aa_ns_name(root, profile->ns)); Loading Loading @@ -951,8 +949,7 @@ static int __init aa_create_aafs(void) if (error) if (error) goto error; goto error; error = __aa_fs_namespace_mkdir(root_ns, aa_fs_entry.dentry, error = __aa_fs_ns_mkdir(root_ns, aa_fs_entry.dentry, "policy"); "policy"); if (error) if (error) goto error; goto error; Loading security/apparmor/domain.c +12 −12 Original line number Original line Diff line number Diff line Loading @@ -94,7 +94,7 @@ static int may_change_ptraced_domain(struct aa_profile *to_profile) * Returns: permission set * Returns: permission set */ */ static struct file_perms change_profile_perms(struct aa_profile *profile, static struct file_perms change_profile_perms(struct aa_profile *profile, struct aa_namespace *ns, struct aa_ns *ns, const char *name, u32 request, const char *name, u32 request, unsigned int start) unsigned int start) { { Loading Loading @@ -171,7 +171,7 @@ static struct aa_profile *__attach_match(const char *name, * * * Returns: profile or NULL if no match found * Returns: profile or NULL if no match found */ */ static struct aa_profile *find_attach(struct aa_namespace *ns, static struct aa_profile *find_attach(struct aa_ns *ns, struct list_head *list, const char *name) struct list_head *list, const char *name) { { struct aa_profile *profile; struct aa_profile *profile; Loading Loading @@ -240,7 +240,7 @@ static const char *next_name(int xtype, const char *name) static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) { { struct aa_profile *new_profile = NULL; struct aa_profile *new_profile = NULL; struct aa_namespace *ns = profile->ns; struct aa_ns *ns = profile->ns; u32 xtype = xindex & AA_X_TYPE_MASK; u32 xtype = xindex & AA_X_TYPE_MASK; int index = xindex & AA_X_INDEX_MASK; int index = xindex & AA_X_INDEX_MASK; const char *name; const char *name; Loading @@ -248,7 +248,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) /* index is guaranteed to be in range, validated at load time */ /* index is guaranteed to be in range, validated at load time */ for (name = profile->file.trans.table[index]; !new_profile && name; for (name = profile->file.trans.table[index]; !new_profile && name; name = next_name(xtype, name)) { name = next_name(xtype, name)) { struct aa_namespace *new_ns; struct aa_ns *new_ns; const char *xname = NULL; const char *xname = NULL; new_ns = NULL; new_ns = NULL; Loading @@ -268,7 +268,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) ; ; } } /* released below */ /* released below */ new_ns = aa_find_namespace(ns, ns_name); new_ns = aa_find_ns(ns, ns_name); if (!new_ns) if (!new_ns) continue; continue; } else if (*name == '@') { } else if (*name == '@') { Loading @@ -281,7 +281,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) /* released by caller */ /* released by caller */ new_profile = aa_lookup_profile(new_ns ? new_ns : ns, xname); new_profile = aa_lookup_profile(new_ns ? new_ns : ns, xname); aa_put_namespace(new_ns); aa_put_ns(new_ns); } } /* released by caller */ /* released by caller */ Loading @@ -302,7 +302,7 @@ static struct aa_profile *x_to_profile(struct aa_profile *profile, const char *name, u32 xindex) const char *name, u32 xindex) { { struct aa_profile *new_profile = NULL; struct aa_profile *new_profile = NULL; struct aa_namespace *ns = profile->ns; struct aa_ns *ns = profile->ns; u32 xtype = xindex & AA_X_TYPE_MASK; u32 xtype = xindex & AA_X_TYPE_MASK; switch (xtype) { switch (xtype) { Loading Loading @@ -339,7 +339,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) { { struct aa_task_cxt *cxt; struct aa_task_cxt *cxt; struct aa_profile *profile, *new_profile = NULL; struct aa_profile *profile, *new_profile = NULL; struct aa_namespace *ns; struct aa_ns *ns; char *buffer = NULL; char *buffer = NULL; unsigned int state; unsigned int state; struct file_perms perms = {}; struct file_perms perms = {}; Loading Loading @@ -746,7 +746,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, { { const struct cred *cred; const struct cred *cred; struct aa_profile *profile, *target = NULL; struct aa_profile *profile, *target = NULL; struct aa_namespace *ns = NULL; struct aa_ns *ns = NULL; struct file_perms perms = {}; struct file_perms perms = {}; const char *name = NULL, *info = NULL; const char *name = NULL, *info = NULL; int op, error = 0; int op, error = 0; Loading Loading @@ -780,7 +780,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, if (ns_name) { if (ns_name) { /* released below */ /* released below */ ns = aa_find_namespace(profile->ns, ns_name); ns = aa_find_ns(profile->ns, ns_name); if (!ns) { if (!ns) { /* we don't create new namespace in complain mode */ /* we don't create new namespace in complain mode */ name = ns_name; name = ns_name; Loading @@ -790,7 +790,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, } } } else } else /* released below */ /* released below */ ns = aa_get_namespace(profile->ns); ns = aa_get_ns(profile->ns); /* if the name was not specified, use the name of the current profile */ /* if the name was not specified, use the name of the current profile */ if (!hname) { if (!hname) { Loading Loading @@ -843,7 +843,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request, error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request, name, hname, GLOBAL_ROOT_UID, info, error); name, hname, GLOBAL_ROOT_UID, info, error); aa_put_namespace(ns); aa_put_ns(ns); aa_put_profile(target); aa_put_profile(target); put_cred(cred); put_cred(cred); Loading security/apparmor/include/apparmorfs.h +4 −4 Original line number Original line Diff line number Diff line Loading @@ -62,7 +62,7 @@ extern const struct file_operations aa_fs_seq_file_ops; extern void __init aa_destroy_aafs(void); extern void __init aa_destroy_aafs(void); struct aa_profile; struct aa_profile; struct aa_namespace; struct aa_ns; enum aafs_ns_type { enum aafs_ns_type { AAFS_NS_DIR, AAFS_NS_DIR, Loading Loading @@ -97,8 +97,8 @@ void __aa_fs_profile_rmdir(struct aa_profile *profile); void __aa_fs_profile_migrate_dents(struct aa_profile *old, void __aa_fs_profile_migrate_dents(struct aa_profile *old, struct aa_profile *new); struct aa_profile *new); int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent); int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent); void __aa_fs_namespace_rmdir(struct aa_namespace *ns); void __aa_fs_ns_rmdir(struct aa_ns *ns); int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name); const char *name); #endif /* __AA_APPARMORFS_H */ #endif /* __AA_APPARMORFS_H */ security/apparmor/include/policy.h +4 −4 Original line number Original line Diff line number Diff line Loading @@ -31,7 +31,7 @@ #include "resource.h" #include "resource.h" struct aa_namespace; struct aa_ns; extern const char *const aa_profile_mode_names[]; extern const char *const aa_profile_mode_names[]; #define APPARMOR_MODE_NAMES_MAX_INDEX 4 #define APPARMOR_MODE_NAMES_MAX_INDEX 4 Loading Loading @@ -141,7 +141,7 @@ struct aa_profile { struct rcu_head rcu; struct rcu_head rcu; struct aa_profile __rcu *parent; struct aa_profile __rcu *parent; struct aa_namespace *ns; struct aa_ns *ns; struct aa_replacedby *replacedby; struct aa_replacedby *replacedby; const char *rename; const char *rename; Loading Loading @@ -177,8 +177,8 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat); void aa_free_profile(struct aa_profile *profile); void aa_free_profile(struct aa_profile *profile); void aa_free_profile_kref(struct kref *kref); void aa_free_profile_kref(struct kref *kref); struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name); struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name); struct aa_profile *aa_lookup_profile(struct aa_namespace *ns, const char *name); struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *name); struct aa_profile *aa_match_profile(struct aa_namespace *ns, const char *name); struct aa_profile *aa_match_profile(struct aa_ns *ns, const char *name); ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace); ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace); ssize_t aa_remove_profiles(char *name, size_t size); ssize_t aa_remove_profiles(char *name, size_t size); Loading security/apparmor/include/policy_ns.h +21 −22 Original line number Original line Diff line number Diff line Loading @@ -35,7 +35,7 @@ struct aa_ns_acct { int count; int count; }; }; /* struct aa_namespace - namespace for a set of profiles /* struct aa_ns - namespace for a set of profiles * @base: common policy * @base: common policy * @parent: parent of namespace * @parent: parent of namespace * @lock: lock for modifying the object * @lock: lock for modifying the object Loading @@ -46,9 +46,9 @@ struct aa_ns_acct { * @uniq_id: a unique id count for the profiles in the namespace * @uniq_id: a unique id count for the profiles in the namespace * @dents: dentries for the namespaces file entries in apparmorfs * @dents: dentries for the namespaces file entries in apparmorfs * * * An aa_namespace defines the set profiles that are searched to determine * An aa_ns defines the set profiles that are searched to determine * which profile to attach to a task. Profiles can not be shared between * which profile to attach to a task. Profiles can not be shared between * aa_namespaces and profile names within a namespace are guaranteed to be * aa_nss and profile names within a namespace are guaranteed to be * unique. When profiles in separate namespaces have the same name they * unique. When profiles in separate namespaces have the same name they * are NOT considered to be equivalent. * are NOT considered to be equivalent. * * Loading @@ -57,9 +57,9 @@ struct aa_ns_acct { * * * Namespace names must be unique and can not contain the characters :/\0 * Namespace names must be unique and can not contain the characters :/\0 */ */ struct aa_namespace { struct aa_ns { struct aa_policy base; struct aa_policy base; struct aa_namespace *parent; struct aa_ns *parent; struct mutex lock; struct mutex lock; struct aa_ns_acct acct; struct aa_ns_acct acct; struct aa_profile *unconfined; struct aa_profile *unconfined; Loading @@ -70,21 +70,20 @@ struct aa_namespace { struct dentry *dents[AAFS_NS_SIZEOF]; struct dentry *dents[AAFS_NS_SIZEOF]; }; }; extern struct aa_namespace *root_ns; extern struct aa_ns *root_ns; extern const char *aa_hidden_ns_name; extern const char *aa_hidden_ns_name; bool aa_ns_visible(struct aa_namespace *curr, struct aa_namespace *view); bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view); const char *aa_ns_name(struct aa_namespace *parent, struct aa_namespace *child); const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child); void aa_free_namespace(struct aa_namespace *ns); void aa_free_ns(struct aa_ns *ns); int aa_alloc_root_ns(void); int aa_alloc_root_ns(void); void aa_free_root_ns(void); void aa_free_root_ns(void); void aa_free_namespace_kref(struct kref *kref); void aa_free_ns_kref(struct kref *kref); struct aa_namespace *aa_find_namespace(struct aa_namespace *root, struct aa_ns *aa_find_ns(struct aa_ns *root, const char *name); const char *name); struct aa_ns *aa_prepare_ns(const char *name); struct aa_namespace *aa_prepare_namespace(const char *name); void __aa_remove_ns(struct aa_ns *ns); void __aa_remove_namespace(struct aa_namespace *ns); static inline struct aa_profile *aa_deref_parent(struct aa_profile *p) static inline struct aa_profile *aa_deref_parent(struct aa_profile *p) { { Loading @@ -93,13 +92,13 @@ static inline struct aa_profile *aa_deref_parent(struct aa_profile *p) } } /** /** * aa_get_namespace - increment references count on @ns * aa_get_ns - increment references count on @ns * @ns: namespace to increment reference count of (MAYBE NULL) * @ns: namespace to increment reference count of (MAYBE NULL) * * * Returns: pointer to @ns, if @ns is NULL returns NULL * Returns: pointer to @ns, if @ns is NULL returns NULL * Requires: @ns must be held with valid refcount when called * Requires: @ns must be held with valid refcount when called */ */ static inline struct aa_namespace *aa_get_namespace(struct aa_namespace *ns) static inline struct aa_ns *aa_get_ns(struct aa_ns *ns) { { if (ns) if (ns) aa_get_profile(ns->unconfined); aa_get_profile(ns->unconfined); Loading @@ -108,19 +107,19 @@ static inline struct aa_namespace *aa_get_namespace(struct aa_namespace *ns) } } /** /** * aa_put_namespace - decrement refcount on @ns * aa_put_ns - decrement refcount on @ns * @ns: namespace to put reference of * @ns: namespace to put reference of * * * Decrement reference count of @ns and if no longer in use free it * Decrement reference count of @ns and if no longer in use free it */ */ static inline void aa_put_namespace(struct aa_namespace *ns) static inline void aa_put_ns(struct aa_ns *ns) { { if (ns) if (ns) aa_put_profile(ns->unconfined); aa_put_profile(ns->unconfined); } } /** /** * __aa_find_namespace - find a namespace on a list by @name * __aa_find_ns - find a namespace on a list by @name * @head: list to search