Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
fe6bb31f
Commit
fe6bb31f
authored
Jan 16, 2017
by
John Johansen
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
apparmor: split out shared policy_XXX fns to lib
Signed-off-by:
John Johansen
<
john.johansen@canonical.com
>
parent
12557dcb
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
137 additions
and
132 deletions
+137
-132
security/apparmor/include/lib.h
security/apparmor/include/lib.h
+81
-0
security/apparmor/include/policy.h
security/apparmor/include/policy.h
+0
-13
security/apparmor/lib.c
security/apparmor/lib.c
+52
-0
security/apparmor/policy.c
security/apparmor/policy.c
+4
-119
No files found.
security/apparmor/include/lib.h
View file @
fe6bb31f
...
...
@@ -91,4 +91,85 @@ static inline bool mediated_filesystem(struct dentry *dentry)
return
!
(
dentry
->
d_sb
->
s_flags
&
MS_NOUSER
);
}
/* struct aa_policy - common part of both namespaces and profiles
* @name: name of the object
* @hname - The hierarchical name
* @list: list policy object is on
* @profiles: head of the profiles list contained in the object
*/
struct
aa_policy
{
char
*
name
;
char
*
hname
;
struct
list_head
list
;
struct
list_head
profiles
;
};
/**
* hname_tail - find the last component of an hname
* @name: hname to find the base profile name component of (NOT NULL)
*
* Returns: the tail (base profile name) name component of an hname
*/
static
inline
const
char
*
hname_tail
(
const
char
*
hname
)
{
char
*
split
;
hname
=
strim
((
char
*
)
hname
);
for
(
split
=
strstr
(
hname
,
"//"
);
split
;
split
=
strstr
(
hname
,
"//"
))
hname
=
split
+
2
;
return
hname
;
}
/**
* __policy_find - find a policy by @name on a policy list
* @head: list to search (NOT NULL)
* @name: name to search for (NOT NULL)
*
* Requires: rcu_read_lock be held
*
* Returns: unrefcounted policy that match @name or NULL if not found
*/
static
inline
struct
aa_policy
*
__policy_find
(
struct
list_head
*
head
,
const
char
*
name
)
{
struct
aa_policy
*
policy
;
list_for_each_entry_rcu
(
policy
,
head
,
list
)
{
if
(
!
strcmp
(
policy
->
name
,
name
))
return
policy
;
}
return
NULL
;
}
/**
* __policy_strn_find - find a policy that's name matches @len chars of @str
* @head: list to search (NOT NULL)
* @str: string to search for (NOT NULL)
* @len: length of match required
*
* Requires: rcu_read_lock be held
*
* Returns: unrefcounted policy that match @str or NULL if not found
*
* if @len == strlen(@strlen) then this is equiv to __policy_find
* other wise it allows searching for policy by a partial match of name
*/
static
inline
struct
aa_policy
*
__policy_strn_find
(
struct
list_head
*
head
,
const
char
*
str
,
int
len
)
{
struct
aa_policy
*
policy
;
list_for_each_entry_rcu
(
policy
,
head
,
list
)
{
if
(
aa_strneq
(
policy
->
name
,
str
,
len
))
return
policy
;
}
return
NULL
;
}
bool
aa_policy_init
(
struct
aa_policy
*
policy
,
const
char
*
prefix
,
const
char
*
name
);
void
aa_policy_destroy
(
struct
aa_policy
*
policy
);
#endif
/* AA_LIB_H */
security/apparmor/include/policy.h
View file @
fe6bb31f
...
...
@@ -77,19 +77,6 @@ enum profile_flags {
struct
aa_profile
;
/* struct aa_policy - common part of both namespaces and profiles
* @name: name of the object
* @hname - The hierarchical name
* @list: list policy object is on
* @profiles: head of the profiles list contained in the object
*/
struct
aa_policy
{
char
*
name
;
char
*
hname
;
struct
list_head
list
;
struct
list_head
profiles
;
};
/* struct aa_ns_acct - accounting of profiles in namespace
* @max_size: maximum space allowed for all profiles in namespace
* @max_count: maximum number of profiles that can be in this namespace
...
