Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
linux
Commits
98849dff
Commit
98849dff
authored
Jan 16, 2017
by
John Johansen
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
apparmor: rename namespace to ns to improve code line lengths
Signed-off-by:
John Johansen
<
john.johansen@canonical.com
>
parent
cff281f6
Changes
8
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
122 additions
and
128 deletions
+122
-128
security/apparmor/apparmorfs.c
security/apparmor/apparmorfs.c
+23
-26
security/apparmor/domain.c
security/apparmor/domain.c
+12
-12
security/apparmor/include/apparmorfs.h
security/apparmor/include/apparmorfs.h
+4
-4
security/apparmor/include/policy.h
security/apparmor/include/policy.h
+4
-4
security/apparmor/include/policy_ns.h
security/apparmor/include/policy_ns.h
+21
-22
security/apparmor/policy.c
security/apparmor/policy.c
+16
-16
security/apparmor/policy_ns.c
security/apparmor/policy_ns.c
+40
-42
security/apparmor/procattr.c
security/apparmor/procattr.c
+2
-2
No files found.
security/apparmor/apparmorfs.c
View file @
98849dff
...
@@ -478,9 +478,9 @@ int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent)
...
@@ -478,9 +478,9 @@ int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent)
return
error
;
return
error
;
}
}
void
__aa_fs_n
amespace_rmdir
(
struct
aa_namespace
*
ns
)
void
__aa_fs_n
s_rmdir
(
struct
aa_ns
*
ns
)
{
{
struct
aa_n
amespace
*
sub
;
struct
aa_n
s
*
sub
;
struct
aa_profile
*
child
;
struct
aa_profile
*
child
;
int
i
;
int
i
;
...
@@ -492,7 +492,7 @@ void __aa_fs_namespace_rmdir(struct aa_namespace *ns)
...
@@ -492,7 +492,7 @@ void __aa_fs_namespace_rmdir(struct aa_namespace *ns)
list_for_each_entry
(
sub
,
&
ns
->
sub_ns
,
base
.
list
)
{
list_for_each_entry
(
sub
,
&
ns
->
sub_ns
,
base
.
list
)
{
mutex_lock
(
&
sub
->
lock
);
mutex_lock
(
&
sub
->
lock
);
__aa_fs_n
amespace
_rmdir
(
sub
);
__aa_fs_n
s
_rmdir
(
sub
);
mutex_unlock
(
&
sub
->
lock
);
mutex_unlock
(
&
sub
->
lock
);
}
}
...
@@ -502,10 +502,9 @@ void __aa_fs_namespace_rmdir(struct aa_namespace *ns)
...
@@ -502,10 +502,9 @@ void __aa_fs_namespace_rmdir(struct aa_namespace *ns)
}
}
}
}
int
__aa_fs_namespace_mkdir
(
struct
aa_namespace
*
ns
,
struct
dentry
*
parent
,
int
__aa_fs_ns_mkdir
(
struct
aa_ns
*
ns
,
struct
dentry
*
parent
,
const
char
*
name
)
const
char
*
name
)
{
{
struct
aa_n
amespace
*
sub
;
struct
aa_n
s
*
sub
;
struct
aa_profile
*
child
;
struct
aa_profile
*
child
;
struct
dentry
*
dent
,
*
dir
;
struct
dentry
*
dent
,
*
dir
;
int
error
;
int
error
;
...
@@ -536,7 +535,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent,
...
@@ -536,7 +535,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent,
list_for_each_entry
(
sub
,
&
ns
->
sub_ns
,
base
.
list
)
{
list_for_each_entry
(
sub
,
&
ns
->
sub_ns
,
base
.
list
)
{
mutex_lock
(
&
sub
->
lock
);
mutex_lock
(
&
sub
->
lock
);
error
=
__aa_fs_n
amespace
_mkdir
(
sub
,
ns_subns_dir
(
ns
),
NULL
);
error
=
__aa_fs_n
s
_mkdir
(
sub
,
ns_subns_dir
(
ns
),
NULL
);
mutex_unlock
(
&
sub
->
lock
);
mutex_unlock
(
&
sub
->
lock
);
if
(
error
)
if
(
error
)
goto
fail2
;
goto
fail2
;
...
@@ -548,7 +547,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent,
...
@@ -548,7 +547,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent,
error
=
PTR_ERR
(
dent
);
error
=
PTR_ERR
(
dent
);
fail2:
fail2:
__aa_fs_n
amespace
_rmdir
(
ns
);
__aa_fs_n
s
_rmdir
(
ns
);
return
error
;
return
error
;
}
}
...
@@ -557,7 +556,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent,
...
@@ -557,7 +556,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent,
#define list_entry_is_head(pos, head, member) (&pos->member == (head))
#define list_entry_is_head(pos, head, member) (&pos->member == (head))
/**
/**
* __next_n
amespace
- find the next namespace to list
* __next_n
s
- find the next namespace to list
* @root: root namespace to stop search at (NOT NULL)
* @root: root namespace to stop search at (NOT NULL)
* @ns: current ns position (NOT NULL)
* @ns: current ns position (NOT NULL)
*
*
...
@@ -568,10 +567,9 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent,
...
@@ -568,10 +567,9 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent,
* Requires: ns->parent->lock to be held
* Requires: ns->parent->lock to be held
* NOTE: will not unlock root->lock
* NOTE: will not unlock root->lock
*/
*/
static
struct
aa_namespace
*
__next_namespace
(
struct
aa_namespace
*
root
,
static
struct
aa_ns
*
__next_ns
(
struct
aa_ns
*
root
,
struct
aa_ns
*
ns
)
struct
aa_namespace
*
ns
)
{
{
struct
aa_n
amespace
*
parent
,
*
next
;
struct
aa_n
s
*
parent
,
*
next
;
/* is next namespace a child */
/* is next namespace a child */
if
(
!
list_empty
(
&
ns
->
sub_ns
))
{
if
(
!
list_empty
(
&
ns
->
sub_ns
))
{
...
@@ -604,10 +602,10 @@ static struct aa_namespace *__next_namespace(struct aa_namespace *root,
...
@@ -604,10 +602,10 @@ static struct aa_namespace *__next_namespace(struct aa_namespace *root,
* Returns: unrefcounted profile or NULL if no profile
* Returns: unrefcounted profile or NULL if no profile
* Requires: profile->ns.lock to be held
* Requires: profile->ns.lock to be held
*/
*/
static
struct
aa_profile
*
__first_profile
(
struct
aa_n
amespace
*
root
,
static
struct
aa_profile
*
__first_profile
(
struct
aa_n
s
*
root
,
struct
aa_n
amespace
*
ns
)
struct
aa_n
s
*
ns
)
{
{
for
(;
ns
;
ns
=
__next_n
amespace
(
root
,
ns
))
{
for
(;
ns
;
ns
=
__next_n
s
(
root
,
ns
))
{
if
(
!
list_empty
(
&
ns
->
base
.
profiles
))
if
(
!
list_empty
(
&
ns
->
base
.
profiles
))
return
list_first_entry
(
&
ns
->
base
.
profiles
,
return
list_first_entry
(
&
ns
->
base
.
profiles
,
struct
aa_profile
,
base
.
list
);
struct
aa_profile
,
base
.
list
);
...
@@ -627,7 +625,7 @@ static struct aa_profile *__first_profile(struct aa_namespace *root,
...