for namespace on (NOT NULL) * @head: list to search for namespace on (NOT NULL) * @name: name of namespace to look for (NOT NULL) * @name: name of namespace to look for (NOT NULL) * * Loading @@ -128,10 +127,10 @@ static inline void aa_put_namespace(struct aa_namespace *ns) * * * Requires: rcu_read_lock be held * Requires: rcu_read_lock be held */ */ static inline struct aa_namespace *__aa_find_namespace(struct list_head *head, static inline struct aa_ns *__aa_find_ns(struct list_head *head, const char *name) const char *name) { { return (struct aa_namespace *)__policy_find(head, name); return (struct aa_ns *)__policy_find(head, name); } } #endif /* AA_NAMESPACE_H */ #endif /* AA_NAMESPACE_H */ Loading
security/apparmor/apparmorfs.c +23 −26 Original line number Original line Diff line number Diff line Loading @@ -478,9 +478,9 @@ int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) return error; return error; } } void __aa_fs_namespace_rmdir(struct aa_namespace *ns) void __aa_fs_ns_rmdir(struct aa_ns *ns) { { struct aa_namespace *sub; struct aa_ns *sub; struct aa_profile *child; struct aa_profile *child; int i; int i; Loading @@ -492,7 +492,7 @@ void __aa_fs_namespace_rmdir(struct aa_namespace *ns) list_for_each_entry(sub, &ns->sub_ns, base.list) { list_for_each_entry(sub, &ns->sub_ns, base.list) { mutex_lock(&sub->lock); mutex_lock(&sub->lock); __aa_fs_namespace_rmdir(sub); __aa_fs_ns_rmdir(sub); mutex_unlock(&sub->lock); mutex_unlock(&sub->lock); } } Loading @@ -502,10 +502,9 @@ void __aa_fs_namespace_rmdir(struct aa_namespace *ns) } } } } int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name) const char *name) { { struct aa_namespace *sub; struct aa_ns *sub; struct aa_profile *child; struct aa_profile *child; struct dentry *dent, *dir; struct dentry *dent, *dir; int error; int error; Loading Loading @@ -536,7 +535,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, list_for_each_entry(sub, &ns->sub_ns, base.list) { list_for_each_entry(sub, &ns->sub_ns, base.list) { mutex_lock(&sub->lock); mutex_lock(&sub->lock); error = __aa_fs_namespace_mkdir(sub, ns_subns_dir(ns), NULL); error = __aa_fs_ns_mkdir(sub, ns_subns_dir(ns), NULL); mutex_unlock(&sub->lock); mutex_unlock(&sub->lock); if (error) if (error) goto fail2; goto fail2; Loading @@ -548,7 +547,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, error = PTR_ERR(dent); error = PTR_ERR(dent); fail2: fail2: __aa_fs_namespace_rmdir(ns); __aa_fs_ns_rmdir(ns); return error; return error; } } Loading @@ -557,7 +556,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, #define list_entry_is_head(pos, head, member) (&pos->member == (head)) #define list_entry_is_head(pos, head, member) (&pos->member == (head)) /** /** * __next_namespace - find the next namespace to list * __next_ns - find the next namespace to list * @root: root namespace to stop search at (NOT NULL) * @root: root namespace to stop search at (NOT NULL) * @ns: current ns position (NOT NULL) * @ns: current ns position (NOT NULL) * * Loading @@ -568,10 +567,9 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, * Requires: ns->parent->lock to be held * Requires: ns->parent->lock to be held * NOTE: will not unlock root->lock * NOTE: will not unlock root->lock */ */ static struct aa_namespace *__next_namespace(struct aa_namespace *root, static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns) struct aa_namespace *ns) { { struct aa_namespace *parent, *next; struct aa_ns *parent, *next; /* is next namespace a child */ /* is next namespace a child */ if (!list_empty(&ns->sub_ns)) { if (!list_empty(&ns->sub_ns)) { Loading Loading @@ -604,10 +602,10 @@ static struct aa_namespace *__next_namespace(struct aa_namespace *root, * Returns: unrefcounted profile or NULL if no profile * Returns: unrefcounted profile or NULL if no profile * Requires: profile->ns.lock to be held * Requires: profile->ns.lock to be held */ */ static struct aa_profile *__first_profile(struct aa_namespace *root, static struct aa_profile *__first_profile(struct aa_ns *root, struct aa_namespace *ns) struct aa_ns *ns) { { for (; ns; ns = __next_namespace(root, ns)) { for (; ns; ns = __next_ns(root, ns)) { if (!list_empty(&ns->base.profiles)) if (!list_empty(&ns->base.profiles)) return list_first_entry(&ns->base.profiles, return list_first_entry(&ns->base.profiles, struct