...
security/apparmor/lib.c
View file @
fe6bb31f
...
...
@@ -20,6 +20,7 @@
#include "include/audit.h"
#include "include/apparmor.h"
#include "include/lib.h"
#include "include/policy.h"
/**
* aa_split_fqname - split a fqname into a profile and namespace name
...
...
@@ -105,3 +106,54 @@ void *__aa_kvmalloc(size_t size, gfp_t flags)
}
return
buffer
;
}
/**
* aa_policy_init - initialize a policy structure
* @policy: policy to initialize (NOT NULL)
* @prefix: prefix name if any is required. (MAYBE NULL)
* @name: name of the policy, init will make a copy of it (NOT NULL)
*
* Note: this fn creates a copy of strings passed in
*
* Returns: true if policy init successful
*/
bool
aa_policy_init
(
struct
aa_policy
*
policy
,
const
char
*
prefix
,
const
char
*
name
)
{
/* freed by policy_free */
if
(
prefix
)
{
policy
->
hname
=
kmalloc
(
strlen
(
prefix
)
+
strlen
(
name
)
+
3
,
GFP_KERNEL
);
if
(
policy
->
hname
)
sprintf
(
policy
->
hname
,
"%s//%s"
,
prefix
,
name
);
}
else
policy
->
hname
=
kstrdup
(
name
,
GFP_KERNEL
);
if
(
!
policy
->
hname
)
return
0
;
/* base.name is a substring of fqname */
policy
->
name
=
(
char
*
)
hname_tail
(
policy
->
hname
);
INIT_LIST_HEAD
(
&
policy
->
list
);
INIT_LIST_HEAD
(
&
policy
->
profiles
);
return
1
;
}
/**
* aa_policy_destroy - free the elements referenced by @policy
* @policy: policy that is to have its elements freed (NOT NULL)
*/
void
aa_policy_destroy
(
struct
aa_policy
*
policy
)
{
/* still contains profiles -- invalid */
if
(
on_list_rcu
(
&
policy
->
profiles
))
{
AA_ERROR
(
"%s: internal error, policy '%s' contains profiles
\n
"
,
__func__
,
policy
->
name
);
}
if
(
on_list_rcu
(
&
policy
->
list
))
{
AA_ERROR
(
"%s: internal error, policy '%s' still on list
\n
"
,
__func__
,
policy
->
name
);
}
/* don't free name as its a subset of hname */
kzfree
(
policy
->
hname
);
}
security/apparmor/policy.c
View file @
fe6bb31f
...
...
@@ -99,121 +99,6 @@ const char *const aa_profile_mode_names[] = {
"unconfined"
,
};
/**
* hname_tail - find the last component of an hname
* @name: hname to find the base profile name component of (NOT NULL)
*
* Returns: the tail (base profile name) name component of an hname
*/
static
const
char
*
hname_tail
(
const
char
*
hname
)
{
char
*
split
;
hname
=
strim
((
char
*
)
hname
);
for
(
split
=
strstr
(
hname
,
"//"
);
split
;
split
=
strstr
(
hname
,
"//"
))
hname
=
split
+
2
;
return
hname
;
}
/**
* policy_init - initialize a policy structure
* @policy: policy to initialize (NOT NULL)
* @prefix: prefix name if any is required. (MAYBE NULL)
* @name: name of the policy, init will make a copy of it (NOT NULL)
*
* Note: this fn creates a copy of strings passed in
*
* Returns: true if policy init successful
*/
static
bool
policy_init
(
struct
aa_policy
*
policy
,
const
char
*
prefix
,
const
char
*
name
)
{
/* freed by policy_free */
if
(
prefix
)
{
policy
->
hname
=
kmalloc
(
strlen
(
prefix
)
+
strlen
(
name
)
+
3
,
GFP_KERNEL
);
if
(
policy
->
hname
)
sprintf
(
policy
->
hname
,
"%s//%s"
,
prefix
,
name
);
}
else
policy
->
hname
=
kstrdup
(
name
,
GFP_KERNEL
);
if
(
!