@@ -627,7 +625,7 @@ static struct aa_profile *__first_profile(struct aa_namespace *root,
static
struct
aa_profile
*
__next_profile
(
struct
aa_profile
*
p
)
static
struct
aa_profile
*
__next_profile
(
struct
aa_profile
*
p
)
{
{
struct
aa_profile
*
parent
;
struct
aa_profile
*
parent
;
struct
aa_n
amespace
*
ns
=
p
->
ns
;
struct
aa_n
s
*
ns
=
p
->
ns
;
/* is next profile a child */
/* is next profile a child */
if
(
!
list_empty
(
&
p
->
base
.
profiles
))
if
(
!
list_empty
(
&
p
->
base
.
profiles
))
...
@@ -661,7 +659,7 @@ static struct aa_profile *__next_profile(struct aa_profile *p)
...
@@ -661,7 +659,7 @@ static struct aa_profile *__next_profile(struct aa_profile *p)
*
*
* Returns: next profile or NULL if there isn't one
* Returns: next profile or NULL if there isn't one
*/
*/
static
struct
aa_profile
*
next_profile
(
struct
aa_n
amespace
*
root
,
static
struct
aa_profile
*
next_profile
(
struct
aa_n
s
*
root
,
struct
aa_profile
*
profile
)
struct
aa_profile
*
profile
)
{
{
struct
aa_profile
*
next
=
__next_profile
(
profile
);
struct
aa_profile
*
next
=
__next_profile
(
profile
);
...
@@ -669,7 +667,7 @@ static struct aa_profile *next_profile(struct aa_namespace *root,
...
@@ -669,7 +667,7 @@ static struct aa_profile *next_profile(struct aa_namespace *root,
return
next
;
return
next
;
/* finished all profiles in namespace move to next namespace */
/* finished all profiles in namespace move to next namespace */
return
__first_profile
(
root
,
__next_n
amespace
(
root
,
profile
->
ns
));
return
__first_profile
(
root
,
__next_n
s
(
root
,
profile
->
ns
));
}
}
/**
/**
...
@@ -684,9 +682,9 @@ static struct aa_profile *next_profile(struct aa_namespace *root,
...
@@ -684,9 +682,9 @@ static struct aa_profile *next_profile(struct aa_namespace *root,
static
void
*
p_start
(
struct
seq_file
*
f
,
loff_t
*
pos
)
static
void
*
p_start
(
struct
seq_file
*
f
,
loff_t
*
pos
)
{
{
struct
aa_profile
*
profile
=
NULL
;
struct
aa_profile
*
profile
=
NULL
;
struct
aa_n
amespace
*
root
=
aa_current_profile
()
->
ns
;
struct
aa_n
s
*
root
=
aa_current_profile
()
->
ns
;
loff_t
l
=
*
pos
;
loff_t
l
=
*
pos
;
f
->
private
=
aa_get_n
amespace
(
root
);
f
->
private
=
aa_get_n
s
(
root
);
/* find the first profile */
/* find the first profile */
...
@@ -713,7 +711,7 @@ static void *p_start(struct seq_file *f, loff_t *pos)
...
@@ -713,7 +711,7 @@ static void *p_start(struct seq_file *f, loff_t *pos)
static
void
*
p_next
(
struct
seq_file
*
f
,
void
*
p
,
loff_t
*
pos
)
static
void
*
p_next
(
struct
seq_file
*
f
,
void
*
p
,
loff_t
*
pos
)
{
{
struct
aa_profile
*
profile
=
p
;
struct
aa_profile
*
profile
=
p
;
struct
aa_n
amespace
*
ns
=
f
->
private
;
struct
aa_n
s
*
ns
=
f
->
private
;
(
*
pos
)
++
;
(
*
pos
)
++
;
return
next_profile
(
ns
,
profile
);
return
next_profile
(
ns
,
profile
);
...
@@ -729,14 +727,14 @@ static void *p_next(struct seq_file *f, void *p, loff_t *pos)
...
@@ -729,14 +727,14 @@ static void *p_next(struct seq_file *f, void *p, loff_t *pos)
static
void
p_stop
(
struct
seq_file
*
f
,
void
*
p
)
static
void
p_stop
(
struct
seq_file
*
f
,
void
*
p
)
{
{
struct
aa_profile
*
profile
=
p
;
struct
aa_profile
*
profile
=
p
;
struct
aa_n
amespace
*
root
=
f
->
private
,
*
ns
;
struct
aa_n
s
*
root
=
f
->
private
,
*
ns
;
if
(
profile
)
{
if
(
profile
)
{
for
(
ns
=
profile
->
ns
;
ns
&&
ns
!=
root
;
ns
=
ns
->
parent
)
for
(
ns
=
profile
->
ns
;
ns
&&
ns
!=
root
;
ns
=
ns
->
parent
)
mutex_unlock
(
&
ns
->
lock
);
mutex_unlock
(
&
ns
->
lock
);
}
}
mutex_unlock
(
&
root
->
lock
);
mutex_unlock
(
&
root
->
lock
);
aa_put_n
amespace
(
root
);
aa_put_n
s
(
root
);
}
}
/**
/**
...
@@ -749,7 +747,7 @@ static void p_stop(struct seq_file *f, void *p)
...
@@ -749,7 +747,7 @@ static void p_stop(struct seq_file *f, void *p)
static
int
seq_show_profile
(
struct
seq_file
*
f
,
void
*
p
)
static
int
seq_show_profile
(
struct
seq_file
*
f
,
void
*
p
)
{
{
struct
aa_profile
*
profile
=
(
struct
aa_profile
*
)
p
;
struct
aa_profile
*
profile
=
(
struct
aa_profile
*
)
p
;
struct
aa_n
amespace
*
root
=
f
->
private
;
struct
aa_n
s
*
root
=
f
->
private
;
if
(
profile
->
ns
!=
root
)
if
(
profile
->
ns
!=
root
)
seq_printf
(
f
,
":%s://"
,
aa_ns_name
(
root
,
profile
->
ns
));
seq_printf
(
f
,
":%s://"
,
aa_ns_name
(
root
,
profile
->
ns
));
...
@@ -951,8 +949,7 @@ static int __init aa_create_aafs(void)
...
@@ -951,8 +949,7 @@ static int __init aa_create_aafs(void)
if
(
error
)
if
(
error
)
goto
error
;
goto
error
;
error
=
__aa_fs_namespace_mkdir
(
root_ns
,
aa_fs_entry
.
dentry
,
error
=
__aa_fs_ns_mkdir
(
root_ns
,
aa_fs_entry
.
dentry
,
"policy"
);
"policy"
);
if
(
error
)
if
(
error
)
goto
error
;
goto
error
;
...
...
security/apparmor/domain.c
View file @
98849dff
...
@@ -94,7 +94,7 @@ static int may_change_ptraced_domain(struct aa_profile *to_profile)
...
@@ -94,7 +94,7 @@ static int may_change_ptraced_domain(struct aa_profile *to_profile)
* Returns: permission set
* Returns: permission set
*/
*/
static
struct
file_perms
change_profile_perms
(
struct
aa_profile
*
profile
,
static
struct
file_perms
change_profile_perms
(
struct
aa_profile
*
profile
,
struct
aa_n
amespace
*
ns
,
struct
aa_n
s
*
ns
,
const
char
*
name
,
u32
request
,
const
char
*
name
,
u32
request
,
unsigned
int
start
)
unsigned
int
start
)
{
{
...
@@ -171,7 +171,7 @@ static struct aa_profile *__attach_match(const char *name,
...
@@ -171,7 +171,7 @@ static struct aa_profile *__attach_match(const char *name,
*
*
* Returns: profile or NULL if no match found
* Returns: profile or NULL if no match found
*/
*/
static
struct
aa_profile
*
find_attach
(
struct
aa_n
amespace
*
ns
,
static
struct
aa_profile
*
find_attach
(
struct
aa_n
s
*
ns
,
struct
list_head
*
list
,
const
char
*
name
)
struct
list_head
*
list
,
const
char
*
name
)
{
{
struct
aa_profile
*
profile
;
struct
aa_profile
*
profile
;
...
@@ -240,7 +240,7 @@ static const char *next_name(int xtype, const char *name)
...
@@ -240,7 +240,7 @@ static const char *next_name(int xtype, const char *name)
static
struct
aa_profile
*
x_table_lookup
(
struct
aa_profile
*
profile
,
u32
xindex
)
static
struct
aa_profile
*
x_table_lookup
(
struct
aa_profile
*
profile
,
u32
xindex
)
{
{
struct
aa_profile
*
new_profile
=
NULL
;
struct
aa_profile
*
new_profile
=
NULL
;
struct
aa_n
amespace
*
ns
=
profile
->
ns
;
struct
aa_n
s
*
ns
=
profile
->
ns
;
u32
xtype
=
xindex
&
AA_X_TYPE_MASK
;
u32
xtype
=
xindex
&
AA_X_TYPE_MASK
;
int
index
=
xindex
&
AA_X_INDEX_MASK
;
int
index
=
xindex
&
AA_X_INDEX_MASK
;
const
char
*
name
;
const
char
*
name
;
...
@@ -248,7 +248,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
...
@@ -248,7 +248,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
/* index is guaranteed to be in range, validated at load time */
/* index is guaranteed to be in range, validated at load time */
for
(
name
=
profile
->
file
.
trans
.
table
[
index
];
!
new_profile
&&
name
;
for
(
name
=
profile
->
file
.
trans
.
table
[
index
];
!
new_profile
&&
name
;
name
=
next_name
(
xtype
,
name
))
{
name
=
next_name
(
xtype
,
name
))
{
struct
aa_n
amespace
*
new_ns
;
struct
aa_n
s
*
new_ns
;
const
char
*
xname
=
NULL
;
const
char
*
xname
=
NULL
;
new_ns
=
NULL
;
new_ns
=
NULL
;
...
@@ -268,7 +268,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
...
@@ -268,7 +268,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
;
;
}
}
/* released below */
/* released below */
new_ns
=
aa_find_n
amespace
(
ns
,
ns_name
);
new_ns
=
aa_find_n
s
(
ns
,
ns_name
);
if
(
!
new_ns
)
if
(
!
new_ns
)
continue
;
continue
;
}
else
if
(
*
name
==
'@'
)
{
}
else
if
(
*
name
==
'@'
)
{
...
@@ -281,7 +281,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
...
@@ -281,7 +281,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
/* released by caller */
/* released by caller */
new_profile
=
aa_lookup_profile
(
new_ns
?
new_ns
:
ns
,
xname
);
new_profile
=
aa_lookup_profile
(
new_ns
?
new_ns
:
ns
,
xname
);
aa_put_n
amespace
(
new_ns
);
aa_put_n
s
(
new_ns
);
}
}
/* released by caller */
/* released by caller */
...
@@ -302,7 +302,7 @@ static struct aa_profile *x_to_profile(struct aa_profile *profile,
...
@@ -302,7 +302,7 @@ static struct aa_profile *x_to_profile(struct aa_profile *profile,
const
char
*
name
,
u32
xindex
)
const
char
*
name
,
u32
xindex
)
{
{
struct
aa_profile
*
new_profile
=
NULL
;
struct
aa_profile
*
new_profile
=
NULL
;
struct
aa_n
amespace
*
ns
=
profile
->
ns
;
struct
aa_n
s
*
ns
=
profile
->
ns
;
u32
xtype
=
xindex
&
AA_X_TYPE_MASK
;
u32
xtype
=
xindex
&
AA_X_TYPE_MASK
;
switch
(
xtype
)
{
switch
(
xtype
)
{
...
@@ -339,7 +339,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
...
@@ -339,7 +339,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
{
{
struct
aa_task_cxt
*
cxt
;
struct
aa_task_cxt
*
cxt
;
struct
aa_profile
*
profile
,
*
new_profile
=
NULL
;
struct
aa_profile
*
profile
,
*
new_profile
=
NULL
;
struct
aa_n
amespace
*
ns
;
struct
aa_n
s
*
ns
;
char
*
buffer
=
NULL
;
char
*
buffer
=
NULL
;
unsigned
int
state
;
unsigned
int
state
;
struct
file_perms
perms
=
{};
struct
file_perms
perms
=
{};
...
@@ -746,7 +746,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
...
@@ -746,7 +746,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
{
{
const
struct
cred
*
cred
;
const
struct
cred
*
cred
;
struct
aa_profile
*
profile
,
*
target
=
NULL
;
struct
aa_profile
*
profile
,
*
target
=
NULL
;
struct
aa_n
amespace
*
ns
=
NULL
;
struct
aa_n
s
*
ns
=
NULL
;
struct
file_perms
perms
=
{};
struct
file_perms
perms
=
{};
const
char
*
name
=
NULL
,
*
info
=
NULL
;
const
char
*
name
=
NULL
,
*
info
=
NULL
;
int
op
,
error
=
0
;
int
op
,
error
=
0
;
...
@@ -780,7 +780,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
...
@@ -780,7 +780,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
if
(
ns_name
)
{
if
(
ns_name
)
{
/* released below */
/* released below */
ns
=
aa_find_n
amespace
(
profile
->
ns
,
ns_name
);
ns
=
aa_find_n
s
(
profile
->
ns
,
ns_name
);
if
(
!
ns
)
{
if
(
!
ns
)
{
/* we don't create new namespace in complain mode */
/* we don't create new namespace in complain mode */
name
=
ns_name
;
name
=
ns_name
;
...
@@ -790,7 +790,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
...
@@ -790,7 +790,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
}
}
}
else
}
else
/* released below */
/* released below */
ns
=
aa_get_n
amespace
(
profile
->
ns
);
ns
=
aa_get_n
s
(
profile
->
ns
);
/* if the name was not specified, use the name of the current profile */
/* if the name was not specified, use the name of the current profile */
if
(
!
hname
)
{
if
(
!
hname
)
{
...
@@ -843,7 +843,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
...
@@ -843,7 +843,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
error
=
aa_audit_file
(
profile
,
&
perms
,
GFP_KERNEL
,
op
,
request
,
error
=
aa_audit_file
(
profile
,
&
perms
,
GFP_KERNEL
,
op
,
request
,
name
,
hname
,
GLOBAL_ROOT_UID
,
info
,
error
);
name
,
hname
,
GLOBAL_ROOT_UID
,
info
,
error
);
aa_put_n
amespace
(
ns
);
aa_put_n
s
(
ns
);
aa_put_profile
(
target
);
aa_put_profile
(
target
);
put_cred
(
cred
);
put_cred
(
cred
);
...
...
security/apparmor/include/apparmorfs.h
View file @
98849dff
...
@@ -62,7 +62,7 @@ extern const struct file_operations aa_fs_seq_file_ops;
...
@@ -62,7 +62,7 @@ extern const struct file_operations aa_fs_seq_file_ops;
extern
void
__init
aa_destroy_aafs
(
void
);
extern
void
__init
aa_destroy_aafs
(
void
);
struct
aa_profile
;
struct
aa_profile
;
struct
aa_n
amespace
;
struct
aa_n
s
;
enum
aafs_ns_type
{
enum
aafs_ns_type
{
AAFS_NS_DIR
,
AAFS_NS_DIR
,
...
@@ -97,8 +97,8 @@ void __aa_fs_profile_rmdir(struct aa_profile *profile);
...