aa_profile, base.list); struct aa_profile, base.list); Loading @@ -627,7 +625,7 @@ static struct aa_profile *__first_profile(struct aa_namespace *root, static struct aa_profile *__next_profile(struct aa_profile *p) static struct aa_profile *__next_profile(struct aa_profile *p) { { struct aa_profile *parent; struct aa_profile *parent; struct aa_namespace *ns = p->ns; struct aa_ns *ns = p->ns; /* is next profile a child */ /* is next profile a child */ if (!list_empty(&p->base.profiles)) if (!list_empty(&p->base.profiles)) Loading Loading @@ -661,7 +659,7 @@ static struct aa_profile *__next_profile(struct aa_profile *p) * * * Returns: next profile or NULL if there isn't one * Returns: next profile or NULL if there isn't one */ */ static struct aa_profile *next_profile(struct aa_namespace *root, static struct aa_profile *next_profile(struct aa_ns *root, struct aa_profile *profile) struct aa_profile *profile) { { struct aa_profile *next = __next_profile(profile); struct aa_profile *next = __next_profile(profile); Loading @@ -669,7 +667,7 @@ static struct aa_profile *next_profile(struct aa_namespace *root, return next; return next; /* finished all profiles in namespace move to next namespace */ /* finished all profiles in namespace move to next namespace */ return __first_profile(root, __next_namespace(root, profile->ns)); return __first_profile(root, __next_ns(root, profile->ns)); } } /** /** Loading @@ -684,9 +682,9 @@ static struct aa_profile *next_profile(struct aa_namespace *root, static void *p_start(struct seq_file *f, loff_t *pos) static void *p_start(struct seq_file *f, loff_t *pos) { { struct aa_profile *profile = NULL; struct aa_profile *profile = NULL; struct aa_namespace *root = aa_current_profile()->ns; struct aa_ns *root = aa_current_profile()->ns; loff_t l = *pos; loff_t l = *pos; f->private = aa_get_namespace(root); f->private = aa_get_ns(root); /* find the first profile */ /* find the first profile */ Loading @@ -713,7 +711,7 @@ static void *p_start(struct seq_file *f, loff_t *pos) static void *p_next(struct seq_file *f, void *p, loff_t *pos) static void *p_next(struct seq_file *f, void *p, loff_t *pos) { { struct aa_profile *profile = p; struct aa_profile *profile = p; struct aa_namespace *ns = f->private; struct aa_ns *ns = f->private; (*pos)++; (*pos)++; return next_profile(ns, profile); return next_profile(ns, profile); Loading @@ -729,14 +727,14 @@ static void *p_next(struct seq_file *f, void *p, loff_t *pos) static void p_stop(struct seq_file *f, void *p) static void p_stop(struct seq_file *f, void *p) { { struct aa_profile *profile = p; struct aa_profile *profile = p; struct aa_namespace *root = f->private, *ns; struct aa_ns *root = f->private, *ns; if (profile) { if (profile) { for (ns = profile->ns; ns && ns != root; ns = ns->parent) for (ns = profile->ns; ns && ns != root; ns = ns->parent) mutex_unlock(&ns->lock); mutex_unlock(&ns->lock); } } mutex_unlock(&root->lock); mutex_unlock(&root->lock); aa_put_namespace(root); aa_put_ns(root); } } /** /** Loading @@ -749,7 +747,7 @@ static void p_stop(struct seq_file *f, void *p) static int seq_show_profile(struct seq_file *f, void *p) static int seq_show_profile(struct seq_file *f, void *p) { { struct aa_profile *profile = (struct aa_profile *)p; struct aa_profile *profile = (struct aa_profile *)p; struct aa_namespace *root = f->private; struct aa_ns *root = f->private; if (profile->ns != root) if (profile->ns != root) seq_printf(f, ":%s://", aa_ns_name(root, profile->ns)); seq_printf(f, ":%s://", aa_ns_name(root, profile->ns)); Loading Loading @@ -951,8 +949,7 @@ static int __init aa_create_aafs(void) if (error) if (error) goto error; goto error; error = __aa_fs_namespace_mkdir(root_ns, aa_fs_entry.dentry, error = __aa_fs_ns_mkdir(root_ns, aa_fs_entry.dentry, "policy"); "policy"); if (error) if (error) goto error; goto error; Loading
