apparmor: add fn to lookup profiles by fqname

Signed-off-by: N John Johansen <john.johansen@canonical.com>

apparmor: add fn to lookup profiles by fqname
Signed-off-by: N John Johansen <john.johansen@canonical.com>
31617ddf · John Johansen · 3b0aaf58 · 31617ddf · 31617ddf · 31617ddf
4 changed file
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -180,6 +180,8 @@ struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name);
 struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname,
 				      size_t n);
 struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *name);
+struct aa_profile *aa_fqlookupn_profile(struct aa_profile *base,
+					const char *fqname, size_t n);
 struct aa_profile *aa_match_profile(struct aa_ns *ns, const char *name);

 ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace);

--- a/security/apparmor/include/policy_ns.h
+++ b/security/apparmor/include/policy_ns.h
@@ -46,11 +46,11 @@ struct aa_ns_acct {
 * @uniq_id: a unique id count for the profiles in the namespace
 * @dents: dentries for the namespaces file entries in apparmorfs
 *
- * An aa_ns defines the set profiles that are searched to determine
- * which profile to attach to a task.  Profiles can not be shared between
- * aa_nss and profile names within a namespace are guaranteed to be
- * unique.  When profiles in separate namespaces have the same name they
- * are NOT considered to be equivalent.
+ * An aa_ns defines the set profiles that are searched to determine which
+ * profile to attach to a task.  Profiles can not be shared between aa_ns
+ * and profile names within a namespace are guaranteed to be unique.  When
+ * profiles in separate namespaces have the same name they are NOT considered
+ * to be equivalent.
 *
 * Namespaces are hierarchical and only namespaces and profiles below the
 * current namespace are visible.

--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -498,6 +498,35 @@ struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *hname)
 {
 	return aa_lookupn_profile(ns, hname, strlen(hname));
 }
+
+struct aa_profile *aa_fqlookupn_profile(struct aa_profile *base,
+					const char *fqname, size_t n)
+{
+	struct aa_profile *profile;
+	struct aa_ns *ns;
+	const char *name, *ns_name;
+	size_t ns_len;
+
+	name = aa_splitn_fqname(fqname, n, &ns_name, &ns_len);
+	if (ns_name) {
+		ns = aa_findn_ns(base->ns, ns_name, ns_len);
+		if (!ns)
+			return NULL;
+	} else
+		ns = aa_get_ns(base->ns);
+
+	if (name)
+		profile = aa_lookupn_profile(ns, name, n - (name - fqname));
+	else if (ns)
+		/* default profile for ns, currently unconfined */
+		profile = aa_get_newest_profile(ns->unconfined);
+	else
+		profile = NULL;
+	aa_put_ns(ns);
+
+	return profile;
+}
+
 /**
 * replacement_allowed - test to see if replacement is allowed
 * @profile: profile to test if it can be replaced  (MAYBE NULL)

--- a/security/apparmor/policy_ns.c
+++ b/security/apparmor/policy_ns.c
@@ -226,7 +226,7 @@ static void __ns_list_release(struct list_head *head);

 /**
 * destroy_ns - remove everything contained by @ns
- * @ns: ns to have it contents removed  (NOT NULL)
+ * @ns: namespace to have it contents removed  (NOT NULL)
 */
 static void destroy_ns(struct aa_ns *ns)
 {
@@ -276,7 +276,7 @@ static void __ns_list_release(struct list_head *head)
 }

 /**
- * aa_alloc_root_ns - allocate the root profile namespcae
+ * aa_alloc_root_ns - allocate the root profile namespace
 *
 * Returns: %0 on success else error
 *