@@ -97,8 +97,8 @@ void __aa_fs_profile_rmdir(struct aa_profile *profile);
void
__aa_fs_profile_migrate_dents
(
struct
aa_profile
*
old
,
void
__aa_fs_profile_migrate_dents
(
struct
aa_profile
*
old
,
struct
aa_profile
*
new
);
struct
aa_profile
*
new
);
int
__aa_fs_profile_mkdir
(
struct
aa_profile
*
profile
,
struct
dentry
*
parent
);
int
__aa_fs_profile_mkdir
(
struct
aa_profile
*
profile
,
struct
dentry
*
parent
);
void
__aa_fs_n
amespace_rmdir
(
struct
aa_namespace
*
ns
);
void
__aa_fs_n
s_rmdir
(
struct
aa_ns
*
ns
);
int
__aa_fs_n
amespace_mkdir
(
struct
aa_namespace
*
ns
,
struct
dentry
*
parent
,
int
__aa_fs_n
s_mkdir
(
struct
aa_ns
*
ns
,
struct
dentry
*
parent
,
const
char
*
name
);
const
char
*
name
);
#endif
/* __AA_APPARMORFS_H */
#endif
/* __AA_APPARMORFS_H */
security/apparmor/include/policy.h
View file @
98849dff
...
@@ -31,7 +31,7 @@
...
@@ -31,7 +31,7 @@
#include "resource.h"
#include "resource.h"
struct
aa_n
amespace
;
struct
aa_n
s
;
extern
const
char
*
const
aa_profile_mode_names
[];
extern
const
char
*
const
aa_profile_mode_names
[];
#define APPARMOR_MODE_NAMES_MAX_INDEX 4
#define APPARMOR_MODE_NAMES_MAX_INDEX 4
...
@@ -141,7 +141,7 @@ struct aa_profile {
...
@@ -141,7 +141,7 @@ struct aa_profile {
struct
rcu_head
rcu
;
struct
rcu_head
rcu
;
struct
aa_profile
__rcu
*
parent
;
struct
aa_profile
__rcu
*
parent
;
struct
aa_n
amespace
*
ns
;
struct
aa_n
s
*
ns
;
struct
aa_replacedby
*
replacedby
;
struct
aa_replacedby
*
replacedby
;
const
char
*
rename
;
const
char
*
rename
;
...
@@ -177,8 +177,8 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat);
...
@@ -177,8 +177,8 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat);
void
aa_free_profile
(
struct
aa_profile
*
profile
);
void
aa_free_profile
(
struct
aa_profile
*
profile
);
void
aa_free_profile_kref
(
struct
kref
*
kref
);
void
aa_free_profile_kref
(
struct
kref
*
kref
);
struct
aa_profile
*
aa_find_child
(
struct
aa_profile
*
parent
,
const
char
*
name
);
struct
aa_profile
*
aa_find_child
(
struct
aa_profile
*
parent
,
const
char
*
name
);
struct
aa_profile
*
aa_lookup_profile
(
struct
aa_n
amespace
*
ns
,
const
char
*
name
);
struct
aa_profile
*
aa_lookup_profile
(
struct
aa_n
s
*
ns
,
const
char
*
name
);
struct
aa_profile
*
aa_match_profile
(
struct
aa_n
amespace
*
ns
,
const
char
*
name
);
struct
aa_profile
*
aa_match_profile
(
struct
aa_n
s
*
ns
,
const
char
*
name
);
ssize_t
aa_replace_profiles
(
void
*
udata
,
size_t
size
,
bool
noreplace
);
ssize_t
aa_replace_profiles
(
void
*
udata
,
size_t
size
,
bool
noreplace
);
ssize_t
aa_remove_profiles
(
char
*
name
,
size_t
size
);
ssize_t
aa_remove_profiles
(
char
*
name
,
size_t
size
);
...
...
security/apparmor/include/policy_ns.h
View file @
98849dff
...
@@ -35,7 +35,7 @@ struct aa_ns_acct {
...
@@ -35,7 +35,7 @@ struct aa_ns_acct {
int
count
;
int
count
;
};
};
/* struct aa_n
amespace
- namespace for a set of profiles
/* struct aa_n
s
- namespace for a set of profiles
* @base: common policy
* @base: common policy
* @parent: parent of namespace
* @parent: parent of namespace
* @lock: lock for modifying the object
* @lock: lock for modifying the object
...
@@ -46,9 +46,9 @@ struct aa_ns_acct {
...
@@ -46,9 +46,9 @@ struct aa_ns_acct {
* @uniq_id: a unique id count for the profiles in the namespace
* @uniq_id: a unique id count for the profiles in the namespace
* @dents: dentries for the namespaces file entries in apparmorfs
* @dents: dentries for the namespaces file entries in apparmorfs
*
*
* An aa_n
amespace
defines the set profiles that are searched to determine
* An aa_n
s
defines the set profiles that are searched to determine
* which profile to attach to a task. Profiles can not be shared between
* which profile to attach to a task. Profiles can not be shared between
* aa_n
amespace
s and profile names within a namespace are guaranteed to be
* aa_n
s
s and profile names within a namespace are guaranteed to be
* unique. When profiles in separate namespaces have the same name they
* unique. When profiles in separate namespaces have the same name they
* are NOT considered to be equivalent.
* are NOT considered to be equivalent.
*
*
...
@@ -57,9 +57,9 @@ struct aa_ns_acct {
...
@@ -57,9 +57,9 @@ struct aa_ns_acct {
*
*
* Namespace names must be unique and can not contain the characters :/\0
* Namespace names must be unique and can not contain the characters :/\0
*/
*/
struct
aa_n
amespace
{
struct
aa_n
s
{
struct
aa_policy
base
;
struct
aa_policy
base
;
struct
aa_n
amespace
*
parent
;
struct
aa_n
s
*
parent
;
struct
mutex
lock
;
struct
mutex
lock
;
struct
aa_ns_acct
acct
;
struct
aa_ns_acct
acct
;
struct
aa_profile
*
unconfined
;
struct
aa_profile
*
unconfined
;
...
@@ -70,21 +70,20 @@ struct aa_namespace {
...
@@ -70,21 +70,20 @@ struct aa_namespace {
struct
dentry
*
dents
[
AAFS_NS_SIZEOF
];
struct
dentry
*
dents
[
AAFS_NS_SIZEOF
];
};
};
extern
struct
aa_n
amespace
*
root_ns
;
extern
struct
aa_n
s
*
root_ns
;
extern
const
char
*
aa_hidden_ns_name
;
extern
const
char
*
aa_hidden_ns_name
;
bool
aa_ns_visible
(
struct
aa_n
amespace
*
curr
,
struct
aa_namespace
*
view
);
bool
aa_ns_visible
(
struct
aa_n
s
*
curr
,
struct
aa_ns
*
view
);
const
char
*
aa_ns_name
(
struct
aa_n
amespace
*
parent
,
struct
aa_namespace
*
child
);
const
char
*
aa_ns_name
(
struct
aa_n
s
*
parent
,
struct
aa_ns
*
child
);
void
aa_free_n
amespace
(
struct
aa_namespace
*
ns
);
void
aa_free_n
s
(
struct
aa_ns
*
ns
);
int
aa_alloc_root_ns
(
void
);
int
aa_alloc_root_ns
(
void
);
void
aa_free_root_ns
(
void
);
void
aa_free_root_ns
(
void
);
void
aa_free_n
amespace
_kref
(
struct
kref
*
kref
);
void
aa_free_n
s
_kref
(
struct
kref
*
kref
);
struct
aa_namespace
*
aa_find_namespace
(
struct
aa_namespace
*
root
,
struct
aa_ns
*
aa_find_ns
(
struct
aa_ns
*
root
,
const
char
*
name
);
const
char
*
name
);
struct
aa_ns
*
aa_prepare_ns
(
const
char
*
name
);
struct
aa_namespace
*
aa_prepare_namespace
(
const
char
*
name
);
void
__aa_remove_ns
(
struct
aa_ns
*
ns
);
void
__aa_remove_namespace
(
struct
aa_namespace
*
ns
);
static
inline
struct
aa_profile
*
aa_deref_parent
(
struct
aa_profile
*
p
)
static
inline
struct
aa_profile
*
aa_deref_parent
(
struct
aa_profile
*
p
)
{
{
...