security/apparmor/domain.c +12 −12 Original line number Original line Diff line number Diff line Loading @@ -94,7 +94,7 @@ static int may_change_ptraced_domain(struct aa_profile *to_profile) * Returns: permission set * Returns: permission set */ */ static struct file_perms change_profile_perms(struct aa_profile *profile, static struct file_perms change_profile_perms(struct aa_profile *profile, struct aa_namespace *ns, struct aa_ns *ns, const char *name, u32 request, const char *name, u32 request, unsigned int start) unsigned int start) { { Loading Loading @@ -171,7 +171,7 @@ static struct aa_profile *__attach_match(const char *name, * * * Returns: profile or NULL if no match found * Returns: profile or NULL if no match found */ */ static struct aa_profile *find_attach(struct aa_namespace *ns, static struct aa_profile *find_attach(struct aa_ns *ns, struct list_head *list, const char *name) struct list_head *list, const char *name) { { struct aa_profile *profile; struct aa_profile *profile; Loading Loading @@ -240,7 +240,7 @@ static const char *next_name(int xtype, const char *name) static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) { { struct aa_profile *new_profile = NULL; struct aa_profile *new_profile = NULL; struct aa_namespace *ns = profile->ns; struct aa_ns *ns = profile->ns; u32 xtype = xindex & AA_X_TYPE_MASK; u32 xtype = xindex & AA_X_TYPE_MASK; int index = xindex & AA_X_INDEX_MASK; int index = xindex & AA_X_INDEX_MASK; const char *name; const char *name; Loading @@ -248,7 +248,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) /* index is guaranteed to be in range, validated at load time */ /* index is guaranteed to be in range, validated at load time */ for (name = profile->file.trans.table[index]; !new_profile && name; for (name = profile->file.trans.table[index]; !new_profile && name; name = next_name(xtype, name)) { name = next_name(xtype, name)) { struct aa_namespace *new_ns; struct aa_ns *new_ns; const char *xname = NULL; const char *xname = NULL; new_ns = NULL; new_ns = NULL; Loading @@ -268,7 +268,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) ; ; } } /* released below */ /* released below */ new_ns = aa_find_namespace(ns, ns_name); new_ns = aa_find_ns(ns, ns_name); if (!new_ns) if (!new_ns) continue; continue; } else if (*name == '@') { } else if (*name == '@') { Loading @@ -281,7 +281,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) /* released by caller */ /* released by caller */ new_profile = aa_lookup_profile(new_ns ? new_ns : ns, xname); new_profile = aa_lookup_profile(new_ns ? new_ns : ns, xname); aa_put_namespace(new_ns); aa_put_ns(new_ns); } } /* released by caller */ /* released by caller */ Loading @@ -302,7 +302,7 @@ static struct aa_profile *x_to_profile(struct aa_profile *profile, const char *name, u32 xindex) const char *name, u32 xindex) { { struct aa_profile *new_profile = NULL; struct aa_profile *new_profile = NULL; struct aa_namespace *ns = profile->ns; struct aa_ns *ns = profile->ns; u32 xtype = xindex & AA_X_TYPE_MASK; u32 xtype = xindex & AA_X_TYPE_MASK; switch (xtype) { switch (xtype) { Loading Loading @@ -339,7 +339,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) { { struct aa_task_cxt *cxt; struct aa_task_cxt *cxt; struct aa_profile *profile, *new_profile = NULL; struct aa_profile *profile, *new_profile = NULL; struct aa_namespace *ns; struct aa_ns *ns; char *buffer = NULL; char *buffer = NULL; unsigned int state; unsigned int state; struct file_perms perms = {}; struct file_perms perms = {}; Loading Loading @@ -746,7 +746,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, { { const struct cred *cred; const struct cred *cred; struct aa_profile *profile, *target = NULL; struct aa_profile *profile, *target = NULL; struct aa_namespace *ns = NULL; struct aa_ns *ns = NULL; struct file_perms perms = {}; struct file_perms perms = {}; const char *name = NULL, *info = NULL; const char *name = NULL, *info = NULL; int op, error = 0; int op, error = 0; Loading Loading @@ -780,7 +780,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, if (ns_name) { if (ns_name) { /* released below */ /* released below */ ns = aa_find_namespace(profile->ns, ns_name); ns = aa_find_ns(profile->ns, ns_name); if (!ns) { if (!ns) { /* we don't create new namespace in complain mode */ /* we don't create new namespace in complain mode */ name = ns_name; name = ns_name; Loading @@ -790,7 +790,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, } } } else } else /* released below */ /* released below */ ns = aa_get_namespace(profile->ns); ns = aa_get_ns(profile->ns); /* if the name was not specified, use the name of the current profile */ /* if the name was not specified, use the name of the current profile */ if (!hname) { if (!hname) { Loading Loading @@ -843,7 +843,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request, error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request, name, hname, GLOBAL_ROOT_UID, info, error); name, hname, GLOBAL_ROOT_UID, info, error); aa_put_namespace(ns); aa_put_ns(ns); aa_put_profile(target); aa_put_profile(target); put_cred(cred); put_cred(cred); Loading
