Loading security/apparmor/apparmorfs.c +23 −26 Original line number Diff line number Diff line Loading @@ -478,9 +478,9 @@ int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) return error; } void __aa_fs_namespace_rmdir(struct aa_namespace *ns) void __aa_fs_ns_rmdir(struct aa_ns *ns) { struct aa_namespace *sub; struct aa_ns *sub; struct aa_profile *child; int i; Loading @@ -492,7 +492,7 @@ void __aa_fs_namespace_rmdir(struct aa_namespace *ns) list_for_each_entry(sub, &ns->sub_ns, base.list) { mutex_lock(&sub->lock); __aa_fs_namespace_rmdir(sub); __aa_fs_ns_rmdir(sub); mutex_unlock(&sub->lock); } Loading @@ -502,10 +502,9 @@ void __aa_fs_namespace_rmdir(struct aa_namespace *ns) } } int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, const char *name) int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name) { struct aa_namespace *sub; struct aa_ns *sub; struct aa_profile *child; struct dentry *dent, *dir; int error; Loading Loading @@ -536,7 +535,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, list_for_each_entry(sub, &ns->sub_ns, base.list) { mutex_lock(&sub->lock); error = __aa_fs_namespace_mkdir(sub, ns_subns_dir(ns), NULL); error = __aa_fs_ns_mkdir(sub, ns_subns_dir(ns), NULL); mutex_unlock(&sub->lock); if (error) goto fail2; Loading @@ -548,7 +547,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, error = PTR_ERR(dent); fail2: __aa_fs_namespace_rmdir(ns); __aa_fs_ns_rmdir(ns); return error; } Loading @@ -557,7 +556,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, #define list_entry_is_head(pos, head, member) (&pos->member == (head)) /** * __next_namespace - find the next namespace to list * __next_ns - find the next namespace to list * @root: root namespace to stop search at (NOT NULL) * @ns: current ns position (NOT NULL) * Loading 
@@ -568,10 +567,9 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, * Requires: ns->parent->lock to be held * NOTE: will not unlock root->lock */ static struct aa_namespace *__next_namespace(struct aa_namespace *root, struct aa_namespace *ns) static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns) { struct aa_namespace *parent, *next; struct aa_ns *parent, *next; /* is next namespace a child */ if (!list_empty(&ns->sub_ns)) { Loading Loading @@ -604,10 +602,10 @@ static struct aa_namespace *__next_namespace(struct aa_namespace *root, * Returns: unrefcounted profile or NULL if no profile * Requires: profile->ns.lock to be held */ static struct aa_profile *__first_profile(struct aa_namespace *root, struct aa_namespace *ns) static struct aa_profile *__first_profile(struct aa_ns *root, struct aa_ns *ns) { for (; ns; ns = __next_namespace(root, ns)) { for (; ns; ns = __next_ns(root, ns)) { if (!list_empty(&ns->base.profiles)) return list_first_entry(&ns->base.profiles, struct aa_profile, base.list); Loading @@ -627,7 +625,7 @@ static struct aa_profile *__first_profile(struct aa_namespace *root, static struct aa_profile *__next_profile(struct aa_profile *p) { struct aa_profile *parent; struct aa_namespace *ns = p->ns; struct aa_ns *ns = p->ns; /* is next profile a child */ if (!list_empty(&p->base.profiles)) Loading Loading @@ -661,7 +659,7 @@ static struct aa_profile *__next_profile(struct aa_profile *p) * * Returns: next profile or NULL if there isn't one */ static struct aa_profile *next_profile(struct aa_namespace *root, static struct aa_profile *next_profile(struct aa_ns *root, struct aa_profile *profile) { struct aa_profile *next = __next_profile(profile); Loading 
@@ -669,7 +667,7 @@ static struct aa_profile *next_profile(struct aa_namespace *root, return next; /* finished all profiles in namespace move to next namespace */ return __first_profile(root, __next_namespace(root, profile->ns)); return __first_profile(root, __next_ns(root, profile->ns)); } /** Loading @@ -684,9 +682,9 @@ static struct aa_profile *next_profile(struct aa_namespace *root, static void *p_start(struct seq_file *f, loff_t *pos) { struct aa_profile *profile = NULL; struct aa_namespace *root = aa_current_profile()->ns; struct aa_ns *root = aa_current_profile()->ns; loff_t l = *pos; f->private = aa_get_namespace(root); f->private = aa_get_ns(root); /* find the first profile */ Loading @@ -713,7 +711,7 @@ static void *p_start(struct seq_file *f, loff_t *pos) static void *p_next(struct seq_file *f, void *p, loff_t *pos) { struct aa_profile *profile = p; struct aa_namespace *ns = f->private; struct aa_ns *ns = f->private; (*pos)++; return next_profile(ns, profile); Loading @@ -729,14 +727,14 @@ static void *p_next(struct seq_file *f, void *p, loff_t *pos) static void p_stop(struct seq_file *f, void *p) { struct aa_profile *profile = p; struct aa_namespace *root = f->private, *ns; struct aa_ns *root = f->private, *ns; if (profile) { for (ns = profile->ns; ns && ns != root; ns = ns->parent) mutex_unlock(&ns->lock); } mutex_unlock(&root->lock); aa_put_namespace(root); aa_put_ns(root); } /** Loading @@ -749,7 +747,7 @@ static void p_stop(struct seq_file *f, void *p) static int seq_show_profile(struct seq_file *f, void *p) { struct aa_profile *profile = (struct aa_profile *)p; struct aa_namespace *root = f->private; struct aa_ns *root = f->private; if (profile->ns != root) seq_printf(f, ":%s://", aa_ns_name(root, profile->ns)); Loading Loading 
@@ -951,8 +949,7 @@ static int __init aa_create_aafs(void) if (error) goto error; error = __aa_fs_namespace_mkdir(root_ns, aa_fs_entry.dentry, "policy"); error = __aa_fs_ns_mkdir(root_ns, aa_fs_entry.dentry, "policy"); if (error) goto error; Loading security/apparmor/domain.c +12 −12 Original line number Diff line number Diff line Loading @@ -94,7 +94,7 @@ static int may_change_ptraced_domain(struct aa_profile *to_profile) * Returns: permission set */ static struct file_perms change_profile_perms(struct aa_profile *profile, struct aa_namespace *ns, struct aa_ns *ns, const char *name, u32 request, unsigned int start) { Loading Loading @@ -171,7 +171,7 @@ static struct aa_profile *__attach_match(const char *name, * * Returns: profile or NULL if no match found */ static struct aa_profile *find_attach(struct aa_namespace *ns, static struct aa_profile *find_attach(struct aa_ns *ns, struct list_head *list, const char *name) { struct aa_profile *profile; Loading Loading @@ -240,7 +240,7 @@ static const char *next_name(int xtype, const char *name) static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) { struct aa_profile *new_profile = NULL; struct aa_namespace *ns = profile->ns; struct aa_ns *ns = profile->ns; u32 xtype = xindex & AA_X_TYPE_MASK; int index = xindex & AA_X_INDEX_MASK; const char *name; Loading @@ -248,7 +248,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) /* index is guaranteed to be in range, validated at load time */ for (name = profile->file.trans.table[index]; !new_profile && name; name = next_name(xtype, name)) { struct aa_namespace *new_ns; struct aa_ns *new_ns; const char *xname = NULL; new_ns = NULL; Loading @@ -268,7 +268,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) ; } /* released below */ new_ns = aa_find_namespace(ns, ns_name); new_ns = aa_find_ns(ns, ns_name); if (!new_ns) continue; } else if (*name == '@') { Loading 
@@ -281,7 +281,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) /* released by caller */ new_profile = aa_lookup_profile(new_ns ? new_ns : ns, xname); aa_put_namespace(new_ns); aa_put_ns(new_ns); } /* released by caller */ Loading @@ -302,7 +302,7 @@ static struct aa_profile *x_to_profile(struct aa_profile *profile, const char *name, u32 xindex) { struct aa_profile *new_profile = NULL; struct aa_namespace *ns = profile->ns; struct aa_ns *ns = profile->ns; u32 xtype = xindex & AA_X_TYPE_MASK; switch (xtype) { Loading Loading @@ -339,7 +339,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) { struct aa_task_cxt *cxt; struct aa_profile *profile, *new_profile = NULL; struct aa_namespace *ns; struct aa_ns *ns; char *buffer = NULL; unsigned int state; struct file_perms perms = {}; Loading Loading @@ -746,7 +746,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, { const struct cred *cred; struct aa_profile *profile, *target = NULL; struct aa_namespace *ns = NULL; struct aa_ns *ns = NULL; struct file_perms perms = {}; const char *name = NULL, *info = NULL; int op, error = 0; Loading Loading @@ -780,7 +780,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, if (ns_name) { /* released below */ ns = aa_find_namespace(profile->ns, ns_name); ns = aa_find_ns(profile->ns, ns_name); if (!ns) { /* we don't create new namespace in complain mode */ name = ns_name; Loading @@ -790,7 +790,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, } } else /* released below */ ns = aa_get_namespace(profile->ns); ns = aa_get_ns(profile->ns); /* if the name was not specified, use the name of the current profile */ if (!hname) { Loading Loading 
@@ -843,7 +843,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request, name, hname, GLOBAL_ROOT_UID, info, error); aa_put_namespace(ns); aa_put_ns(ns); aa_put_profile(target); put_cred(cred); Loading security/apparmor/include/apparmorfs.h +4 −4 Original line number Diff line number Diff line Loading @@ -62,7 +62,7 @@ extern const struct file_operations aa_fs_seq_file_ops; extern void __init aa_destroy_aafs(void); struct aa_profile; struct aa_namespace; struct aa_ns; enum aafs_ns_type { AAFS_NS_DIR, Loading Loading @@ -97,8 +97,8 @@ void __aa_fs_profile_rmdir(struct aa_profile *profile); void __aa_fs_profile_migrate_dents(struct aa_profile *old, struct aa_profile *new); int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent); void __aa_fs_namespace_rmdir(struct aa_namespace *ns); int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, void __aa_fs_ns_rmdir(struct aa_ns *ns); int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name); #endif /* __AA_APPARMORFS_H */ security/apparmor/include/policy.h +4 −4 Original line number Diff line number Diff line Loading @@ -31,7 +31,7 @@ #include "resource.h" struct aa_namespace; struct aa_ns; extern const char *const aa_profile_mode_names[]; #define APPARMOR_MODE_NAMES_MAX_INDEX 4 Loading Loading @@ -141,7 +141,7 @@ struct aa_profile { struct rcu_head rcu; struct aa_profile __rcu *parent; struct aa_namespace *ns; struct aa_ns *ns; struct aa_replacedby *replacedby; const char *rename; Loading Loading 
@@ -177,8 +177,8 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat); void aa_free_profile(struct aa_profile *profile); void aa_free_profile_kref(struct kref *kref); struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name); struct aa_profile *aa_lookup_profile(struct aa_namespace *ns, const char *name); struct aa_profile *aa_match_profile(struct aa_namespace *ns, const char *name); struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *name); struct aa_profile *aa_match_profile(struct aa_ns *ns, const char *name); ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace); ssize_t aa_remove_profiles(char *name, size_t size); Loading security/apparmor/include/policy_ns.h +21 −22 Original line number Diff line number Diff line Loading @@ -35,7 +35,7 @@ struct aa_ns_acct { int count; }; /* struct aa_namespace - namespace for a set of profiles /* struct aa_ns - namespace for a set of profiles * @base: common policy * @parent: parent of namespace * @lock: lock for modifying the object Loading @@ -46,9 +46,9 @@ struct aa_ns_acct { * @uniq_id: a unique id count for the profiles in the namespace * @dents: dentries for the namespaces file entries in apparmorfs * * An aa_namespace defines the set profiles that are searched to determine * An aa_ns defines the set profiles that are searched to determine * which profile to attach to a task. Profiles can not be shared between * aa_namespaces and profile names within a namespace are guaranteed to be * aa_nss and profile names within a namespace are guaranteed to be * unique. When profiles in separate namespaces have the same name they * are NOT considered to be equivalent. * Loading 
@@ -57,9 +57,9 @@ struct aa_ns_acct { * * Namespace names must be unique and can not contain the characters :/\0 */ struct aa_namespace { struct aa_ns { struct aa_policy base; struct aa_namespace *parent; struct aa_ns *parent; struct mutex lock; struct aa_ns_acct acct; struct aa_profile *unconfined; Loading @@ -70,21 +70,20 @@ struct aa_namespace { struct dentry *dents[AAFS_NS_SIZEOF]; }; extern struct aa_namespace *root_ns; extern struct aa_ns *root_ns; extern const char *aa_hidden_ns_name; bool aa_ns_visible(struct aa_namespace *curr, struct aa_namespace *view); const char *aa_ns_name(struct aa_namespace *parent, struct aa_namespace *child); void aa_free_namespace(struct aa_namespace *ns); bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view); const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child); void aa_free_ns(struct aa_ns *ns); int aa_alloc_root_ns(void); void aa_free_root_ns(void); void aa_free_namespace_kref(struct kref *kref); void aa_free_ns_kref(struct kref *kref); struct aa_namespace *aa_find_namespace(struct aa_namespace *root, const char *name); struct aa_namespace *aa_prepare_namespace(const char *name); void __aa_remove_namespace(struct aa_namespace *ns); struct aa_ns *aa_find_ns(struct aa_ns *root, const char *name); struct aa_ns *aa_prepare_ns(const char *name); void __aa_remove_ns(struct aa_ns *ns); static inline struct aa_profile *aa_deref_parent(struct aa_profile *p) { Loading 
@@ -93,13 +92,13 @@ static inline struct aa_profile *aa_deref_parent(struct aa_profile *p) } /** * aa_get_namespace - increment references count on @ns * aa_get_ns - increment references count on @ns * @ns: namespace to increment reference count of (MAYBE NULL) * * Returns: pointer to @ns, if @ns is NULL returns NULL * Requires: @ns must be held with valid refcount when called */ static inline struct aa_namespace *aa_get_namespace(struct aa_namespace *ns) static inline struct aa_ns *aa_get_ns(struct aa_ns *ns) { if (ns) aa_get_profile(ns->unconfined); Loading @@ -108,19 +107,19 @@ static inline struct aa_namespace *aa_get_namespace(struct aa_namespace *ns) } /** * aa_put_namespace - decrement refcount on @ns * aa_put_ns - decrement refcount on @ns * @ns: namespace to put reference of * * Decrement reference count of @ns and if no longer in use free it */ static inline void aa_put_namespace(struct aa_namespace *ns) static inline void aa_put_ns(struct aa_ns *ns) { if (ns) aa_put_profile(ns->unconfined); } /** * __aa_find_namespace - find a namespace on a list by @name * __aa_find_ns - find a namespace on a list by @name * @head: list to search for namespace on (NOT NULL) * @name: name of namespace to look for (NOT NULL) * Loading @@ -128,10 +127,10 @@ static inline void aa_put_namespace(struct aa_namespace *ns) * * Requires: rcu_read_lock be held */ static inline struct aa_namespace *__aa_find_namespace(struct list_head *head, static inline struct aa_ns *__aa_find_ns(struct list_head *head, const char *name) { return (struct aa_namespace *)__policy_find(head, name); return (struct aa_ns *)__policy_find(head, name); } #endif /* AA_NAMESPACE_H */ Loading
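Review bot: The mechanical rename leaves an awkward plural in the `struct aa_ns` kernel-doc in policy_ns.h — "Profiles can not be shared between aa_nss" — which reads as a typo to anyone who did not see the s/aa_namespace/aa_ns/ pass. Spelling the word out keeps the prose readable: `* namespaces and profile names within a namespace are guaranteed to be`. The same block already describes the type as "namespace for a set of profiles", so the plain term is established there; while touching it, note the block still opens with `/*` rather than `/**`, so kernel-doc will not pick up the `@field` descriptions (pre-existing, not introduced here).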
security/apparmor/apparmorfs.c +23 −26 Original line number Diff line number Diff line Loading @@ -478,9 +478,9 @@ int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) return error; } void __aa_fs_namespace_rmdir(struct aa_namespace *ns) void __aa_fs_ns_rmdir(struct aa_ns *ns) { struct aa_namespace *sub; struct aa_ns *sub; struct aa_profile *child; int i; Loading @@ -492,7 +492,7 @@ void __aa_fs_namespace_rmdir(struct aa_namespace *ns) list_for_each_entry(sub, &ns->sub_ns, base.list) { mutex_lock(&sub->lock); __aa_fs_namespace_rmdir(sub); __aa_fs_ns_rmdir(sub); mutex_unlock(&sub->lock); } Loading @@ -502,10 +502,9 @@ void __aa_fs_namespace_rmdir(struct aa_namespace *ns) } } int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, const char *name) int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name) { struct aa_namespace *sub; struct aa_ns *sub; struct aa_profile *child; struct dentry *dent, *dir; int error; Loading Loading @@ -536,7 +535,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, list_for_each_entry(sub, &ns->sub_ns, base.list) { mutex_lock(&sub->lock); error = __aa_fs_namespace_mkdir(sub, ns_subns_dir(ns), NULL); error = __aa_fs_ns_mkdir(sub, ns_subns_dir(ns), NULL); mutex_unlock(&sub->lock); if (error) goto fail2; Loading @@ -548,7 +547,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, error = PTR_ERR(dent); fail2: __aa_fs_namespace_rmdir(ns); __aa_fs_ns_rmdir(ns); return error; } Loading @@ -557,7 +556,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, #define list_entry_is_head(pos, head, member) (&pos->member == (head)) /** * __next_namespace - find the next namespace to list * __next_ns - find the next namespace to list * @root: root namespace to stop search at (NOT NULL) * @ns: current ns position (NOT NULL) * Loading 
@@ -568,10 +567,9 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, * Requires: ns->parent->lock to be held * NOTE: will not unlock root->lock */ static struct aa_namespace *__next_namespace(struct aa_namespace *root, struct aa_namespace *ns) static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns) { struct aa_namespace *parent, *next; struct aa_ns *parent, *next; /* is next namespace a child */ if (!list_empty(&ns->sub_ns)) { Loading Loading @@ -604,10 +602,10 @@ static struct aa_namespace *__next_namespace(struct aa_namespace *root, * Returns: unrefcounted profile or NULL if no profile * Requires: profile->ns.lock to be held */ static struct aa_profile *__first_profile(struct aa_namespace *root, struct aa_namespace *ns) static struct aa_profile *__first_profile(struct aa_ns *root, struct aa_ns *ns) { for (; ns; ns = __next_namespace(root, ns)) { for (; ns; ns = __next_ns(root, ns)) { if (!list_empty(&ns->base.profiles)) return list_first_entry(&ns->base.profiles, struct aa_profile, base.list); Loading @@ -627,7 +625,7 @@ static struct aa_profile *__first_profile(struct aa_namespace *root, static struct aa_profile *__next_profile(struct aa_profile *p) { struct aa_profile *parent; struct aa_namespace *ns = p->ns; struct aa_ns *ns = p->ns; /* is next profile a child */ if (!list_empty(&p->base.profiles)) Loading Loading @@ -661,7 +659,7 @@ static struct aa_profile *__next_profile(struct aa_profile *p) * * Returns: next profile or NULL if there isn't one */ static struct aa_profile *next_profile(struct aa_namespace *root, static struct aa_profile *next_profile(struct aa_ns *root, struct aa_profile *profile) { struct aa_profile *next = __next_profile(profile); Loading 
@@ -669,7 +667,7 @@ static struct aa_profile *next_profile(struct aa_namespace *root, return next; /* finished all profiles in namespace move to next namespace */ return __first_profile(root, __next_namespace(root, profile->ns)); return __first_profile(root, __next_ns(root, profile->ns)); } /** Loading @@ -684,9 +682,9 @@ static struct aa_profile *next_profile(struct aa_namespace *root, static void *p_start(struct seq_file *f, loff_t *pos) { struct aa_profile *profile = NULL; struct aa_namespace *root = aa_current_profile()->ns; struct aa_ns *root = aa_current_profile()->ns; loff_t l = *pos; f->private = aa_get_namespace(root); f->private = aa_get_ns(root); /* find the first profile */ Loading @@ -713,7 +711,7 @@ static void *p_start(struct seq_file *f, loff_t *pos) static void *p_next(struct seq_file *f, void *p, loff_t *pos) { struct aa_profile *profile = p; struct aa_namespace *ns = f->private; struct aa_ns *ns = f->private; (*pos)++; return next_profile(ns, profile); Loading @@ -729,14 +727,14 @@ static void *p_next(struct seq_file *f, void *p, loff_t *pos) static void p_stop(struct seq_file *f, void *p) { struct aa_profile *profile = p; struct aa_namespace *root = f->private, *ns; struct aa_ns *root = f->private, *ns; if (profile) { for (ns = profile->ns; ns && ns != root; ns = ns->parent) mutex_unlock(&ns->lock); } mutex_unlock(&root->lock); aa_put_namespace(root); aa_put_ns(root); } /** Loading @@ -749,7 +747,7 @@ static void p_stop(struct seq_file *f, void *p) static int seq_show_profile(struct seq_file *f, void *p) { struct aa_profile *profile = (struct aa_profile *)p; struct aa_namespace *root = f->private; struct aa_ns *root = f->private; if (profile->ns != root) seq_printf(f, ":%s://", aa_ns_name(root, profile->ns)); Loading Loading 
@@ -951,8 +949,7 @@ static int __init aa_create_aafs(void) if (error) goto error; error = __aa_fs_namespace_mkdir(root_ns, aa_fs_entry.dentry, "policy"); error = __aa_fs_ns_mkdir(root_ns, aa_fs_entry.dentry, "policy"); if (error) goto error; Loading
security/apparmor/domain.c +12 −12 Original line number Diff line number Diff line Loading @@ -94,7 +94,7 @@ static int may_change_ptraced_domain(struct aa_profile *to_profile) * Returns: permission set */ static struct file_perms change_profile_perms(struct aa_profile *profile, struct aa_namespace *ns, struct aa_ns *ns, const char *name, u32 request, unsigned int start) { Loading Loading @@ -171,7 +171,7 @@ static struct aa_profile *__attach_match(const char *name, * * Returns: profile or NULL if no match found */ static struct aa_profile *find_attach(struct aa_namespace *ns, static struct aa_profile *find_attach(struct aa_ns *ns, struct list_head *list, const char *name) { struct aa_profile *profile; Loading Loading @@ -240,7 +240,7 @@ static const char *next_name(int xtype, const char *name) static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) { struct aa_profile *new_profile = NULL; struct aa_namespace *ns = profile->ns; struct aa_ns *ns = profile->ns; u32 xtype = xindex & AA_X_TYPE_MASK; int index = xindex & AA_X_INDEX_MASK; const char *name; Loading @@ -248,7 +248,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) /* index is guaranteed to be in range, validated at load time */ for (name = profile->file.trans.table[index]; !new_profile && name; name = next_name(xtype, name)) { struct aa_namespace *new_ns; struct aa_ns *new_ns; const char *xname = NULL; new_ns = NULL; Loading @@ -268,7 +268,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) ; } /* released below */ new_ns = aa_find_namespace(ns, ns_name); new_ns = aa_find_ns(ns, ns_name); if (!new_ns) continue; } else if (*name == '@') { Loading @@ -281,7 +281,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) /* released by caller */ new_profile = aa_lookup_profile(new_ns ? new_ns : ns, xname); aa_put_namespace(new_ns); aa_put_ns(new_ns); } /* released by caller */ Loading 
@@ -302,7 +302,7 @@ static struct aa_profile *x_to_profile(struct aa_profile *profile, const char *name, u32 xindex) { struct aa_profile *new_profile = NULL; struct aa_namespace *ns = profile->ns; struct aa_ns *ns = profile->ns; u32 xtype = xindex & AA_X_TYPE_MASK; switch (xtype) { Loading Loading @@ -339,7 +339,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) { struct aa_task_cxt *cxt; struct aa_profile *profile, *new_profile = NULL; struct aa_namespace *ns; struct aa_ns *ns; char *buffer = NULL; unsigned int state; struct file_perms perms = {}; Loading Loading @@ -746,7 +746,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, { const struct cred *cred; struct aa_profile *profile, *target = NULL; struct aa_namespace *ns = NULL; struct aa_ns *ns = NULL; struct file_perms perms = {}; const char *name = NULL, *info = NULL; int op, error = 0; Loading Loading @@ -780,7 +780,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, if (ns_name) { /* released below */ ns = aa_find_namespace(profile->ns, ns_name); ns = aa_find_ns(profile->ns, ns_name); if (!ns) { /* we don't create new namespace in complain mode */ name = ns_name; Loading @@ -790,7 +790,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, } } else /* released below */ ns = aa_get_namespace(profile->ns); ns = aa_get_ns(profile->ns); /* if the name was not specified, use the name of the current profile */ if (!hname) { Loading Loading @@ -843,7 +843,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request, name, hname, GLOBAL_ROOT_UID, info, error); aa_put_namespace(ns); aa_put_ns(ns); aa_put_profile(target); put_cred(cred); Loading
security/apparmor/include/apparmorfs.h +4 −4 Original line number Diff line number Diff line Loading @@ -62,7 +62,7 @@ extern const struct file_operations aa_fs_seq_file_ops; extern void __init aa_destroy_aafs(void); struct aa_profile; struct aa_namespace; struct aa_ns; enum aafs_ns_type { AAFS_NS_DIR, Loading Loading @@ -97,8 +97,8 @@ void __aa_fs_profile_rmdir(struct aa_profile *profile); void __aa_fs_profile_migrate_dents(struct aa_profile *old, struct aa_profile *new); int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent); void __aa_fs_namespace_rmdir(struct aa_namespace *ns); int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent, void __aa_fs_ns_rmdir(struct aa_ns *ns); int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name); #endif /* __AA_APPARMORFS_H */
security/apparmor/include/policy.h +4 −4 Original line number Diff line number Diff line Loading @@ -31,7 +31,7 @@ #include "resource.h" struct aa_namespace; struct aa_ns; extern const char *const aa_profile_mode_names[]; #define APPARMOR_MODE_NAMES_MAX_INDEX 4 Loading Loading @@ -141,7 +141,7 @@ struct aa_profile { struct rcu_head rcu; struct aa_profile __rcu *parent; struct aa_namespace *ns; struct aa_ns *ns; struct aa_replacedby *replacedby; const char *rename; Loading Loading @@ -177,8 +177,8 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat); void aa_free_profile(struct aa_profile *profile); void aa_free_profile_kref(struct kref *kref); struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name); struct aa_profile *aa_lookup_profile(struct aa_namespace *ns, const char *name); struct aa_profile *aa_match_profile(struct aa_namespace *ns, const char *name); struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *name); struct aa_profile *aa_match_profile(struct aa_ns *ns, const char *name); ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace); ssize_t aa_remove_profiles(char *name, size_t size); Loading
security/apparmor/include/policy_ns.h +21 −22 Original line number Diff line number Diff line Loading @@ -35,7 +35,7 @@ struct aa_ns_acct { int count; }; /* struct aa_namespace - namespace for a set of profiles /* struct aa_ns - namespace for a set of profiles * @base: common policy * @parent: parent of namespace * @lock: lock for modifying the object Loading @@ -46,9 +46,9 @@ struct aa_ns_acct { * @uniq_id: a unique id count for the profiles in the namespace * @dents: dentries for the namespaces file entries in apparmorfs * * An aa_namespace defines the set profiles that are searched to determine * An aa_ns defines the set profiles that are searched to determine * which profile to attach to a task. Profiles can not be shared between * aa_namespaces and profile names within a namespace are guaranteed to be * aa_nss and profile names within a namespace are guaranteed to be * unique. When profiles in separate namespaces have the same name they * are NOT considered to be equivalent. * Loading @@ -57,9 +57,9 @@ struct aa_ns_acct { * * Namespace names must be unique and can not contain the characters :/\0 */ struct aa_namespace { struct aa_ns { struct aa_policy base; struct aa_namespace *parent; struct aa_ns *parent; struct mutex lock; struct aa_ns_acct acct; struct aa_profile *unconfined; Loading 
@@ -70,21 +70,20 @@ struct aa_namespace { struct dentry *dents[AAFS_NS_SIZEOF]; }; extern struct aa_namespace *root_ns; extern struct aa_ns *root_ns; extern const char *aa_hidden_ns_name; bool aa_ns_visible(struct aa_namespace *curr, struct aa_namespace *view); const char *aa_ns_name(struct aa_namespace *parent, struct aa_namespace *child); void aa_free_namespace(struct aa_namespace *ns); bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view); const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child); void aa_free_ns(struct aa_ns *ns); int aa_alloc_root_ns(void); void aa_free_root_ns(void); void aa_free_namespace_kref(struct kref *kref); void aa_free_ns_kref(struct kref *kref); struct aa_namespace *aa_find_namespace(struct aa_namespace *root, const char *name); struct aa_namespace *aa_prepare_namespace(const char *name); void __aa_remove_namespace(struct aa_namespace *ns); struct aa_ns *aa_find_ns(struct aa_ns *root, const char *name); struct aa_ns *aa_prepare_ns(const char *name); void __aa_remove_ns(struct aa_ns *ns); static inline struct aa_profile *aa_deref_parent(struct aa_profile *p) { Loading @@ -93,13 +92,13 @@ static inline struct aa_profile *aa_deref_parent(struct aa_profile *p) } /** * aa_get_namespace - increment references count on @ns * aa_get_ns - increment references count on @ns * @ns: namespace to increment reference count of (MAYBE NULL) * * Returns: pointer to @ns, if @ns is NULL returns NULL * Requires: @ns must be held with valid refcount when called */ static inline struct aa_namespace *aa_get_namespace(struct aa_namespace *ns) static inline struct aa_ns *aa_get_ns(struct aa_ns *ns) { if (ns) aa_get_profile(ns->unconfined); Loading 
@@ -108,19 +107,19 @@ static inline struct aa_namespace *aa_get_namespace(struct aa_namespace *ns) } /** * aa_put_namespace - decrement refcount on @ns * aa_put_ns - decrement refcount on @ns * @ns: namespace to put reference of * * Decrement reference count of @ns and if no longer in use free it */ static inline void aa_put_namespace(struct aa_namespace *ns) static inline void aa_put_ns(struct aa_ns *ns) { if (ns) aa_put_profile(ns->unconfined); } /** * __aa_find_namespace - find a namespace on a list by @name * __aa_find_ns - find a namespace on a list by @name * @head: list to search for namespace on (NOT NULL) * @name: name of namespace to look for (NOT NULL) * Loading @@ -128,10 +127,10 @@ static inline void aa_put_namespace(struct aa_namespace *ns) * * Requires: rcu_read_lock be held */ static inline struct aa_namespace *__aa_find_namespace(struct list_head *head, static inline struct aa_ns *__aa_find_ns(struct list_head *head, const char *name) { return (struct aa_namespace *)__policy_find(head, name); return (struct aa_ns *)__policy_find(head, name); } #endif /* AA_NAMESPACE_H */