@@ -93,13 +92,13 @@ static inline struct aa_profile *aa_deref_parent(struct aa_profile *p)
...
@@ -93,13 +92,13 @@ static inline struct aa_profile *aa_deref_parent(struct aa_profile *p)
}
}
/**
/**
* aa_get_n
amespace
- increment references count on @ns
* aa_get_n
s
- increment references count on @ns
* @ns: namespace to increment reference count of (MAYBE NULL)
* @ns: namespace to increment reference count of (MAYBE NULL)
*
*
* Returns: pointer to @ns, if @ns is NULL returns NULL
* Returns: pointer to @ns, if @ns is NULL returns NULL
* Requires: @ns must be held with valid refcount when called
* Requires: @ns must be held with valid refcount when called
*/
*/
static
inline
struct
aa_n
amespace
*
aa_get_namespace
(
struct
aa_namespace
*
ns
)
static
inline
struct
aa_n
s
*
aa_get_ns
(
struct
aa_ns
*
ns
)
{
{
if
(
ns
)
if
(
ns
)
aa_get_profile
(
ns
->
unconfined
);
aa_get_profile
(
ns
->
unconfined
);
...
@@ -108,19 +107,19 @@ static inline struct aa_namespace *aa_get_namespace(struct aa_namespace *ns)
...
@@ -108,19 +107,19 @@ static inline struct aa_namespace *aa_get_namespace(struct aa_namespace *ns)
}
}
/**
/**
* aa_put_n
amespace
- decrement refcount on @ns
* aa_put_n
s
- decrement refcount on @ns
* @ns: namespace to put reference of
* @ns: namespace to put reference of
*
*
* Decrement reference count of @ns and if no longer in use free it
* Decrement reference count of @ns and if no longer in use free it
*/
*/
static
inline
void
aa_put_n
amespace
(
struct
aa_namespace
*
ns
)
static
inline
void
aa_put_n
s
(
struct
aa_ns
*
ns
)
{
{
if
(
ns
)
if
(
ns
)
aa_put_profile
(
ns
->
unconfined
);
aa_put_profile
(
ns
->
unconfined
);
}
}
/**
/**
* __aa_find_n
amespace
- find a namespace on a list by @name
* __aa_find_n
s
- find a namespace on a list by @name
* @head: list to search for namespace on (NOT NULL)
* @head: list to search for namespace on (NOT NULL)
* @name: name of namespace to look for (NOT NULL)
* @name: name of namespace to look for (NOT NULL)
*
*
...
@@ -128,10 +127,10 @@ static inline void aa_put_namespace(struct aa_namespace *ns)
...
@@ -128,10 +127,10 @@ static inline void aa_put_namespace(struct aa_namespace *ns)
*
*
* Requires: rcu_read_lock be held
* Requires: rcu_read_lock be held
*/
*/
static
inline
struct
aa_n
amespace
*
__aa_find_namespace
(
struct
list_head
*
head
,
static
inline
struct
aa_n
s
*
__aa_find_ns
(
struct
list_head
*
head
,
const
char
*
name
)
const
char
*
name
)
{
{
return
(
struct
aa_n
amespace
*
)
__policy_find
(
head
,
name
);
return
(
struct
aa_n
s
*
)
__policy_find
(
head
,
name
);
}
}
#endif
/* AA_NAMESPACE_H */
#endif
/* AA_NAMESPACE_H */
security/apparmor/policy.c
View file @
98849dff
...
@@ -213,7 +213,7 @@ void aa_free_profile(struct aa_profile *profile)
...
@@ -213,7 +213,7 @@ void aa_free_profile(struct aa_profile *profile)
aa_policy_destroy
(
&
profile
->
base
);
aa_policy_destroy
(
&
profile
->
base
);
aa_put_profile
(
rcu_access_pointer
(
profile
->
parent
));
aa_put_profile
(
rcu_access_pointer
(
profile
->
parent
));
aa_put_n
amespace
(
profile
->
ns
);
aa_put_n
s
(
profile
->
ns
);
kzfree
(
profile
->
rename
);
kzfree
(
profile
->
rename
);
aa_free_file_rules
(
&
profile
->
file
);
aa_free_file_rules
(
&
profile
->
file
);
...
@@ -237,7 +237,7 @@ static void aa_free_profile_rcu(struct rcu_head *head)
...
@@ -237,7 +237,7 @@ static void aa_free_profile_rcu(struct rcu_head *head)
{
{
struct
aa_profile
*
p
=
container_of
(
head
,
struct
aa_profile
,
rcu
);
struct
aa_profile
*
p
=
container_of
(
head
,
struct
aa_profile
,
rcu
);
if
(
p
->
flags
&
PFLAG_NS_COUNT
)
if
(
p
->
flags
&
PFLAG_NS_COUNT
)
aa_free_n
amespace
(
p
->
ns
);
aa_free_n
s
(
p
->
ns
);
else
else
aa_free_profile
(
p
);
aa_free_profile
(
p
);
}
}
...
@@ -324,7 +324,7 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat)
...
@@ -324,7 +324,7 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat)
/* released on free_profile */
/* released on free_profile */
rcu_assign_pointer
(
profile
->
parent
,
aa_get_profile
(
parent
));
rcu_assign_pointer
(
profile
->
parent
,
aa_get_profile
(
parent
));
profile
->
ns
=
aa_get_n
amespace
(
parent
->
ns
);
profile
->
ns
=
aa_get_n
s
(
parent
->
ns
);
mutex_lock
(
&
profile
->
ns
->
lock
);
mutex_lock
(
&
profile
->
ns
->
lock
);
__list_add_profile
(
&
parent
->
base
.
profiles
,
profile
);
__list_add_profile
(
&
parent
->
base
.
profiles
,
profile
);
...
@@ -403,7 +403,7 @@ struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)
...
@@ -403,7 +403,7 @@ struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)
*
*
* Returns: unrefcounted policy or NULL if not found
* Returns: unrefcounted policy or NULL if not found
*/
*/
static
struct
aa_policy
*
__lookup_parent
(
struct
aa_n
amespace
*
ns
,
static
struct
aa_policy
*
__lookup_parent
(
struct
aa_n
s
*
ns
,
const
char
*
hname
)
const
char
*
hname
)
{
{
struct
aa_policy
*
policy
;
struct
aa_policy
*
policy
;
...
@@ -466,7 +466,7 @@ static struct aa_profile *__lookup_profile(struct aa_policy *base,
...
@@ -466,7 +466,7 @@ static struct aa_profile *__lookup_profile(struct aa_policy *base,
*
*
* Returns: refcounted profile or NULL if not found
* Returns: refcounted profile or NULL if not found
*/
*/
struct
aa_profile
*
aa_lookup_profile
(
struct
aa_n
amespace
*
ns
,
const
char
*
hname
)
struct
aa_profile
*
aa_lookup_profile
(
struct
aa_n
s
*
ns
,
const
char
*
hname
)
{
{
struct
aa_profile
*
profile
;
struct
aa_profile
*
profile
;
...
@@ -670,7 +670,7 @@ static void __replace_profile(struct aa_profile *old, struct aa_profile *new,
...