security/apparmor/include/apparmorfs.h +4 −4 Original line number Original line Diff line number Diff line Loading @@ -62,7 +62,7 @@ extern const struct file_operations aa_fs_seq_file_ops; extern void __init aa_destroy_aafs(void); extern void __init aa_destroy_aafs(void); struct aa_profile; struct aa_profile; struct aa_namespace; struct aa_ns; enum aafs_ns_type { enum aafs_ns_type { AAFS_NS_DIR, AAFS_NS_DIR, Loading Loading @@ -97,8 +97,8 @@ void __aa_fs_profile_rmdir(struct aa_profile *profile); void __aa_fs_profile_migrate_dents(struct aa_profile *old, void __aa_fs_profile_migrate_dents(struct aa_profile *old, struct aa_profile *new); struct aa_profile *new); int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent); int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent); void __aa_fs_namespace_rmdir(struct aa_namespace *ns); void __aa_fs_ns_rmdir(struct aa_ns *ns); int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name); const char *name); #endif /* __AA_APPARMORFS_H */ #endif /* __AA_APPARMORFS_H */
security/apparmor/include/policy.h +4 −4 Original line number Original line Diff line number Diff line Loading @@ -31,7 +31,7 @@ #include "resource.h" #include "resource.h" struct aa_namespace; struct aa_ns; extern const char *const aa_profile_mode_names[]; extern const char *const aa_profile_mode_names[]; #define APPARMOR_MODE_NAMES_MAX_INDEX 4 #define APPARMOR_MODE_NAMES_MAX_INDEX 4 Loading Loading @@ -141,7 +141,7 @@ struct aa_profile { struct rcu_head rcu; struct rcu_head rcu; struct aa_profile __rcu *parent; struct aa_profile __rcu *parent; struct aa_namespace *ns; struct aa_ns *ns; struct aa_replacedby *replacedby; struct aa_replacedby *replacedby; const char *rename; const char *rename; Loading Loading @@ -177,8 +177,8 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat); void aa_free_profile(struct aa_profile *profile); void aa_free_profile(struct aa_profile *profile); void aa_free_profile_kref(struct kref *kref); void aa_free_profile_kref(struct kref *kref); struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name); struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name); struct aa_profile *aa_lookup_profile(struct aa_namespace *ns, const char *name); struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *name); struct aa_profile *aa_match_profile(struct aa_namespace *ns, const char *name); struct aa_profile *aa_match_profile(struct aa_ns *ns, const char *name); ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace); ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace); ssize_t aa_remove_profiles(char *name, size_t size); ssize_t aa_remove_profiles(char *name, size_t size); Loading
security/apparmor/include/policy_ns.h +21 −22 Original line number Original line Diff line number Diff line Loading @@ -35,7 +35,7 @@ struct aa_ns_acct { int count; int count; }; }; /* struct aa_namespace - namespace for a set of profiles /* struct aa_ns - namespace for a set of profiles * @base: common policy * @base: common policy * @parent: parent of namespace * @parent: parent of namespace * @lock: lock for modifying the object * @lock: lock for modifying the object Loading @@ -46,9 +46,9 @@ struct aa_ns_acct { * @uniq_id: a unique id count for the profiles in the namespace * @uniq_id: a unique id count for the profiles in the namespace * @dents: dentries for the namespaces file entries in apparmorfs * @dents: dentries for the namespaces file entries in apparmorfs * * * An aa_namespace defines the set profiles that are searched to determine * An aa_ns defines the set profiles that are searched to determine * which profile to attach to a task. Profiles can not be shared between * which profile to attach to a task. Profiles can not be shared between * aa_namespaces and profile names within a namespace are guaranteed to be * aa_nss and profile names within a namespace are guaranteed to be * unique. When profiles in separate namespaces have the same name they * unique. When profiles in separate namespaces have the same name they * are NOT considered to be equivalent. * are NOT considered to be equivalent. * * Loading @@ -57,9 +57,9 @@ struct aa_ns_acct { * * * Namespace names must be unique and can not contain the characters :/\0 * Namespace names must be unique and can not contain the characters :/\0 */ */ struct aa_namespace { struct aa_ns { struct aa_policy base; struct aa_policy base; struct aa_namespace *parent; struct aa_ns *parent; struct mutex lock; struct mutex lock; struct aa_ns_acct acct; struct aa_ns_acct acct; struct aa_profile *unconfined; struct aa_profile *unconfined; Loading @@ -70,21 +70,20 @@ struct aa_namespace { struct dentry *dents[AAFS_NS_SIZEOF]; struct dentry *dents[AAFS_NS_SIZEOF]; }; }; extern struct aa_namespace *root_ns; extern struct aa_ns *root_ns; extern const char *aa_hidden_ns_name; extern const char *aa_hidden_ns_name; bool aa_ns_visible(struct aa_namespace *curr, struct aa_namespace *view); bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view); const char *aa_ns_name(struct aa_namespace *parent, struct aa_namespace *child); const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child); void aa_free_namespace(struct aa_namespace *ns); void aa_free_ns(struct aa_ns *ns); int aa_alloc_root_ns(void); int aa_alloc_root_ns(void); void aa_free_root_ns(void); void aa_free_root_ns(void); void aa_free_namespace_kref(struct kref *kref); void aa_free_ns_kref(struct kref *kref); struct aa_namespace *aa_find_namespace(struct aa_namespace *root, struct aa_ns *aa_find_ns(struct aa_ns *root, const char *name); const char *name); struct aa_ns *aa_prepare_ns(const char *name); struct aa_namespace *aa_prepare_namespace(const char *name); void __aa_remove_ns(struct aa_ns *ns); void __aa_remove_namespace(struct aa_namespace *ns); static inline struct aa_profile *aa_deref_parent(struct aa_profile *p) static inline struct aa_profile *aa_deref_parent(struct aa_profile *p) { { Loading @@ -93,13 +92,13 @@ static inline struct aa_profile *aa_deref_parent(struct aa_profile *p) } } /** /** * aa_get_namespace - increment references count on @ns * aa_get_ns - increment references count on @ns * @ns: namespace to increment reference count of (MAYBE NULL) * @ns: namespace to increment reference count of (MAYBE NULL) * * * Returns: pointer to @ns, if @ns is NULL returns NULL * Returns: pointer to @ns, if @ns is NULL returns NULL * Requires: @ns must be held with valid refcount when called * Requires: @ns must be held with valid refcount when called */ */ static inline struct aa_namespace *aa_get_namespace(struct aa_namespace *ns) static inline struct aa_ns *aa_get_ns(struct aa_ns *ns) { { if (ns) if (ns) aa_get_profile(ns->unconfined); aa_get_profile(ns->unconfined); Loading @@ -108,19 +107,19 @@ static inline struct aa_namespace *aa_get_namespace(struct aa_namespace *ns) } } /** /** * aa_put_namespace - decrement refcount on @ns * aa_put_ns - decrement refcount on @ns * @ns: namespace to put reference of * @ns: namespace to put reference of * * * Decrement reference count of @ns and if no longer in use free it * Decrement reference count of @ns and if no longer in use free it */ */ static inline void aa_put_namespace(struct aa_namespace *ns) static inline void aa_put_ns(struct aa_ns *ns) { { if (ns) if (ns) aa_put_profile(ns->unconfined); aa_put_profile(ns->unconfined); } } /** /** * __aa_find_namespace - find a namespace on a list by @name * __aa_find_ns - find a namespace on a list by @name * @head: list to search for namespace on (NOT NULL) * @head: list to search for namespace on (NOT NULL) * @name: name of namespace to look for (NOT NULL) * @name: name of namespace to look for (NOT NULL) * * Loading @@ -128,10 +127,10 @@ static inline void aa_put_namespace(struct aa_namespace *ns) * * * Requires: rcu_read_lock be held * Requires: rcu_read_lock be held */ */ static inline struct aa_namespace *__aa_find_namespace(struct list_head *head, static inline struct aa_ns *__aa_find_ns(struct list_head *head, const char *name) const char *name) { { return (struct aa_namespace *)__policy_find(head, name); return (struct aa_ns *)__policy_find(head, name); } } #endif /* AA_NAMESPACE_H */ #endif /* AA_NAMESPACE_H */
John Johansen <john.johansen@canonical.com>John Johansen <john.johansen@canonical.com>