提交
98849dff
编写于
1月 16, 2017
作者:
John Johansen
apparmor: rename namespace to ns to improve code line lengths
Signed-off-by:
John Johansen
<
john.johansen@canonical.com
>
上级
cff281f6
Showing
8 changed file
with
122 addition
and
128 deletion
+122
-128
security/apparmor/apparmorfs.c
security/apparmor/apparmorfs.c
+23
-26
security/apparmor/domain.c
security/apparmor/domain.c
+12
-12
security/apparmor/include/apparmorfs.h
security/apparmor/include/apparmorfs.h
+4
-4
security/apparmor/include/policy.h
security/apparmor/include/policy.h
+4
-4
security/apparmor/include/policy_ns.h
security/apparmor/include/policy_ns.h
+21
-22
security/apparmor/policy.c
security/apparmor/policy.c
+16
-16
security/apparmor/policy_ns.c
security/apparmor/policy_ns.c
+40
-42
security/apparmor/procattr.c
security/apparmor/procattr.c
+2
-2
security/apparmor/apparmorfs.c
...
@@ -478,9 +478,9 @@ int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent)
...
@@ -478,9 +478,9 @@ int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent)
return
error
;
return
error
;
}
}
void
__aa_fs_n
amespace_rmdir
(
struct
aa_namespace
*
ns
)
void
__aa_fs_n
s_rmdir
(
struct
aa_ns
*
ns
)
{
{
struct
aa_n
amespace
*
sub
;
struct
aa_n
s
*
sub
;
struct
aa_profile
*
child
;
struct
aa_profile
*
child
;
int
i
;
int
i
;
...
@@ -492,7 +492,7 @@ void __aa_fs_namespace_rmdir(struct aa_namespace *ns)
...
@@ -492,7 +492,7 @@ void __aa_fs_namespace_rmdir(struct aa_namespace *ns)
list_for_each_entry
(
sub
,
&
ns
->
sub_ns
,
base
.
list
)
{
list_for_each_entry
(
sub
,
&
ns
->
sub_ns
,
base
.
list
)
{
mutex_lock
(
&
sub
->
lock
);
mutex_lock
(
&
sub
->
lock
);
__aa_fs_n
amespace
_rmdir
(
sub
);
__aa_fs_n
s
_rmdir
(
sub
);
mutex_unlock
(
&
sub
->
lock
);
mutex_unlock
(
&
sub
->
lock
);
}
}
...
@@ -502,10 +502,9 @@ void __aa_fs_namespace_rmdir(struct aa_namespace *ns)
...
@@ -502,10 +502,9 @@ void __aa_fs_namespace_rmdir(struct aa_namespace *ns)
}
}
}
}
int
__aa_fs_namespace_mkdir
(
struct
aa_namespace
*
ns
,
struct
dentry
*
parent
,
int
__aa_fs_ns_mkdir
(
struct
aa_ns
*
ns
,
struct
dentry
*
parent
,
const
char
*
name
)
const
char
*
name
)
{
{
struct
aa_n
amespace
*
sub
;
struct
aa_n
s
*
sub
;
struct
aa_profile
*
child
;
struct
aa_profile
*
child
;
struct
dentry
*
dent
,
*
dir
;
struct
dentry
*
dent
,
*
dir
;
int
error
;
int
error
;
...
@@ -536,7 +535,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent,
...
@@ -536,7 +535,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent,
list_for_each_entry
(
sub
,
&
ns
->
sub_ns
,
base
.
list
)
{
list_for_each_entry
(
sub
,
&
ns
->
sub_ns
,
base
.
list
)
{
mutex_lock
(
&
sub
->
lock
);
mutex_lock
(
&
sub
->
lock
);
error
=
__aa_fs_n
amespace
_mkdir
(
sub
,
ns_subns_dir
(
ns
),
NULL
);
error
=
__aa_fs_n
s
_mkdir
(
sub
,
ns_subns_dir
(
ns
),
NULL
);
mutex_unlock
(
&
sub
->
lock
);
mutex_unlock
(
&
sub
->
lock
);
if
(
error
)
if
(
error
)
goto
fail2
;
goto
fail2
;
...
@@ -548,7 +547,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent,
...
@@ -548,7 +547,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent,
error
=
PTR_ERR
(
dent
);
error
=
PTR_ERR
(
dent
);
fail2:
fail2:
__aa_fs_n
amespace
_rmdir
(
ns
);
__aa_fs_n
s
_rmdir
(
ns
);
return
error
;
return
error
;
}
}
...
@@ -557,7 +556,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent,
...
@@ -557,7 +556,7 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent,
#define list_entry_is_head(pos, head, member) (&pos->member == (head))
#define list_entry_is_head(pos, head, member) (&pos->member == (head))
/**
/**
* __next_n
amespace
- find the next namespace to list
* __next_n
s
- find the next namespace to list
* @root: root namespace to stop search at (NOT NULL)
* @root: root namespace to stop search at (NOT NULL)
* @ns: current ns position (NOT NULL)
* @ns: current ns position (NOT NULL)
*
*
...
@@ -568,10 +567,9 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent,
...
@@ -568,10 +567,9 @@ int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent,
* Requires: ns->parent->lock to be held
* Requires: ns->parent->lock to be held
* NOTE: will not unlock root->lock
* NOTE: will not unlock root->lock
*/
*/
static
struct
aa_namespace
*
__next_namespace
(
struct
aa_namespace
*
root
,
static
struct
aa_ns
*
__next_ns
(
struct
aa_ns
*
root
,
struct
aa_ns
*
ns
)
struct
aa_namespace
*
ns
)
{
{
struct
aa_n
amespace
*
parent
,
*
next
;
struct
aa_n
s
*
parent
,
*
next
;
/* is next namespace a child */
/* is next namespace a child */
if
(
!
list_empty
(
&
ns
->
sub_ns
))
{
if
(
!
list_empty
(
&
ns
->
sub_ns
))
{
...
@@ -604,10 +602,10 @@ static struct aa_namespace *__next_namespace(struct aa_namespace *root,
...
@@ -604,10 +602,10 @@ static struct aa_namespace *__next_namespace(struct aa_namespace *root,
* Returns: unrefcounted profile or NULL if no profile
* Returns: unrefcounted profile or NULL if no profile
* Requires: profile->ns.lock to be held
* Requires: profile->ns.lock to be held
*/
*/
static
struct
aa_profile
*
__first_profile
(
struct
aa_n
amespace
*
root
,
static
struct
aa_profile
*
__first_profile
(
struct
aa_n
s
*
root
,
struct
aa_n
amespace
*
ns
)
struct
aa_n
s
*
ns
)
{
{
for
(;
ns
;
ns
=
__next_n
amespace
(
root
,
ns
))
{
for
(;
ns
;
ns
=
__next_n
s
(
root
,
ns
))
{
if
(
!
list_empty
(
&
ns
->
base
.
profiles
))
if
(
!
list_empty
(
&
ns
->
base
.
profiles
))
return
list_first_entry
(
&
ns
->
base
.
profiles
,
return
list_first_entry
(
&
ns
->
base
.
profiles
,
struct
aa_profile
,
base
.
list
);
struct
aa_profile
,
base
.
list
);
...
@@ -627,7 +625,7 @@ static struct aa_profile *__first_profile(struct aa_namespace *root,
...
@@ -627,7 +625,7 @@ static struct aa_profile *__first_profile(struct aa_namespace *root,
static
struct
aa_profile
*
__next_profile
(
struct
aa_profile
*
p
)
static
struct
aa_profile
*
__next_profile
(
struct
aa_profile
*
p
)
{
{
struct
aa_profile
*
parent
;
struct
aa_profile
*
parent
;
struct
aa_n
amespace
*
ns
=
p
->
ns
;
struct
aa_n
s
*
ns
=
p
->
ns
;
/* is next profile a child */
/* is next profile a child */
if
(
!
list_empty
(
&
p
->
base
.
profiles
))
if
(
!
list_empty
(
&
p
->
base
.
profiles
))
...
@@ -661,7 +659,7 @@ static struct aa_profile *__next_profile(struct aa_profile *p)
...
@@ -661,7 +659,7 @@ static struct aa_profile *__next_profile(struct aa_profile *p)
*
*
* Returns: next profile or NULL if there isn't one
* Returns: next profile or NULL if there isn't one
*/
*/
static
struct
aa_profile
*
next_profile
(
struct
aa_n
amespace
*
root
,
static
struct
aa_profile
*
next_profile
(
struct
aa_n
s
*
root
,
struct
aa_profile
*
profile
)
struct
aa_profile
*
profile
)
{
{
struct
aa_profile
*
next
=
__next_profile
(
profile
);
struct
aa_profile
*
next
=
__next_profile
(
profile
);
...
@@ -669,7 +667,7 @@ static struct aa_profile *next_profile(struct aa_namespace *root,
...
@@ -669,7 +667,7 @@ static struct aa_profile *next_profile(struct aa_namespace *root,
return
next
;
return
next
;
/* finished all profiles in namespace move to next namespace */
/* finished all profiles in namespace move to next namespace */
return
__first_profile
(
root
,
__next_n
amespace
(
root
,
profile
->
ns
));
return
__first_profile
(
root
,
__next_n
s
(
root
,
profile
->
ns
));
}
}
/**
/**
...
@@ -684,9 +682,9 @@ static struct aa_profile *next_profile(struct aa_namespace *root,
...
@@ -684,9 +682,9 @@ static struct aa_profile *next_profile(struct aa_namespace *root,
static
void
*
p_start
(
struct
seq_file
*
f
,
loff_t
*
pos
)
static
void
*
p_start
(
struct
seq_file
*
f
,
loff_t
*
pos
)
{
{
struct
aa_profile
*
profile
=
NULL
;
struct
aa_profile
*
profile
=
NULL
;
struct
aa_n
amespace
*
root
=
aa_current_profile
()
->
ns
;
struct
aa_n
s
*
root
=
aa_current_profile
()
->
ns
;
loff_t
l
=
*
pos
;
loff_t
l
=
*
pos
;
f
->
private
=
aa_get_n
amespace
(
root
);
f
->
private
=
aa_get_n
s
(
root
);
/* find the first profile */
/* find the first profile */
...
@@ -713,7 +711,7 @@ static void *p_start(struct seq_file *f, loff_t *pos)
...
@@ -713,7 +711,7 @@ static void *p_start(struct seq_file *f, loff_t *pos)
static
void
*
p_next
(
struct
seq_file
*
f
,
void
*
p
,
loff_t
*
pos
)
static
void
*
p_next
(
struct
seq_file
*
f
,
void
*
p
,
loff_t
*
pos
)
{
{
struct
aa_profile
*
profile
=
p
;
struct
aa_profile
*
profile
=
p
;
struct
aa_n
amespace
*
ns
=
f
->
private
;
struct
aa_n
s
*
ns
=
f
->
private
;
(
*
pos
)
++
;
(
*
pos
)
++
;
return
next_profile
(
ns
,
profile
);
return
next_profile
(
ns
,
profile
);
...
@@ -729,14 +727,14 @@ static void *p_next(struct seq_file *f, void *p, loff_t *pos)
...
@@ -729,14 +727,14 @@ static void *p_next(struct seq_file *f, void *p, loff_t *pos)
static
void
p_stop
(
struct
seq_file
*
f
,
void
*
p
)
static
void
p_stop
(
struct
seq_file
*
f
,
void
*
p
)
{
{
struct
aa_profile
*
profile
=
p
;
struct
aa_profile
*
profile
=
p
;
struct
aa_n
amespace
*
root
=
f
->
private
,
*
ns
;
struct
aa_n
s
*
root
=
f
->
private
,
*
ns
;
if
(
profile
)
{
if
(
profile
)
{
for
(
ns
=
profile
->
ns
;
ns
&&
ns
!=
root
;
ns
=
ns
->
parent
)
for
(
ns
=
profile
->
ns
;
ns
&&
ns
!=
root
;
ns
=
ns
->
parent
)
mutex_unlock
(
&
ns
->
lock
);
mutex_unlock
(
&
ns
->
lock
);
}
}
mutex_unlock
(
&
root
->
lock
);
mutex_unlock
(
&
root
->
lock
);
aa_put_n
amespace
(
root
);
aa_put_n
s
(
root
);
}
}
/**
/**
...
@@ -749,7 +747,7 @@ static void p_stop(struct seq_file *f, void *p)
...
@@ -749,7 +747,7 @@ static void p_stop(struct seq_file *f, void *p)
static
int
seq_show_profile
(
struct
seq_file
*
f
,
void
*
p
)
static
int
seq_show_profile
(
struct
seq_file
*
f
,
void
*
p
)
{
{
struct
aa_profile
*
profile
=
(
struct
aa_profile
*
)
p
;
struct
aa_profile
*
profile
=
(
struct
aa_profile
*
)
p
;
struct
aa_n
amespace
*
root
=
f
->
private
;
struct
aa_n
s
*
root
=
f
->
private
;
if
(
profile
->
ns
!=
root
)
if
(
profile
->
ns
!=
root
)
seq_printf
(
f
,
":%s://"
,
aa_ns_name
(
root
,
profile
->
ns
));
seq_printf
(
f
,
":%s://"
,
aa_ns_name
(
root
,
profile
->
ns
));
...
@@ -951,8 +949,7 @@ static int __init aa_create_aafs(void)
...
@@ -951,8 +949,7 @@ static int __init aa_create_aafs(void)
if
(
error
)
if
(
error
)
goto
error
;
goto
error
;
error
=
__aa_fs_namespace_mkdir
(
root_ns
,
aa_fs_entry
.
dentry
,
error
=
__aa_fs_ns_mkdir
(
root_ns
,
aa_fs_entry
.
dentry
,
"policy"
);
"policy"
);
if
(
error
)
if
(
error
)
goto
error
;
goto
error
;
...
...
security/apparmor/domain.c
...
@@ -94,7 +94,7 @@ static int may_change_ptraced_domain(struct aa_profile *to_profile)
...
@@ -94,7 +94,7 @@ static int may_change_ptraced_domain(struct aa_profile *to_profile)
* Returns: permission set
* Returns: permission set
*/
*/
static
struct
file_perms
change_profile_perms
(
struct
aa_profile
*
profile
,
static
struct
file_perms
change_profile_perms
(
struct
aa_profile
*
profile
,
struct
aa_n
amespace
*
ns
,
struct
aa_n
s
*
ns
,
const
char
*
name
,
u32
request
,
const
char
*
name
,
u32
request
,
unsigned
int
start
)
unsigned
int
start
)
{
{
...
@@ -171,7 +171,7 @@ static struct aa_profile *__attach_match(const char *name,
...
@@ -171,7 +171,7 @@ static struct aa_profile *__attach_match(const char *name,
*
*
* Returns: profile or NULL if no match found
* Returns: profile or NULL if no match found
*/
*/
static
struct
aa_profile
*
find_attach
(
struct
aa_n
amespace
*
ns
,
static
struct
aa_profile
*
find_attach
(
struct
aa_n
s
*
ns
,
struct
list_head
*
list
,
const
char
*
name
)
struct
list_head
*
list
,
const
char
*
name
)
{
{
struct
aa_profile
*
profile
;
struct
aa_profile
*
profile
;
...
@@ -240,7 +240,7 @@ static const char *next_name(int xtype, const char *name)
...
@@ -240,7 +240,7 @@ static const char *next_name(int xtype, const char *name)
static
struct
aa_profile
*
x_table_lookup
(
struct
aa_profile
*
profile
,
u32
xindex
)
static
struct
aa_profile
*
x_table_lookup
(
struct
aa_profile
*
profile
,
u32
xindex
)
{
{
struct
aa_profile
*
new_profile
=
NULL
;
struct
aa_profile
*
new_profile
=
NULL
;
struct
aa_n
amespace
*
ns
=
profile
->
ns
;
struct
aa_n
s
*
ns
=
profile
->
ns
;
u32
xtype
=
xindex
&
AA_X_TYPE_MASK
;
u32
xtype
=
xindex
&
AA_X_TYPE_MASK
;
int
index
=
xindex
&
AA_X_INDEX_MASK
;
int
index
=
xindex
&
AA_X_INDEX_MASK
;
const
char
*
name
;
const
char
*
name
;
...
@@ -248,7 +248,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
...
@@ -248,7 +248,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
/* index is guaranteed to be in range, validated at load time */
/* index is guaranteed to be in range, validated at load time */
for
(
name
=
profile
->
file
.
trans
.
table
[
index
];
!
new_profile
&&
name
;
for
(
name
=
profile
->
file
.
trans
.
table
[
index
];
!
new_profile
&&
name
;
name
=
next_name
(
xtype
,
name
))
{
name
=
next_name
(
xtype
,
name
))
{
struct
aa_n
amespace
*
new_ns
;
struct
aa_n
s
*
new_ns
;
const
char
*
xname
=
NULL
;
const
char
*
xname
=
NULL
;
new_ns
=
NULL
;
new_ns
=
NULL
;
...
@@ -268,7 +268,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
...
@@ -268,7 +268,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
;
;
}
}
/* released below */
/* released below */
new_ns
=
aa_find_n
amespace
(
ns
,
ns_name
);
new_ns
=
aa_find_n
s
(
ns
,
ns_name
);
if
(
!
new_ns
)
if
(
!
new_ns
)
continue
;
continue
;
}
else
if
(
*
name
==
'@'
)
{
}
else
if
(
*
name
==
'@'
)
{
...
@@ -281,7 +281,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
...
@@ -281,7 +281,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
/* released by caller */
/* released by caller */
new_profile
=
aa_lookup_profile
(
new_ns
?
new_ns
:
ns
,
xname
);
new_profile
=
aa_lookup_profile
(
new_ns
?
new_ns
:
ns
,
xname
);
aa_put_n
amespace
(
new_ns
);
aa_put_n
s
(
new_ns
);
}
}
/* released by caller */
/* released by caller */
...
@@ -302,7 +302,7 @@ static struct aa_profile *x_to_profile(struct aa_profile *profile,
...
@@ -302,7 +302,7 @@ static struct aa_profile *x_to_profile(struct aa_profile *profile,
const
char
*
name
,
u32
xindex
)
const
char
*
name
,
u32
xindex
)
{
{
struct
aa_profile
*
new_profile
=
NULL
;
struct
aa_profile
*
new_profile
=
NULL
;
struct
aa_n
amespace
*
ns
=
profile
->
ns
;
struct
aa_n
s
*
ns
=
profile
->
ns
;
u32
xtype
=
xindex
&
AA_X_TYPE_MASK
;
u32
xtype
=
xindex
&
AA_X_TYPE_MASK
;
switch
(
xtype
)
{
switch
(
xtype
)
{
...
@@ -339,7 +339,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
...
@@ -339,7 +339,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
{
{
struct
aa_task_cxt
*
cxt
;
struct
aa_task_cxt
*
cxt
;
struct
aa_profile
*
profile
,
*
new_profile
=
NULL
;
struct
aa_profile
*
profile
,
*
new_profile
=
NULL
;
struct
aa_n
amespace
*
ns
;
struct
aa_n
s
*
ns
;
char
*
buffer
=
NULL
;
char
*
buffer
=
NULL
;
unsigned
int
state
;
unsigned
int
state
;
struct
file_perms
perms
=
{};
struct
file_perms
perms
=
{};
...
@@ -746,7 +746,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
...
@@ -746,7 +746,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
{
{
const
struct
cred
*
cred
;
const
struct
cred
*
cred
;
struct
aa_profile
*
profile
,
*
target
=
NULL
;
struct
aa_profile
*
profile
,
*
target
=
NULL
;
struct
aa_n
amespace
*
ns
=
NULL
;
struct
aa_n
s
*
ns
=
NULL
;
struct
file_perms
perms
=
{};
struct
file_perms
perms
=
{};
const
char
*
name
=
NULL
,
*
info
=
NULL
;
const
char
*
name
=
NULL
,
*
info
=
NULL
;
int
op
,
error
=
0
;
int
op
,
error
=
0
;
...
@@ -780,7 +780,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
...
@@ -780,7 +780,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
if
(
ns_name
)
{
if
(
ns_name
)
{
/* released below */
/* released below */
ns
=
aa_find_n
amespace
(
profile
->
ns
,
ns_name
);
ns
=
aa_find_n
s
(
profile
->
ns
,
ns_name
);
if
(
!
ns
)
{
if
(
!
ns
)
{
/* we don't create new namespace in complain mode */
/* we don't create new namespace in complain mode */
name
=
ns_name
;
name
=
ns_name
;
...
@@ -790,7 +790,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
...
@@ -790,7 +790,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
}
}
}
else
}
else
/* released below */
/* released below */
ns
=
aa_get_n
amespace
(
profile
->
ns
);
ns
=
aa_get_n
s
(
profile
->
ns
);
/* if the name was not specified, use the name of the current profile */
/* if the name was not specified, use the name of the current profile */
if
(
!
hname
)
{
if
(
!
hname
)
{
...
@@ -843,7 +843,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
...
@@ -843,7 +843,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
error
=
aa_audit_file
(
profile
,
&
perms
,
GFP_KERNEL
,
op
,
request
,
error
=
aa_audit_file
(
profile
,
&
perms
,
GFP_KERNEL
,
op
,
request
,
name
,
hname
,
GLOBAL_ROOT_UID
,
info
,
error
);
name
,
hname
,
GLOBAL_ROOT_UID
,
info
,
error
);
aa_put_n
amespace
(
ns
);
aa_put_n
s
(
ns
);
aa_put_profile
(
target
);
aa_put_profile
(
target
);
put_cred
(
cred
);
put_cred
(
cred
);
...
...
security/apparmor/include/apparmorfs.h
...
@@ -62,7 +62,7 @@ extern const struct file_operations aa_fs_seq_file_ops;
...
@@ -62,7 +62,7 @@ extern const struct file_operations aa_fs_seq_file_ops;
extern
void
__init
aa_destroy_aafs
(
void
);
extern
void
__init
aa_destroy_aafs
(
void
);
struct
aa_profile
;
struct
aa_profile
;
struct
aa_n
amespace
;
struct
aa_n
s
;
enum
aafs_ns_type
{
enum
aafs_ns_type
{
AAFS_NS_DIR
,
AAFS_NS_DIR
,
...
@@ -97,8 +97,8 @@ void __aa_fs_profile_rmdir(struct aa_profile *profile);
...
@@ -97,8 +97,8 @@ void __aa_fs_profile_rmdir(struct aa_profile *profile);
void
__aa_fs_profile_migrate_dents
(
struct
aa_profile
*
old
,
void
__aa_fs_profile_migrate_dents
(
struct
aa_profile
*
old
,
struct
aa_profile
*
new
);
struct
aa_profile
*
new
);
int
__aa_fs_profile_mkdir
(
struct
aa_profile
*
profile
,
struct
dentry
*
parent
);
int
__aa_fs_profile_mkdir
(
struct
aa_profile
*
profile
,
struct
dentry
*
parent
);
void
__aa_fs_n
amespace_rmdir
(
struct
aa_namespace
*
ns
);
void
__aa_fs_n
s_rmdir
(
struct
aa_ns
*
ns
);
int
__aa_fs_n
amespace_mkdir
(
struct
aa_namespace
*
ns
,
struct
dentry
*
parent
,
int
__aa_fs_n
s_mkdir
(
struct
aa_ns
*
ns
,
struct
dentry
*
parent
,
const
char
*
name
);
const
char
*
name
);
#endif
/* __AA_APPARMORFS_H */
#endif
/* __AA_APPARMORFS_H */
security/apparmor/include/policy.h
...
@@ -31,7 +31,7 @@
...
@@ -31,7 +31,7 @@
#include "resource.h"
#include "resource.h"
struct
aa_n
amespace
;
struct
aa_n
s
;
extern
const
char
*
const
aa_profile_mode_names
[];
extern
const
char
*
const
aa_profile_mode_names
[];
#define APPARMOR_MODE_NAMES_MAX_INDEX 4
#define APPARMOR_MODE_NAMES_MAX_INDEX 4
...
@@ -141,7 +141,7 @@ struct aa_profile {
...
@@ -141,7 +141,7 @@ struct aa_profile {
struct
rcu_head
rcu
;
struct
rcu_head
rcu
;
struct
aa_profile
__rcu
*
parent
;
struct
aa_profile
__rcu
*
parent
;
struct
aa_n
amespace
*
ns
;
struct
aa_n
s
*
ns
;
struct
aa_replacedby
*
replacedby
;
struct
aa_replacedby
*
replacedby
;
const
char
*
rename
;
const
char
*
rename
;
...
@@ -177,8 +177,8 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat);
...
@@ -177,8 +177,8 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat);
void
aa_free_profile
(
struct
aa_profile
*
profile
);
void
aa_free_profile
(
struct
aa_profile
*
profile
);
void
aa_free_profile_kref
(
struct
kref
*
kref
);
void
aa_free_profile_kref
(
struct
kref
*
kref
);
struct
aa_profile
*
aa_find_child
(
struct
aa_profile
*
parent
,
const
char
*
name
);
struct
aa_profile
*
aa_find_child
(
struct
aa_profile
*
parent
,
const
char
*
name
);
struct
aa_profile
*
aa_lookup_profile
(
struct
aa_n
amespace
*
ns
,
const
char
*
name
);
struct
aa_profile
*
aa_lookup_profile
(
struct
aa_n
s
*
ns
,
const
char
*
name
);
struct
aa_profile
*
aa_match_profile
(
struct
aa_n
amespace
*
ns
,
const
char
*
name
);
struct
aa_profile
*
aa_match_profile
(
struct
aa_n
s
*
ns
,
const
char
*
name
);
ssize_t
aa_replace_profiles
(
void
*
udata
,
size_t
size
,
bool
noreplace
);
ssize_t
aa_replace_profiles
(
void
*
udata
,
size_t
size
,
bool
noreplace
);
ssize_t
aa_remove_profiles
(
char
*
name
,
size_t
size
);
ssize_t
aa_remove_profiles
(
char
*
name
,
size_t
size
);
...
...
security/apparmor/include/policy_ns.h
...
@@ -35,7 +35,7 @@ struct aa_ns_acct {
...
@@ -35,7 +35,7 @@ struct aa_ns_acct {
int
count
;
int
count
;
};
};
/* struct aa_n
amespace
- namespace for a set of profiles
/* struct aa_n
s
- namespace for a set of profiles
* @base: common policy
* @base: common policy
* @parent: parent of namespace
* @parent: parent of namespace
* @lock: lock for modifying the object
* @lock: lock for modifying the object
...
@@ -46,9 +46,9 @@ struct aa_ns_acct {
...
@@ -46,9 +46,9 @@ struct aa_ns_acct {
* @uniq_id: a unique id count for the profiles in the namespace
* @uniq_id: a unique id count for the profiles in the namespace
* @dents: dentries for the namespaces file entries in apparmorfs
* @dents: dentries for the namespaces file entries in apparmorfs
*
*
* An aa_n
amespace
defines the set profiles that are searched to determine
* An aa_n
s
defines the set profiles that are searched to determine
* which profile to attach to a task. Profiles can not be shared between
* which profile to attach to a task. Profiles can not be shared between
* aa_n
amespace
s and profile names within a namespace are guaranteed to be
* aa_n
s
s and profile names within a namespace are guaranteed to be
* unique. When profiles in separate namespaces have the same name they
* unique. When profiles in separate namespaces have the same name they
* are NOT considered to be equivalent.
* are NOT considered to be equivalent.
*
*
...
@@ -57,9 +57,9 @@ struct aa_ns_acct {
...
@@ -57,9 +57,9 @@ struct aa_ns_acct {
*
*
* Namespace names must be unique and can not contain the characters :/\0
* Namespace names must be unique and can not contain the characters :/\0
*/
*/
struct
aa_n
amespace
{
struct
aa_n
s
{
struct
aa_policy
base
;
struct
aa_policy
base
;
struct
aa_n
amespace
*
parent
;
struct
aa_n
s
*
parent
;
struct
mutex
lock
;
struct
mutex
lock
;
struct
aa_ns_acct
acct
;
struct
aa_ns_acct
acct
;
struct
aa_profile
*
unconfined
;
struct
aa_profile
*
unconfined
;
...
@@ -70,21 +70,20 @@ struct aa_namespace {
...
@@ -70,21 +70,20 @@ struct aa_namespace {
struct
dentry
*
dents
[
AAFS_NS_SIZEOF
];
struct
dentry
*
dents
[
AAFS_NS_SIZEOF
];
};
};
extern
struct
aa_n
amespace
*
root_ns
;
extern
struct
aa_n
s
*
root_ns
;
extern
const
char
*
aa_hidden_ns_name
;
extern
const
char
*
aa_hidden_ns_name
;
bool
aa_ns_visible
(
struct
aa_n
amespace
*
curr
,
struct
aa_namespace
*
view
);
bool
aa_ns_visible
(
struct
aa_n
s
*
curr
,
struct
aa_ns
*
view
);
const
char
*
aa_ns_name
(
struct
aa_n
amespace
*
parent
,
struct
aa_namespace
*
child
);
const
char
*
aa_ns_name
(
struct
aa_n
s
*
parent
,
struct
aa_ns
*
child
);
void
aa_free_n
amespace
(
struct
aa_namespace
*
ns
);
void
aa_free_n
s
(
struct
aa_ns
*
ns
);
int
aa_alloc_root_ns
(
void
);
int
aa_alloc_root_ns
(
void
);
void
aa_free_root_ns
(
void
);
void
aa_free_root_ns
(
void
);
void
aa_free_n
amespace
_kref
(
struct
kref
*
kref
);
void
aa_free_n
s
_kref
(
struct
kref
*
kref
);
struct
aa_namespace
*
aa_find_namespace
(
struct
aa_namespace
*
root
,
struct
aa_ns
*
aa_find_ns
(
struct
aa_ns
*
root
,
const
char
*
name
);
const
char
*
name
);
struct
aa_ns
*
aa_prepare_ns
(
const
char
*
name
);
struct
aa_namespace
*
aa_prepare_namespace
(
const
char
*
name
);
void
__aa_remove_ns
(
struct
aa_ns
*
ns
);
void
__aa_remove_namespace
(
struct
aa_namespace
*
ns
);
static
inline
struct
aa_profile
*
aa_deref_parent
(
struct
aa_profile
*
p
)
static
inline
struct
aa_profile
*
aa_deref_parent
(
struct
aa_profile
*
p
)
{
{
...
@@ -93,13 +92,13 @@ static inline struct aa_profile *aa_deref_parent(struct aa_profile *p)
...
@@ -93,13 +92,13 @@ static inline struct aa_profile *aa_deref_parent(struct aa_profile *p)
}
}
/**
/**
* aa_get_n
amespace
- increment references count on @ns
* aa_get_n
s
- increment references count on @ns
* @ns: namespace to increment reference count of (MAYBE NULL)
* @ns: namespace to increment reference count of (MAYBE NULL)
*
*
* Returns: pointer to @ns, if @ns is NULL returns NULL
* Returns: pointer to @ns, if @ns is NULL returns NULL
* Requires: @ns must be held with valid refcount when called
* Requires: @ns must be held with valid refcount when called
*/
*/
static
inline
struct
aa_n
amespace
*
aa_get_namespace
(
struct
aa_namespace
*
ns
)
static
inline
struct
aa_n
s
*
aa_get_ns
(
struct
aa_ns
*
ns
)
{
{
if
(
ns
)
if
(
ns
)
aa_get_profile
(
ns
->
unconfined
);
aa_get_profile
(
ns
->
unconfined
);
...
@@ -108,19 +107,19 @@ static inline struct aa_namespace *aa_get_namespace(struct aa_namespace *ns)
...
@@ -108,19 +107,19 @@ static inline struct aa_namespace *aa_get_namespace(struct aa_namespace *ns)
}
}
/**
/**
* aa_put_n
amespace
- decrement refcount on @ns
* aa_put_n
s
- decrement refcount on @ns
* @ns: namespace to put reference of
* @ns: namespace to put reference of
*
*
* Decrement reference count of @ns and if no longer in use free it
* Decrement reference count of @ns and if no longer in use free it
*/
*/
static
inline
void
aa_put_n
amespace
(
struct
aa_namespace
*
ns
)
static
inline
void
aa_put_n
s
(
struct
aa_ns
*
ns
)
{
{
if
(
ns
)
if
(
ns
)
aa_put_profile
(
ns
->
unconfined
);
aa_put_profile
(
ns
->
unconfined
);
}
}
/**
/**
* __aa_find_n
amespace
- find a namespace on a list by @name
* __aa_find_n
s
- find a namespace on a list by @name
* @head: list to search for namespace on (NOT NULL)
* @head: list to search for namespace on (NOT NULL)
* @name: name of namespace to look for (NOT NULL)
* @name: name of namespace to look for (NOT NULL)
*
*
...
@@ -128,10 +127,10 @@ static inline void aa_put_namespace(struct aa_namespace *ns)
...
@@ -128,10 +127,10 @@ static inline void aa_put_namespace(struct aa_namespace *ns)
*
*
* Requires: rcu_read_lock be held
* Requires: rcu_read_lock be held
*/
*/
static
inline
struct
aa_n
amespace
*
__aa_find_namespace
(
struct
list_head
*
head
,
static
inline
struct
aa_n
s
*
__aa_find_ns
(
struct
list_head
*
head
,
const
char
*
name
)
const
char
*
name
)
{
{
return
(
struct
aa_n
amespace
*
)
__policy_find
(
head
,
name
);
return
(
struct
aa_n
s
*
)
__policy_find
(
head
,
name
);
}
}
#endif
/* AA_NAMESPACE_H */
#endif
/* AA_NAMESPACE_H */
security/apparmor/policy.c
...
@@ -213,7 +213,7 @@ void aa_free_profile(struct aa_profile *profile)
...
@@ -213,7 +213,7 @@ void aa_free_profile(struct aa_profile *profile)
aa_policy_destroy
(
&
profile
->
base
);
aa_policy_destroy
(
&
profile
->
base
);
aa_put_profile
(
rcu_access_pointer
(
profile
->
parent
));
aa_put_profile
(
rcu_access_pointer
(
profile
->
parent
));
aa_put_n
amespace
(
profile
->
ns
);
aa_put_n
s
(
profile
->
ns
);
kzfree
(
profile
->
rename
);
kzfree
(
profile
->
rename
);
aa_free_file_rules
(
&
profile
->
file
);
aa_free_file_rules
(
&
profile
->
file
);
...
@@ -237,7 +237,7 @@ static void aa_free_profile_rcu(struct rcu_head *head)
...
@@ -237,7 +237,7 @@ static void aa_free_profile_rcu(struct rcu_head *head)
{
{
struct
aa_profile
*
p
=
container_of
(
head
,
struct
aa_profile
,
rcu
);
struct
aa_profile
*
p
=
container_of
(
head
,
struct
aa_profile
,
rcu
);
if
(
p
->
flags
&
PFLAG_NS_COUNT
)
if
(
p
->
flags
&
PFLAG_NS_COUNT
)
aa_free_n
amespace
(
p
->
ns
);
aa_free_n
s
(
p
->
ns
);
else
else
aa_free_profile
(
p
);
aa_free_profile
(
p
);
}
}
...
@@ -324,7 +324,7 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat)
...
@@ -324,7 +324,7 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat)
/* released on free_profile */
/* released on free_profile */
rcu_assign_pointer
(
profile
->
parent
,
aa_get_profile
(
parent
));
rcu_assign_pointer
(
profile
->
parent
,
aa_get_profile
(
parent
));
profile
->
ns
=
aa_get_n
amespace
(
parent
->
ns
);
profile
->
ns
=
aa_get_n
s
(
parent
->
ns
);
mutex_lock
(
&
profile
->
ns
->
lock
);
mutex_lock
(
&
profile
->
ns
->
lock
);
__list_add_profile
(
&
parent
->
base
.
profiles
,
profile
);
__list_add_profile
(
&
parent
->
base
.
profiles
,
profile
);
...
@@ -403,7 +403,7 @@ struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)
...
@@ -403,7 +403,7 @@ struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)
*
*
* Returns: unrefcounted policy or NULL if not found
* Returns: unrefcounted policy or NULL if not found
*/
*/
static
struct
aa_policy
*
__lookup_parent
(
struct
aa_n
amespace
*
ns
,
static
struct
aa_policy
*
__lookup_parent
(
struct
aa_n
s
*
ns
,
const
char
*
hname
)
const
char
*
hname
)
{
{
struct
aa_policy
*
policy
;
struct
aa_policy
*
policy
;
...
@@ -466,7 +466,7 @@ static struct aa_profile *__lookup_profile(struct aa_policy *base,
...
@@ -466,7 +466,7 @@ static struct aa_profile *__lookup_profile(struct aa_policy *base,
*
*
* Returns: refcounted profile or NULL if not found
* Returns: refcounted profile or NULL if not found
*/
*/
struct
aa_profile
*
aa_lookup_profile
(
struct
aa_n
amespace
*
ns
,
const
char
*
hname
)
struct
aa_profile
*
aa_lookup_profile
(
struct
aa_n
s
*
ns
,
const
char
*
hname
)
{
{
struct
aa_profile
*
profile
;
struct
aa_profile
*
profile
;
...
@@ -670,7 +670,7 @@ static void __replace_profile(struct aa_profile *old, struct aa_profile *new,
...
@@ -670,7 +670,7 @@ static void __replace_profile(struct aa_profile *old, struct aa_profile *new,
*
*
* Returns: profile to replace (no ref) on success else ptr error
* Returns: profile to replace (no ref) on success else ptr error
*/
*/
static
int
__lookup_replace
(
struct
aa_n
amespace
*
ns
,
const
char
*
hname
,
static
int
__lookup_replace
(
struct
aa_n
s
*
ns
,
const
char
*
hname
,
bool
noreplace
,
struct
aa_profile
**
p
,
bool
noreplace
,
struct
aa_profile
**
p
,
const
char
**
info
)
const
char
**
info
)
{
{
...
@@ -701,7 +701,7 @@ static int __lookup_replace(struct aa_namespace *ns, const char *hname,
...
@@ -701,7 +701,7 @@ static int __lookup_replace(struct aa_namespace *ns, const char *hname,
ssize_t
aa_replace_profiles
(
void
*
udata
,
size_t
size
,
bool
noreplace
)
ssize_t
aa_replace_profiles
(
void
*
udata
,
size_t
size
,
bool
noreplace
)
{
{
const
char
*
ns_name
,
*
info
=
NULL
;
const
char
*
ns_name
,
*
info
=
NULL
;
struct
aa_n
amespace
*
ns
=
NULL
;
struct
aa_n
s
*
ns
=
NULL
;
struct
aa_load_ent
*
ent
,
*
tmp
;
struct
aa_load_ent
*
ent
,
*
tmp
;
int
op
=
OP_PROF_REPL
;
int
op
=
OP_PROF_REPL
;
ssize_t
error
;
ssize_t
error
;
...
@@ -713,7 +713,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
...
@@ -713,7 +713,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
goto
out
;
goto
out
;
/* released below */
/* released below */
ns
=
aa_prepare_n
amespace
(
ns_name
);
ns
=
aa_prepare_n
s
(
ns_name
);
if
(
!
ns
)
{
if
(
!
ns
)
{
error
=
audit_policy
(
op
,
GFP_KERNEL
,
ns_name
,
error
=
audit_policy
(
op
,
GFP_KERNEL
,
ns_name
,
"failed to prepare namespace"
,
-
ENOMEM
);
"failed to prepare namespace"
,
-
ENOMEM
);
...
@@ -738,7 +738,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
...
@@ -738,7 +738,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
}
}
/* released when @new is freed */
/* released when @new is freed */
ent
->
new
->
ns
=
aa_get_n
amespace
(
ns
);
ent
->
new
->
ns
=
aa_get_n
s
(
ns
);
if
(
ent
->
old
||
ent
->
rename
)
if
(
ent
->
old
||
ent
->
rename
)
continue
;
continue
;
...
@@ -835,7 +835,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
...
@@ -835,7 +835,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
mutex_unlock
(
&
ns
->
lock
);
mutex_unlock
(
&
ns
->
lock
);
out:
out:
aa_put_n
amespace
(
ns
);
aa_put_n
s
(
ns
);
if
(
error
)
if
(
error
)
return
error
;
return
error
;
...
@@ -881,7 +881,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
...
@@ -881,7 +881,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
*/
*/
ssize_t
aa_remove_profiles
(
char
*
fqname
,
size_t
size
)
ssize_t
aa_remove_profiles
(
char
*
fqname
,
size_t
size
)
{
{
struct
aa_n
amespace
*
root
,
*
ns
=
NULL
;
struct
aa_n
s
*
root
,
*
ns
=
NULL
;
struct
aa_profile
*
profile
=
NULL
;
struct
aa_profile
*
profile
=
NULL
;
const
char
*
name
=
fqname
,
*
info
=
NULL
;
const
char
*
name
=
fqname
,
*
info
=
NULL
;
ssize_t
error
=
0
;
ssize_t
error
=
0
;
...
@@ -898,7 +898,7 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
...
@@ -898,7 +898,7 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
char
*
ns_name
;
char
*
ns_name
;
name
=
aa_split_fqname
(
fqname
,
&
ns_name
);
name
=
aa_split_fqname
(
fqname
,
&
ns_name
);
/* released below */
/* released below */
ns
=
aa_find_n
amespace
(
root
,
ns_name
);
ns
=
aa_find_n
s
(
root
,
ns_name
);
if
(
!
ns
)
{
if
(
!
ns
)
{
info
=
"namespace does not exist"
;
info
=
"namespace does not exist"
;
error
=
-
ENOENT
;
error
=
-
ENOENT
;
...
@@ -906,12 +906,12 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
...
@@ -906,12 +906,12 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
}
}
}
else
}
else
/* released below */
/* released below */
ns
=
aa_get_n
amespace
(
root
);
ns
=
aa_get_n
s
(
root
);
if
(
!
name
)
{
if
(
!
name
)
{
/* remove namespace - can only happen if fqname[0] == ':' */
/* remove namespace - can only happen if fqname[0] == ':' */
mutex_lock
(
&
ns
->
parent
->
lock
);
mutex_lock
(
&
ns
->
parent
->
lock
);
__aa_remove_n
amespace
(
ns
);
__aa_remove_n
s
(
ns
);
mutex_unlock
(
&
ns
->
parent
->
lock
);
mutex_unlock
(
&
ns
->
parent
->
lock
);
}
else
{
}
else
{
/* remove profile */
/* remove profile */
...
@@ -929,13 +929,13 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
...
@@ -929,13 +929,13 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
/* don't fail removal if audit fails */
/* don't fail removal if audit fails */
(
void
)
audit_policy
(
OP_PROF_RM
,
GFP_KERNEL
,
name
,
info
,
error
);
(
void
)
audit_policy
(
OP_PROF_RM
,
GFP_KERNEL
,
name
,
info
,
error
);
aa_put_n
amespace
(
ns
);
aa_put_n
s
(
ns
);
aa_put_profile
(
profile
);
aa_put_profile
(
profile
);
return
size
;
return
size
;
fail_ns_lock:
fail_ns_lock:
mutex_unlock
(
&
ns
->
lock
);
mutex_unlock
(
&
ns
->
lock
);
aa_put_n
amespace
(
ns
);
aa_put_n
s
(
ns
);
fail:
fail:
(
void
)
audit_policy
(
OP_PROF_RM
,
GFP_KERNEL
,
name
,
info
,
error
);
(
void
)
audit_policy
(
OP_PROF_RM
,
GFP_KERNEL
,
name
,
info
,
error
);
...
...
security/apparmor/policy_ns.c
...
@@ -26,7 +26,7 @@
...
@@ -26,7 +26,7 @@
#include "include/policy.h"
#include "include/policy.h"
/* root profile namespace */
/* root profile namespace */
struct
aa_n
amespace
*
root_ns
;
struct
aa_n
s
*
root_ns
;
const
char
*
aa_hidden_ns_name
=
"---"
;
const
char
*
aa_hidden_ns_name
=
"---"
;
/**
/**
...
@@ -36,7 +36,7 @@ const char *aa_hidden_ns_name = "---";
...
@@ -36,7 +36,7 @@ const char *aa_hidden_ns_name = "---";
*
*
* Returns: true if @view is visible from @curr else false
* Returns: true if @view is visible from @curr else false
*/
*/
bool
aa_ns_visible
(
struct
aa_n
amespace
*
curr
,
struct
aa_namespace
*
view
)
bool
aa_ns_visible
(
struct
aa_n
s
*
curr
,
struct
aa_ns
*
view
)
{
{
if
(
curr
==
view
)
if
(
curr
==
view
)
return
true
;
return
true
;
...
@@ -55,7 +55,7 @@ bool aa_ns_visible(struct aa_namespace *curr, struct aa_namespace *view)
...
@@ -55,7 +55,7 @@ bool aa_ns_visible(struct aa_namespace *curr, struct aa_namespace *view)
*
*
* Returns: name of @view visible from @curr
* Returns: name of @view visible from @curr
*/
*/
const
char
*
aa_ns_name
(
struct
aa_n
amespace
*
curr
,
struct
aa_namespace
*
view
)
const
char
*
aa_ns_name
(
struct
aa_n
s
*
curr
,
struct
aa_ns
*
view
)
{
{
/* if view == curr then the namespace name isn't displayed */
/* if view == curr then the namespace name isn't displayed */
if
(
curr
==
view
)
if
(
curr
==
view
)
...
@@ -75,16 +75,15 @@ const char *aa_ns_name(struct aa_namespace *curr, struct aa_namespace *view)
...
@@ -75,16 +75,15 @@ const char *aa_ns_name(struct aa_namespace *curr, struct aa_namespace *view)
}
}
/**
/**
* alloc_n
amespace
- allocate, initialize and return a new namespace
* alloc_n
s
- allocate, initialize and return a new namespace
* @prefix: parent namespace name (MAYBE NULL)
* @prefix: parent namespace name (MAYBE NULL)
* @name: a preallocated name (NOT NULL)
* @name: a preallocated name (NOT NULL)
*
*
* Returns: refcounted namespace or NULL on failure.
* Returns: refcounted namespace or NULL on failure.
*/
*/
static
struct
aa_namespace
*
alloc_namespace
(
const
char
*
prefix
,
static
struct
aa_ns
*
alloc_ns
(
const
char
*
prefix
,
const
char
*
name
)
const
char
*
name
)
{
{
struct
aa_n
amespace
*
ns
;
struct
aa_n
s
*
ns
;
ns
=
kzalloc
(
sizeof
(
*
ns
),
GFP_KERNEL
);
ns
=
kzalloc
(
sizeof
(
*
ns
),
GFP_KERNEL
);
AA_DEBUG
(
"%s(%p)
\n
"
,
__func__
,
ns
);
AA_DEBUG
(
"%s(%p)
\n
"
,
__func__
,
ns
);
...
@@ -96,7 +95,7 @@ static struct aa_namespace *alloc_namespace(const char *prefix,
...
@@ -96,7 +95,7 @@ static struct aa_namespace *alloc_namespace(const char *prefix,
INIT_LIST_HEAD
(
&
ns
->
sub_ns
);
INIT_LIST_HEAD
(
&
ns
->
sub_ns
);
mutex_init
(
&
ns
->
lock
);
mutex_init
(
&
ns
->
lock
);
/* released by
free_namespace
*/
/* released by
aa_free_ns()
*/
ns
->
unconfined
=
aa_alloc_profile
(
"unconfined"
);
ns
->
unconfined
=
aa_alloc_profile
(
"unconfined"
);
if
(
!
ns
->
unconfined
)
if
(
!
ns
->
unconfined
)
goto
fail_unconfined
;
goto
fail_unconfined
;
...
@@ -120,19 +119,19 @@ static struct aa_namespace *alloc_namespace(const char *prefix,
...
@@ -120,19 +119,19 @@ static struct aa_namespace *alloc_namespace(const char *prefix,
}
}
/**
/**
* aa_free_n
amespace
- free a profile namespace
* aa_free_n
s
- free a profile namespace
* @ns: the namespace to free (MAYBE NULL)
* @ns: the namespace to free (MAYBE NULL)
*
*
* Requires: All references to the namespace must have been put, if the
* Requires: All references to the namespace must have been put, if the
* namespace was referenced by a profile confining a task,
* namespace was referenced by a profile confining a task,
*/
*/
void
aa_free_n
amespace
(
struct
aa_namespace
*
ns
)
void
aa_free_n
s
(
struct
aa_ns
*
ns
)
{
{
if
(
!
ns
)
if
(
!
ns
)
return
;
return
;
aa_policy_destroy
(
&
ns
->
base
);
aa_policy_destroy
(
&
ns
->
base
);
aa_put_n
amespace
(
ns
->
parent
);
aa_put_n
s
(
ns
->
parent
);
ns
->
unconfined
->
ns
=
NULL
;
ns
->
unconfined
->
ns
=
NULL
;
aa_free_profile
(
ns
->
unconfined
);
aa_free_profile
(
ns
->
unconfined
);
...
@@ -140,7 +139,7 @@ void aa_free_namespace(struct aa_namespace *ns)
...
@@ -140,7 +139,7 @@ void aa_free_namespace(struct aa_namespace *ns)
}
}
/**
/**
* aa_find_n
amespace
- look up a profile namespace on the namespace list
* aa_find_n
s
- look up a profile namespace on the namespace list
* @root: namespace to search in (NOT NULL)
* @root: namespace to search in (NOT NULL)
* @name: name of namespace to find (NOT NULL)
* @name: name of namespace to find (NOT NULL)
*
*
...
@@ -149,27 +148,26 @@ void aa_free_namespace(struct aa_namespace *ns)
...
@@ -149,27 +148,26 @@ void aa_free_namespace(struct aa_namespace *ns)
*
*
* refcount released by caller
* refcount released by caller
*/
*/
struct
aa_namespace
*
aa_find_namespace
(
struct
aa_namespace
*
root
,
struct
aa_ns
*
aa_find_ns
(
struct
aa_ns
*
root
,
const
char
*
name
)
const
char
*
name
)
{
{
struct
aa_n
amespace
*
ns
=
NULL
;
struct
aa_n
s
*
ns
=
NULL
;
rcu_read_lock
();
rcu_read_lock
();
ns
=
aa_get_n
amespace
(
__aa_find_namespace
(
&
root
->
sub_ns
,
name
));
ns
=
aa_get_n
s
(
__aa_find_ns
(
&
root
->
sub_ns
,
name
));
rcu_read_unlock
();
rcu_read_unlock
();
return
ns
;
return
ns
;
}
}
/**
/**
* aa_prepare_n
amespace
- find an existing or create a new namespace of @name
* aa_prepare_n
s
- find an existing or create a new namespace of @name
* @name: the namespace to find or add (MAYBE NULL)
* @name: the namespace to find or add (MAYBE NULL)
*
*
* Returns: refcounted n
amespace
or NULL if failed to create one
* Returns: refcounted n
s
or NULL if failed to create one
*/
*/
struct
aa_n
amespace
*
aa_prepare_namespace
(
const
char
*
name
)
struct
aa_n
s
*
aa_prepare_ns
(
const
char
*
name
)
{
{
struct
aa_n
amespace
*
ns
,
*
root
;
struct
aa_n
s
*
ns
,
*
root
;
root
=
aa_current_profile
()
->
ns
;
root
=
aa_current_profile
()
->
ns
;
...
@@ -178,28 +176,28 @@ struct aa_namespace *aa_prepare_namespace(const char *name)
...
@@ -178,28 +176,28 @@ struct aa_namespace *aa_prepare_namespace(const char *name)
/* if name isn't specified the profile is loaded to the current ns */
/* if name isn't specified the profile is loaded to the current ns */
if
(
!
name
)
{
if
(
!
name
)
{
/* released by caller */
/* released by caller */
ns
=
aa_get_n
amespace
(
root
);
ns
=
aa_get_n
s
(
root
);
goto
out
;
goto
out
;
}
}
/* try and find the specified ns and if it doesn't exist create it */
/* try and find the specified ns and if it doesn't exist create it */
/* released by caller */
/* released by caller */
ns
=
aa_get_n
amespace
(
__aa_find_namespace
(
&
root
->
sub_ns
,
name
));
ns
=
aa_get_n
s
(
__aa_find_ns
(
&
root
->
sub_ns
,
name
));
if
(
!
ns
)
{
if
(
!
ns
)
{
ns
=
alloc_n
amespace
(
root
->
base
.
hname
,
name
);
ns
=
alloc_n
s
(
root
->
base
.
hname
,
name
);
if
(
!
ns
)
if
(
!
ns
)
goto
out
;
goto
out
;
if
(
__aa_fs_n
amespace
_mkdir
(
ns
,
ns_subns_dir
(
root
),
name
))
{
if
(
__aa_fs_n
s
_mkdir
(
ns
,
ns_subns_dir
(
root
),
name
))
{
AA_ERROR
(
"Failed to create interface for ns %s
\n
"
,
AA_ERROR
(
"Failed to create interface for ns %s
\n
"
,
ns
->
base
.
name
);
ns
->
base
.
name
);
aa_free_n
amespace
(
ns
);
aa_free_n
s
(
ns
);
ns
=
NULL
;
ns
=
NULL
;
goto
out
;
goto
out
;
}
}
ns
->
parent
=
aa_get_n
amespace
(
root
);
ns
->
parent
=
aa_get_n
s
(
root
);
list_add_rcu
(
&
ns
->
base
.
list
,
&
root
->
sub_ns
);
list_add_rcu
(
&
ns
->
base
.
list
,
&
root
->
sub_ns
);
/* add list ref */
/* add list ref */
aa_get_n
amespace
(
ns
);
aa_get_n
s
(
ns
);
}
}
out:
out:
mutex_unlock
(
&
root
->
lock
);
mutex_unlock
(
&
root
->
lock
);
...
@@ -211,10 +209,10 @@ struct aa_namespace *aa_prepare_namespace(const char *name)
...
@@ -211,10 +209,10 @@ struct aa_namespace *aa_prepare_namespace(const char *name)
static
void
__ns_list_release
(
struct
list_head
*
head
);
static
void
__ns_list_release
(
struct
list_head
*
head
);
/**
/**
* destroy_n
amespace
- remove everything contained by @ns
* destroy_n
s
- remove everything contained by @ns
* @ns: n
amespace
to have it contents removed (NOT NULL)
* @ns: n
s
to have it contents removed (NOT NULL)
*/
*/
static
void
destroy_n
amespace
(
struct
aa_namespace
*
ns
)
static
void
destroy_n
s
(
struct
aa_ns
*
ns
)
{
{
if
(
!
ns
)
if
(
!
ns
)
return
;
return
;
...
@@ -228,22 +226,22 @@ static void destroy_namespace(struct aa_namespace *ns)
...
@@ -228,22 +226,22 @@ static void destroy_namespace(struct aa_namespace *ns)
if
(
ns
->
parent
)
if
(
ns
->
parent
)
__aa_update_replacedby
(
ns
->
unconfined
,
ns
->
parent
->
unconfined
);
__aa_update_replacedby
(
ns
->
unconfined
,
ns
->
parent
->
unconfined
);
__aa_fs_n
amespace
_rmdir
(
ns
);
__aa_fs_n
s
_rmdir
(
ns
);
mutex_unlock
(
&
ns
->
lock
);
mutex_unlock
(
&
ns
->
lock
);
}
}
/**
/**
* __aa_remove_n
amespace
- remove a namespace and all its children
* __aa_remove_n
s
- remove a namespace and all its children
* @ns: namespace to be removed (NOT NULL)
* @ns: namespace to be removed (NOT NULL)
*
*
* Requires: ns->parent->lock be held and ns removed from parent.
* Requires: ns->parent->lock be held and ns removed from parent.
*/
*/
void
__aa_remove_n
amespace
(
struct
aa_namespace
*
ns
)
void
__aa_remove_n
s
(
struct
aa_ns
*
ns
)
{
{
/* remove ns from namespace list */
/* remove ns from namespace list */
list_del_rcu
(
&
ns
->
base
.
list
);
list_del_rcu
(
&
ns
->
base
.
list
);
destroy_n
amespace
(
ns
);
destroy_n
s
(
ns
);
aa_put_n
amespace
(
ns
);
aa_put_n
s
(
ns
);
}
}
/**
/**
...
@@ -254,15 +252,15 @@ void __aa_remove_namespace(struct aa_namespace *ns)
...
@@ -254,15 +252,15 @@ void __aa_remove_namespace(struct aa_namespace *ns)
*/
*/
static
void
__ns_list_release
(
struct
list_head
*
head
)
static
void
__ns_list_release
(
struct
list_head
*
head
)
{
{
struct
aa_n
amespace
*
ns
,
*
tmp
;
struct
aa_n
s
*
ns
,
*
tmp
;
list_for_each_entry_safe
(
ns
,
tmp
,
head
,
base
.
list
)
list_for_each_entry_safe
(
ns
,
tmp
,
head
,
base
.
list
)
__aa_remove_n
amespace
(
ns
);
__aa_remove_n
s
(
ns
);
}
}
/**
/**
* aa_alloc_root_ns - allocate the root profile namesp
ac
e
* aa_alloc_root_ns - allocate the root profile namesp
ca
e
*
*
* Returns: %0 on success else error
* Returns: %0 on success else error
*
*
...
@@ -270,7 +268,7 @@ static void __ns_list_release(struct list_head *head)
...
@@ -270,7 +268,7 @@ static void __ns_list_release(struct list_head *head)
int
__init
aa_alloc_root_ns
(
void
)
int
__init
aa_alloc_root_ns
(
void
)
{
{
/* released by aa_free_root_ns - used as list ref*/
/* released by aa_free_root_ns - used as list ref*/
root_ns
=
alloc_n
amespace
(
NULL
,
"root"
);
root_ns
=
alloc_n
s
(
NULL
,
"root"
);
if
(
!
root_ns
)
if
(
!
root_ns
)
return
-
ENOMEM
;
return
-
ENOMEM
;
...
@@ -282,10 +280,10 @@ int __init aa_alloc_root_ns(void)
...
@@ -282,10 +280,10 @@ int __init aa_alloc_root_ns(void)
*/
*/
void
__init
aa_free_root_ns
(
void
)
void
__init
aa_free_root_ns
(
void
)
{
{
struct
aa_n
amespace
*
ns
=
root_ns
;
struct
aa_n
s
*
ns
=
root_ns
;
root_ns
=
NULL
;
root_ns
=
NULL
;
destroy_n
amespace
(
ns
);
destroy_n
s
(
ns
);
aa_put_n
amespace
(
ns
);
aa_put_n
s
(
ns
);
}
}
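Review bot: The kernel-doc line for `aa_alloc_root_ns` in the `@@ -254,15 +252,15 @@` hunk changes from "namespace" to what reads as "namespcae" (the tokens `namesp`, `ca`, `e`); if that is the new side, as the rendered print order suggests, this commit introduces a spelling error in a comment the rename does not otherwise touch, and the line should read ` * aa_alloc_root_ns - allocate the root profile namespace`. The rest of this section is the mechanical `aa_namespace` to `aa_ns` rename and needs no change.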
security/apparmor/procattr.c
...
@@ -40,8 +40,8 @@ int aa_getprocattr(struct aa_profile *profile, char **string)
...
@@ -40,8 +40,8 @@ int aa_getprocattr(struct aa_profile *profile, char **string)
int
len
=
0
,
mode_len
=
0
,
ns_len
=
0
,
name_len
;
int
len
=
0
,
mode_len
=
0
,
ns_len
=
0
,
name_len
;
const
char
*
mode_str
=
aa_profile_mode_names
[
profile
->
mode
];
const
char
*
mode_str
=
aa_profile_mode_names
[
profile
->
mode
];
const
char
*
ns_name
=
NULL
;
const
char
*
ns_name
=
NULL
;
struct
aa_n
amespace
*
ns
=
profile
->
ns
;
struct
aa_n
s
*
ns
=
profile
->
ns
;
struct
aa_n
amespace
*
current_ns
=
__aa_current_profile
()
->
ns
;
struct
aa_n
s
*
current_ns
=
__aa_current_profile
()
->
ns
;
char
*
s
;
char
*
s
;
if
(
!
aa_ns_visible
(
current_ns
,
ns
))
if
(
!
aa_ns_visible
(
current_ns
,
ns
))
...
...