@@ -670,7 +670,7 @@ static void __replace_profile(struct aa_profile *old, struct aa_profile *new,
*
*
* Returns: profile to replace (no ref) on success else ptr error
* Returns: profile to replace (no ref) on success else ptr error
*/
*/
static
int
__lookup_replace
(
struct
aa_n
amespace
*
ns
,
const
char
*
hname
,
static
int
__lookup_replace
(
struct
aa_n
s
*
ns
,
const
char
*
hname
,
bool
noreplace
,
struct
aa_profile
**
p
,
bool
noreplace
,
struct
aa_profile
**
p
,
const
char
**
info
)
const
char
**
info
)
{
{
...
@@ -701,7 +701,7 @@ static int __lookup_replace(struct aa_namespace *ns, const char *hname,
...
@@ -701,7 +701,7 @@ static int __lookup_replace(struct aa_namespace *ns, const char *hname,
ssize_t
aa_replace_profiles
(
void
*
udata
,
size_t
size
,
bool
noreplace
)
ssize_t
aa_replace_profiles
(
void
*
udata
,
size_t
size
,
bool
noreplace
)
{
{
const
char
*
ns_name
,
*
info
=
NULL
;
const
char
*
ns_name
,
*
info
=
NULL
;
struct
aa_n
amespace
*
ns
=
NULL
;
struct
aa_n
s
*
ns
=
NULL
;
struct
aa_load_ent
*
ent
,
*
tmp
;
struct
aa_load_ent
*
ent
,
*
tmp
;
int
op
=
OP_PROF_REPL
;
int
op
=
OP_PROF_REPL
;
ssize_t
error
;
ssize_t
error
;
...
@@ -713,7 +713,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
...
@@ -713,7 +713,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
goto
out
;
goto
out
;
/* released below */
/* released below */
ns
=
aa_prepare_n
amespace
(
ns_name
);
ns
=
aa_prepare_n
s
(
ns_name
);
if
(
!
ns
)
{
if
(
!
ns
)
{
error
=
audit_policy
(
op
,
GFP_KERNEL
,
ns_name
,
error
=
audit_policy
(
op
,
GFP_KERNEL
,
ns_name
,
"failed to prepare namespace"
,
-
ENOMEM
);
"failed to prepare namespace"
,
-
ENOMEM
);
...
@@ -738,7 +738,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
...
@@ -738,7 +738,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
}
}
/* released when @new is freed */
/* released when @new is freed */
ent
->
new
->
ns
=
aa_get_n
amespace
(
ns
);
ent
->
new
->
ns
=
aa_get_n
s
(
ns
);
if
(
ent
->
old
||
ent
->
rename
)
if
(
ent
->
old
||
ent
->
rename
)
continue
;
continue
;
...
@@ -835,7 +835,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
...
@@ -835,7 +835,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
mutex_unlock
(
&
ns
->
lock
);
mutex_unlock
(
&
ns
->
lock
);
out:
out:
aa_put_n
amespace
(
ns
);
aa_put_n
s
(
ns
);
if
(
error
)
if
(
error
)
return
error
;
return
error
;
...
@@ -881,7 +881,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
...
@@ -881,7 +881,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
*/
*/
ssize_t
aa_remove_profiles
(
char
*
fqname
,
size_t
size
)
ssize_t
aa_remove_profiles
(
char
*
fqname
,
size_t
size
)
{
{
struct
aa_n
amespace
*
root
,
*
ns
=
NULL
;
struct
aa_n
s
*
root
,
*
ns
=
NULL
;
struct
aa_profile
*
profile
=
NULL
;
struct
aa_profile
*
profile
=
NULL
;
const
char
*
name
=
fqname
,
*
info
=
NULL
;
const
char
*
name
=
fqname
,
*
info
=
NULL
;
ssize_t
error
=
0
;
ssize_t
error
=
0
;
...
@@ -898,7 +898,7 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
...
@@ -898,7 +898,7 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
char
*
ns_name
;
char
*
ns_name
;
name
=
aa_split_fqname
(
fqname
,
&
ns_name
);
name
=
aa_split_fqname
(
fqname
,
&
ns_name
);
/* released below */
/* released below */
ns
=
aa_find_n
amespace
(
root
,
ns_name
);
ns
=
aa_find_n
s
(
root
,
ns_name
);
if
(
!
ns
)
{
if
(
!
ns
)
{
info
=
"namespace does not exist"
;
info
=
"namespace does not exist"
;
error
=
-
ENOENT
;
error
=
-
ENOENT
;
...
@@ -906,12 +906,12 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
...
@@ -906,12 +906,12 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
}
}
}
else
}
else
/* released below */
/* released below */
ns
=
aa_get_n
amespace
(
root
);
ns
=
aa_get_n
s
(
root
);
if
(
!
name
)
{
if
(
!
name
)
{
/* remove namespace - can only happen if fqname[0] == ':' */
/* remove namespace - can only happen if fqname[0] == ':' */
mutex_lock
(
&
ns
->
parent
->
lock
);
mutex_lock
(
&
ns
->
parent
->
lock
);
__aa_remove_n
amespace
(
ns
);
__aa_remove_n
s
(
ns
);
mutex_unlock
(
&
ns
->
parent
->
lock
);
mutex_unlock
(
&
ns
->
parent
->
lock
);
}
else
{
}
else
{
/* remove profile */
/* remove profile */
...
@@ -929,13 +929,13 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
...
@@ -929,13 +929,13 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
/* don't fail removal if audit fails */
/* don't fail removal if audit fails */
(
void
)
audit_policy
(
OP_PROF_RM
,
GFP_KERNEL
,
name
,
info
,
error
);
(
void
)
audit_policy
(
OP_PROF_RM
,
GFP_KERNEL
,
name
,
info
,
error
);
aa_put_n
amespace
(
ns
);
aa_put_n
s
(
ns
);
aa_put_profile
(
profile
);
aa_put_profile
(
profile
);
return
size
;
return
size
;
fail_ns_lock:
fail_ns_lock:
mutex_unlock
(
&
ns
->
lock
);
mutex_unlock
(
&
ns
->
lock
);
aa_put_n
amespace
(
ns
);
aa_put_n
s
(
ns
);
fail:
fail:
(
void
)
audit_policy
(
OP_PROF_RM
,
GFP_KERNEL
,
name
,
info
,
error
);
(
void
)
audit_policy
(
OP_PROF_RM
,
GFP_KERNEL
,
name
,
info
,
error
);
...
...
security/apparmor/policy_ns.c
View file @
98849dff
...
@@ -26,7 +26,7 @@
...
@@ -26,7 +26,7 @@
#include "include/policy.h"
#include "include/policy.h"
/* root profile namespace */
/* root profile namespace */
struct
aa_n
amespace
*
root_ns
;
struct
aa_n
s
*
root_ns
;
const
char
*
aa_hidden_ns_name
=
"---"
;
const
char
*
aa_hidden_ns_name
=
"---"
;
/**
/**
...
@@ -36,7 +36,7 @@ const char *aa_hidden_ns_name = "---";
...
@@ -36,7 +36,7 @@ const char *aa_hidden_ns_name = "---";
*
*
* Returns: true if @view is visible from @curr else false
* Returns: true if @view is visible from @curr else false
*/
*/
bool
aa_ns_visible
(
struct
aa_n
amespace
*
curr
,
struct
aa_namespace
*
view
)
bool
aa_ns_visible
(
struct
aa_n
s
*
curr
,
struct
aa_ns
*
view
)
{
{
if
(
curr
==
view
)
if
(
curr
==
view
)
return
true
;
return
true
;
...
@@ -55,7 +55,7 @@ bool aa_ns_visible(struct aa_namespace *curr, struct aa_namespace *view)
...
@@ -55,7 +55,7 @@ bool aa_ns_visible(struct aa_namespace *curr, struct aa_namespace *view)
*
*
* Returns: name of @view visible from @curr
* Returns: name of @view visible from @curr
*/
*/
const
char
*
aa_ns_name
(
struct
aa_n
amespace
*
curr
,
struct
aa_namespace
*
view
)
const
char
*
aa_ns_name
(
struct
aa_n
s
*
curr
,
struct
aa_ns
*
view
)
{
{
/* if view == curr then the namespace name isn't displayed */
/* if view == curr then the namespace name isn't displayed */
if
(
curr
==
view
)
if
(
curr
==
view
)
...
@@ -75,16 +75,15 @@ const char *aa_ns_name(struct aa_namespace *curr, struct aa_namespace *view)
...
@@ -75,16 +75,15 @@ const char *aa_ns_name(struct aa_namespace *curr, struct aa_namespace *view)
}
}
/**
/**
* alloc_n
amespace
- allocate, initialize and return a new namespace
* alloc_n
s
- allocate, initialize and return a new namespace
* @prefix: parent namespace name (MAYBE NULL)
* @prefix: parent namespace name (MAYBE NULL)
* @name: a preallocated name (NOT NULL)
* @name: a preallocated name (NOT NULL)
*
*
* Returns: refcounted namespace or NULL on failure.
* Returns: refcounted namespace or NULL on failure.
*/
*/
static
struct
aa_namespace
*
alloc_namespace
(
const
char
*
prefix
,
static
struct
aa_ns
*
alloc_ns
(
const
char
*
prefix
,
const
char
*
name
)
const
char
*
name
)
{
{
struct
aa_n
amespace
*
ns
;
struct
aa_n
s
*
ns
;
ns
=
kzalloc
(
sizeof
(
*
ns
),
GFP_KERNEL
);
ns
=
kzalloc
(
sizeof
(
*
ns
),
GFP_KERNEL
);
AA_DEBUG
(
"%s(%p)
\n
"
,
__func__
,
ns
);
AA_DEBUG
(
"%s(%p)
\n
"
,
__func__
,
ns
);
...
@@ -96,7 +95,7 @@ static struct aa_namespace *alloc_namespace(const char *prefix,
...
@@ -96,7 +95,7 @@ static struct aa_namespace *alloc_namespace(const char *prefix,
INIT_LIST_HEAD
(
&
ns
->
sub_ns
);
INIT_LIST_HEAD
(
&
ns
->
sub_ns
);
mutex_init
(
&
ns
->
lock
);
mutex_init
(
&
ns
->
lock
);
/* released by
free_namespace
*/
/* released by
aa_free_ns()
*/
ns
->
unconfined
=
aa_alloc_profile
(
"unconfined"
);
ns
->
unconfined
=
aa_alloc_profile
(
"unconfined"
);
if
(
!
ns
->
unconfined
)
if
(
!
ns
->
unconfined
)
goto
fail_unconfined
;
goto
fail_unconfined
;
...
@@ -120,19 +119,19 @@ static struct aa_namespace *alloc_namespace(const char *prefix,
...
@@ -120,19 +119,19 @@ static struct aa_namespace *alloc_namespace(const char *prefix,
}
}
/**
/**
* aa_free_n
amespace
- free a profile namespace
* aa_free_n
s
- free a profile namespace
* @ns: the namespace to free (MAYBE NULL)
* @ns: the namespace to free (MAYBE NULL)
*
*
* Requires: All references to the namespace must have been put, if the
* Requires: All references to the namespace must have been put, if the
* namespace was referenced by a profile confining a task,
* namespace was referenced by a profile confining a task,
*/
*/
void
aa_free_n
amespace
(
struct
aa_namespace
*
ns
)
void
aa_free_n
s
(
struct
aa_ns
*
ns
)
{
{
if
(
!
ns
)
if
(
!
ns
)
return
;
return
;
aa_policy_destroy
(
&
ns
->
base
);
aa_policy_destroy
(
&
ns
->
base
);
aa_put_n
amespace
(
ns
->
parent
);
aa_put_n
s
(
ns
->
parent
);
ns
->
unconfined
->
ns
=
NULL
;
ns
->
unconfined
->
ns
=
NULL
;
aa_free_profile
(
ns
->
unconfined
);
aa_free_profile
(
ns
->
unconfined
);
...
@@ -140,7 +139,7 @@ void aa_free_namespace(struct aa_namespace *ns)
...
@@ -140,7 +139,7 @@ void aa_free_namespace(struct aa_namespace *ns)
}
}
/**
/**
* aa_find_n
amespace
- look up a profile namespace on the namespace list
* aa_find_n
s
- look up a profile namespace on the namespace list
* @root: namespace to search in (NOT NULL)
* @root: namespace to search in (NOT NULL)
* @name: name of namespace to find (NOT NULL)
* @name: name of namespace to find (NOT NULL)
*
*
...
@@ -149,27 +148,26 @@ void aa_free_namespace(struct aa_namespace *ns)
...
@@ -149,27 +148,26 @@ void aa_free_namespace(struct aa_namespace *ns)
*
*
* refcount released by caller
* refcount released by caller
*/
*/
struct
aa_namespace
*
aa_find_namespace
(
struct
aa_namespace
*
root
,
struct
aa_ns
*
aa_find_ns
(
struct
aa_ns
*
root
,
const
char
*
name
)
const
char
*
name
)
{
{
struct
aa_n
amespace
*
ns
=
NULL
;
struct
aa_n
s
*
ns
=
NULL
;
rcu_read_lock
();
rcu_read_lock
();
ns
=
aa_get_n
amespace
(
__aa_find_namespace
(
&
root
->
sub_ns
,
name
));
ns
=
aa_get_n
s
(
__aa_find_ns
(
&
root
->
sub_ns
,
name
));
rcu_read_unlock
();
rcu_read_unlock
();
return
ns
;
return
ns
;
}
}
/**
/**
* aa_prepare_n
amespace
- find an existing or create a new namespace of @name
* aa_prepare_n
s
- find an existing or create a new namespace of @name
* @name: the namespace to find or add (MAYBE NULL)
* @name: the namespace to find or add (MAYBE NULL)
*
*
* Returns: refcounted n
amespace
or NULL if failed to create one
* Returns: refcounted n
s
or NULL if failed to create one
*/
*/
struct
aa_n
amespace
*
aa_prepare_namespace
(
const
char
*
name
)
struct
aa_n
s
*
aa_prepare_ns
(
const
char
*
name
)
{
{
struct
aa_n
amespace
*
ns
,
*
root
;
struct
aa_n
s
*
ns
,
*
root
;
root
=
aa_current_profile
()
->
ns
;
root
=
aa_current_profile
()
->
ns
;
...
@@ -178,28 +176,28 @@ struct aa_namespace *aa_prepare_namespace(const char *name)
...