policy
->
hname
)
return
0
;
/* base.name is a substring of fqname */
policy
->
name
=
(
char
*
)
hname_tail
(
policy
->
hname
);
INIT_LIST_HEAD
(
&
policy
->
list
);
INIT_LIST_HEAD
(
&
policy
->
profiles
);
return
1
;
}
/**
* policy_destroy - free the elements referenced by @policy
* @policy: policy that is to have its elements freed (NOT NULL)
*/
static
void
policy_destroy
(
struct
aa_policy
*
policy
)
{
/* still contains profiles -- invalid */
if
(
on_list_rcu
(
&
policy
->
profiles
))
{
AA_ERROR
(
"%s: internal error, "
"policy '%s' still contains profiles
\n
"
,
__func__
,
policy
->
name
);
BUG
();
}
if
(
on_list_rcu
(
&
policy
->
list
))
{
AA_ERROR
(
"%s: internal error, policy '%s' still on list
\n
"
,
__func__
,
policy
->
name
);
BUG
();
}
/* don't free name as its a subset of hname */
kzfree
(
policy
->
hname
);
}
/**
* __policy_find - find a policy by @name on a policy list
* @head: list to search (NOT NULL)
* @name: name to search for (NOT NULL)
*
* Requires: rcu_read_lock be held
*
* Returns: unrefcounted policy that match @name or NULL if not found
*/
static
struct
aa_policy
*
__policy_find
(
struct
list_head
*
head
,
const
char
*
name
)
{
struct
aa_policy
*
policy
;
list_for_each_entry_rcu
(
policy
,
head
,
list
)
{
if
(
!
strcmp
(
policy
->
name
,
name
))
return
policy
;
}
return
NULL
;
}
/**
* __policy_strn_find - find a policy that's name matches @len chars of @str
* @head: list to search (NOT NULL)
* @str: string to search for (NOT NULL)
* @len: length of match required
*
* Requires: rcu_read_lock be held
*
* Returns: unrefcounted policy that match @str or NULL if not found
*
* if @len == strlen(@strlen) then this is equiv to __policy_find
* other wise it allows searching for policy by a partial match of name
*/
static
struct
aa_policy
*
__policy_strn_find
(
struct
list_head
*
head
,
const
char
*
str
,
int
len
)
{
struct
aa_policy
*
policy
;
list_for_each_entry_rcu
(
policy
,
head
,
list
)
{
if
(
aa_strneq
(
policy
->
name
,
str
,
len
))
return
policy
;
}
return
NULL
;
}
/*
* Routines for AppArmor namespaces
...
...
@@ -280,7 +165,7 @@ static struct aa_namespace *alloc_namespace(const char *prefix,
AA_DEBUG
(
"%s(%p)
\n
"
,
__func__
,
ns
);
if
(
!
ns
)
return
NULL
;
if
(
!
policy_init
(
&
ns
->
base
,
prefix
,
name
))
if
(
!
aa_
policy_init
(
&
ns
->
base
,
prefix
,
name
))
goto
fail_ns
;
INIT_LIST_HEAD
(
&
ns
->
sub_ns
);
...
...
@@ -321,7 +206,7 @@ static void free_namespace(struct aa_namespace *ns)
if
(
!
ns
)
return
;
policy_destroy
(
&
ns
->
base
);
aa_
policy_destroy
(
&
ns
->
base
);
aa_put_namespace
(
ns
->
parent
);
ns
->
unconfined
->
ns
=
NULL
;
...
...
@@ -595,7 +480,7 @@ void aa_free_profile(struct aa_profile *profile)
return
;
/* free children profiles */
policy_destroy
(
&
profile
->
base
);
aa_
policy_destroy
(
&
profile
->
base
);
aa_put_profile
(
rcu_access_pointer
(
profile
->
parent
));
aa_put_namespace
(
profile
->
ns
);
...
...
@@ -657,7 +542,7 @@ struct aa_profile *aa_alloc_profile(const char *hname)
goto
fail
;
kref_init
(
&
profile
->
replacedby
->
count
);
if
(
!
policy_init
(
&
profile
->
base
,
NULL
,
hname
))
if
(
!
aa_
policy_init
(
&
profile
->
base
,
NULL
,
hname
))
goto
fail
;
kref_init
(
&
profile
->
count
);
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment