
apparmor: refactor code that alloc null profiles

Both unconfined and learning profiles use the null profile as their
base. Refactor so they share a common base routine. This doesn't
save much at the moment but will be important when the feature set of the
parent is inherited.

Signed-off-by: John Johansen <john.johansen@canonical.com>

+43 -28
+6 -6
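--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -681,8 +681,8 @@
 /* no exec permission - learning mode */
 struct aa_profile *new_profile = NULL;
 
-new_profile = aa_new_null_profile(profile, false, name,
-GFP_KERNEL);
+new_profile = aa_new_learning_profile(profile, false, name,
+GFP_KERNEL);
 if (!new_profile) {
 error = -ENOMEM;
 info = "could not create null profile";
@@ -1009,8 +1009,8 @@
 if (!hat) {
 error = -ENOENT;
 if (COMPLAIN_MODE(profile)) {
-hat = aa_new_null_profile(profile, true, name,
-GFP_KERNEL);
+hat = aa_new_learning_profile(profile, true, name,
+GFP_KERNEL);
 if (!hat) {
 info = "failed null profile create";
 error = -ENOMEM;
@@ -1361,8 +1361,8 @@
 !COMPLAIN_MODE(labels_profile(label)))
 goto audit;
 /* released below */
-tprofile = aa_new_null_profile(labels_profile(label), false,
-fqname, GFP_KERNEL);
+tprofile = aa_new_learning_profile(labels_profile(label), false,
+fqname, GFP_KERNEL);
 if (!tprofile) {
 info = "failed null profile create";
 error = -ENOMEM;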
+4 -2
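--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -234,8 +234,10 @@
 struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp);
 struct aa_profile *aa_alloc_profile(const char *name, struct aa_proxy *proxy,
 gfp_t gfp);
-struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
-const char *base, gfp_t gfp);
+struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
+gfp_t gfp);
+struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat,
+const char *base, gfp_t gfp);
 void aa_free_profile(struct aa_profile *profile);
 void aa_free_profile_kref(struct kref *kref);
 struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name);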
+32 -15
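--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -524,8 +524,36 @@
 return profile;
 }
 
+
+struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
+gfp_t gfp)
+{
+struct aa_profile *profile;
+struct aa_ruleset *rules;
+
+profile = aa_alloc_profile(name, NULL, gfp);
+if (!profile)
+return NULL;
+
+/* TODO: ideally we should inherit abi from parent */
+profile->label.flags |= FLAG_NULL;
+rules = list_first_entry(&profile->rules, typeof(*rules), list);
+rules->file.dfa = aa_get_dfa(nulldfa);
+rules->policy.dfa = aa_get_dfa(nulldfa);
+
+if (parent) {
+profile->path_flags = parent->path_flags;
+
+/* released on free_profile */
+rcu_assign_pointer(profile->parent, aa_get_profile(parent));
+profile->ns = aa_get_ns(parent->ns);
+}
+
+return profile;
+}
+
 /**
- * aa_new_null_profile - create or find a null-X learning profile
+ * aa_new_learning_profile - create or find a null-X learning profile
  * @parent: profile that caused this profile to be created (NOT NULL)
  * @hat: true if the null- learning profile is a hat
  * @base: name to base the null profile off of
@@ -542,10 +570,9 @@
  *
  * Returns: new refcounted profile else NULL on failure
  */
-struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
-const char *base, gfp_t gfp)
+struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat,
+const char *base, gfp_t gfp)
 {
-struct aa_ruleset *rules;
 struct aa_profile *p, *profile;
 const char *bname;
 char *name = NULL;
@@ -575,22 +602,12 @@
 if (profile)
 goto out;
 
-profile = aa_alloc_profile(name, NULL, gfp);
+profile = aa_alloc_null(parent, name, gfp);
 if (!profile)
 goto fail;
-
 profile->mode = APPARMOR_COMPLAIN;
-profile->label.flags |= FLAG_NULL;
 if (hat)
 profile->label.flags |= FLAG_HAT;
-profile->path_flags = parent->path_flags;
-
-/* released on free_profile */
-rcu_assign_pointer(profile->parent, aa_get_profile(parent));
-profile->ns = aa_get_ns(parent->ns);
-rules = list_first_entry(&profile->rules, typeof(*rules), list);
-rules->file.dfa = aa_get_dfa(nulldfa);
-rules->policy.dfa = aa_get_dfa(nulldfa);
 
 mutex_lock_nested(&profile->ns->lock, profile->ns->level);
 p = __find_child(&parent->base.profiles, bname);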
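Review bot: aa_alloc_null, added in the hunk at 524, is a new routine exported through policy.h but has no kerneldoc, while the adjacent aa_new_learning_profile documents every parameter and its return. Add a block along the lines of `/** aa_alloc_null - allocate a null profile based on @parent`, ` * @parent: profile to base the null profile on, or NULL for the unconfined profile (alloc_unconfined passes NULL)`, and ` * Returns: new refcounted profile, holding references to @parent and its ns when @parent is set, else NULL on failure`, and state that the caller is expected to set mode and any extra label flags. The `/* TODO: ideally we should inherit abi from parent */` comment sits above the FLAG_NULL assignment, which it does not describe; it belongs inside the `if (parent)` block where the inherited state is copied, or in the docstring as a note that @parent's feature set is not yet inherited.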
+1 -5
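--- a/security/apparmor/policy_ns.c
+++ b/security/apparmor/policy_ns.c
@@ -83,18 +83,14 @@
 static struct aa_profile *alloc_unconfined(const char *name)
 {
 struct aa_profile *profile;
-struct aa_ruleset *rules;
 
-profile = aa_alloc_profile(name, NULL, GFP_KERNEL);
+profile = aa_alloc_null(NULL, name, GFP_KERNEL);
 if (!profile)
 return NULL;
 
 profile->label.flags |= FLAG_IX_ON_NAME_ERROR |
 FLAG_IMMUTIBLE | FLAG_NS_COUNT | FLAG_UNCONFINED;
 profile->mode = APPARMOR_UNCONFINED;
-rules = list_first_entry(&profile->rules, typeof(*rules), list);
-rules->file.dfa = aa_get_dfa(nulldfa);
-rules->policy.dfa = aa_get_dfa(nulldfa);
 
 return profile;
 }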
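Review bot: The unconfined profile built here now carries FLAG_NULL in its label flags, because aa_alloc_null sets `profile->label.flags |= FLAG_NULL;` unconditionally before alloc_unconfined ORs in FLAG_UNCONFINED and the other flags, whereas the removed code never set FLAG_NULL on unconfined. The commit message presents this as a pure refactor, so the change is at least undocumented; any code that treats FLAG_NULL labels specially (label merging, audit or display paths) would now also see the unconfined profile, the most privileged profile in a namespace, as a null profile. Either confirm that is intended and say so in the commit message, or clear it on this path with `profile->label.flags &= ~FLAG_NULL;` after the flag assignment, or set FLAG_NULL in aa_alloc_null only under its `if (parent)` branch, since every learning-profile caller in domain.c passes a non-NULL parent.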