@@ -178,28 +176,28 @@ struct aa_namespace *aa_prepare_namespace(const char *name)
/* if name isn't specified the profile is loaded to the current ns */
/* if name isn't specified the profile is loaded to the current ns */
if
(
!
name
)
{
if
(
!
name
)
{
/* released by caller */
/* released by caller */
ns
=
aa_get_n
amespace
(
root
);
ns
=
aa_get_n
s
(
root
);
goto
out
;
goto
out
;
}
}
/* try and find the specified ns and if it doesn't exist create it */
/* try and find the specified ns and if it doesn't exist create it */
/* released by caller */
/* released by caller */
ns
=
aa_get_n
amespace
(
__aa_find_namespace
(
&
root
->
sub_ns
,
name
));
ns
=
aa_get_n
s
(
__aa_find_ns
(
&
root
->
sub_ns
,
name
));
if
(
!
ns
)
{
if
(
!
ns
)
{
ns
=
alloc_n
amespace
(
root
->
base
.
hname
,
name
);
ns
=
alloc_n
s
(
root
->
base
.
hname
,
name
);
if
(
!
ns
)
if
(
!
ns
)
goto
out
;
goto
out
;
if
(
__aa_fs_n
amespace
_mkdir
(
ns
,
ns_subns_dir
(
root
),
name
))
{
if
(
__aa_fs_n
s
_mkdir
(
ns
,
ns_subns_dir
(
root
),
name
))
{
AA_ERROR
(
"Failed to create interface for ns %s
\n
"
,
AA_ERROR
(
"Failed to create interface for ns %s
\n
"
,
ns
->
base
.
name
);
ns
->
base
.
name
);
aa_free_n
amespace
(
ns
);
aa_free_n
s
(
ns
);
ns
=
NULL
;
ns
=
NULL
;
goto
out
;
goto
out
;
}
}
ns
->
parent
=
aa_get_n
amespace
(
root
);
ns
->
parent
=
aa_get_n
s
(
root
);
list_add_rcu
(
&
ns
->
base
.
list
,
&
root
->
sub_ns
);
list_add_rcu
(
&
ns
->
base
.
list
,
&
root
->
sub_ns
);
/* add list ref */
/* add list ref */
aa_get_n
amespace
(
ns
);
aa_get_n
s
(
ns
);
}
}
out:
out:
mutex_unlock
(
&
root
->
lock
);
mutex_unlock
(
&
root
->
lock
);
...
@@ -211,10 +209,10 @@ struct aa_namespace *aa_prepare_namespace(const char *name)
...
@@ -211,10 +209,10 @@ struct aa_namespace *aa_prepare_namespace(const char *name)
static
void
__ns_list_release
(
struct
list_head
*
head
);
static
void
__ns_list_release
(
struct
list_head
*
head
);
/**
/**
* destroy_n
amespace
- remove everything contained by @ns
* destroy_n
s
- remove everything contained by @ns
* @ns: n
amespace
to have it contents removed (NOT NULL)
* @ns: n
s
to have it contents removed (NOT NULL)
*/
*/
static
void
destroy_n
amespace
(
struct
aa_namespace
*
ns
)
static
void
destroy_n
s
(
struct
aa_ns
*
ns
)
{
{
if
(
!
ns
)
if
(
!
ns
)
return
;
return
;
...
@@ -228,22 +226,22 @@ static void destroy_namespace(struct aa_namespace *ns)
...
@@ -228,22 +226,22 @@ static void destroy_namespace(struct aa_namespace *ns)
if
(
ns
->
parent
)
if
(
ns
->
parent
)
__aa_update_replacedby
(
ns
->
unconfined
,
ns
->
parent
->
unconfined
);
__aa_update_replacedby
(
ns
->
unconfined
,
ns
->
parent
->
unconfined
);
__aa_fs_n
amespace
_rmdir
(
ns
);
__aa_fs_n
s
_rmdir
(
ns
);
mutex_unlock
(
&
ns
->
lock
);
mutex_unlock
(
&
ns
->
lock
);
}
}
/**
/**
* __aa_remove_n
amespace
- remove a namespace and all its children
* __aa_remove_n
s
- remove a namespace and all its children
* @ns: namespace to be removed (NOT NULL)
* @ns: namespace to be removed (NOT NULL)
*
*
* Requires: ns->parent->lock be held and ns removed from parent.
* Requires: ns->parent->lock be held and ns removed from parent.
*/
*/
void
__aa_remove_n
amespace
(
struct
aa_namespace
*
ns
)
void
__aa_remove_n
s
(
struct
aa_ns
*
ns
)
{
{
/* remove ns from namespace list */
/* remove ns from namespace list */
list_del_rcu
(
&
ns
->
base
.
list
);
list_del_rcu
(
&
ns
->
base
.
list
);
destroy_n
amespace
(
ns
);
destroy_n
s
(
ns
);
aa_put_n
amespace
(
ns
);
aa_put_n
s
(
ns
);
}
}
/**
/**
...
@@ -254,15 +252,15 @@ void __aa_remove_namespace(struct aa_namespace *ns)
...
@@ -254,15 +252,15 @@ void __aa_remove_namespace(struct aa_namespace *ns)
*/
*/
static
void
__ns_list_release
(
struct
list_head
*
head
)
static
void
__ns_list_release
(
struct
list_head
*
head
)
{
{
struct
aa_n
amespace
*
ns
,
*
tmp
;
struct
aa_n
s
*
ns
,
*
tmp
;
list_for_each_entry_safe
(
ns
,
tmp
,
head
,
base
.
list
)
list_for_each_entry_safe
(
ns
,
tmp
,
head
,
base
.
list
)
__aa_remove_n
amespace
(
ns
);
__aa_remove_n
s
(
ns
);
}
}
/**
/**
* aa_alloc_root_ns - allocate the root profile namesp
ac
e
* aa_alloc_root_ns - allocate the root profile namesp
ca
e
*
*
* Returns: %0 on success else error
* Returns: %0 on success else error
*
*
...
@@ -270,7 +268,7 @@ static void __ns_list_release(struct list_head *head)
...
@@ -270,7 +268,7 @@ static void __ns_list_release(struct list_head *head)
int
__init
aa_alloc_root_ns
(
void
)
int
__init
aa_alloc_root_ns
(
void
)
{
{
/* released by aa_free_root_ns - used as list ref*/
/* released by aa_free_root_ns - used as list ref*/
root_ns
=
alloc_n
amespace
(
NULL
,
"root"
);
root_ns
=
alloc_n
s
(
NULL
,
"root"
);
if
(
!
root_ns
)
if
(
!
root_ns
)
return
-
ENOMEM
;
return
-
ENOMEM
;
...
@@ -282,10 +280,10 @@ int __init aa_alloc_root_ns(void)
...
@@ -282,10 +280,10 @@ int __init aa_alloc_root_ns(void)
*/
*/
void
__init
aa_free_root_ns
(
void
)
void
__init
aa_free_root_ns
(
void
)
{
{
struct
aa_n
amespace
*
ns
=
root_ns
;
struct
aa_n
s
*
ns
=
root_ns
;
root_ns
=
NULL
;
root_ns
=
NULL
;
destroy_n
amespace
(
ns
);
destroy_n
s
(
ns
);
aa_put_n
amespace
(
ns
);
aa_put_n
s
(
ns
);
}
}
security/apparmor/procattr.c
View file @
98849dff
...
@@ -40,8 +40,8 @@ int aa_getprocattr(struct aa_profile *profile, char **string)
...
@@ -40,8 +40,8 @@ int aa_getprocattr(struct aa_profile *profile, char **string)
int
len
=
0
,
mode_len
=
0
,
ns_len
=
0
,
name_len
;
int
len
=
0
,
mode_len
=
0
,
ns_len
=
0
,
name_len
;
const
char
*
mode_str
=
aa_profile_mode_names
[
profile
->
mode
];
const
char
*
mode_str
=
aa_profile_mode_names
[
profile
->
mode
];
const
char
*
ns_name
=
NULL
;
const
char
*
ns_name
=
NULL
;
struct
aa_n
amespace
*
ns
=
profile
->
ns
;
struct
aa_n
s
*
ns
=
profile
->
ns
;
struct
aa_n
amespace
*
current_ns
=
__aa_current_profile
()
->
ns
;
struct
aa_n
s
*
current_ns
=
__aa_current_profile
()
->
ns
;
char
*
s
;
char
*
s
;
if
(
!
aa_ns_visible
(
current_ns
,
ns
))
if
(
!
aa_ns_visible
(
current_ns
,
ns
))
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment