Commit 58f89ce5 authored by John Johansen's avatar John Johansen
Browse files

apparmor: refactor code that alloc null profiles 



Bother unconfined and learning profiles use the null profile as their
base. Refactor so they are share a common base routine. This doesn't
save much atm but will be important when the feature set of the
parent is inherited.

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 1f2bc06a

security/apparmor/domain.c

+6 −6
Original line number Diff line number Diff line
@@ -681,7 +681,7 @@ static struct aa_label *profile_transition(struct aa_profile *profile, 
		/* no exec permission - learning mode */

		struct aa_profile *new_profile = NULL;



		new_profile = aa_new_null_profile(profile, false, name,

		new_profile = aa_new_learning_profile(profile, false, name,

						      GFP_KERNEL);

		if (!new_profile) {

			error = -ENOMEM;
@@ -1009,7 +1009,7 @@ static struct aa_label *build_change_hat(struct aa_profile *profile, 
	if (!hat) {

		error = -ENOENT;

		if (COMPLAIN_MODE(profile)) {

			hat = aa_new_null_profile(profile, true, name,

			hat = aa_new_learning_profile(profile, true, name,

						      GFP_KERNEL);

			if (!hat) {

				info = "failed null profile create";
@@ -1361,7 +1361,7 @@ int aa_change_profile(const char *fqname, int flags) 
		    !COMPLAIN_MODE(labels_profile(label)))

			goto audit;

		/* released below */

		tprofile = aa_new_null_profile(labels_profile(label), false,

		tprofile = aa_new_learning_profile(labels_profile(label), false,

						   fqname, GFP_KERNEL);

		if (!tprofile) {

			info = "failed null profile create";

security/apparmor/include/policy.h

+4 −2
Original line number Diff line number Diff line
@@ -234,7 +234,9 @@ void aa_free_proxy_kref(struct kref *kref); 
struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp);

struct aa_profile *aa_alloc_profile(const char *name, struct aa_proxy *proxy,

				    gfp_t gfp);

struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,

struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,

				 gfp_t gfp);

struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat,

					   const char *base, gfp_t gfp);

void aa_free_profile(struct aa_profile *profile);

void aa_free_profile_kref(struct kref *kref);

security/apparmor/policy.c

+32 −15
Original line number Diff line number Diff line
@@ -524,8 +524,36 @@ struct aa_profile *aa_fqlookupn_profile(struct aa_label *base, 
	return profile;

}





struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,

				 gfp_t gfp)

{

	struct aa_profile *profile;

	struct aa_ruleset *rules;



	profile = aa_alloc_profile(name, NULL, gfp);

	if (!profile)

		return NULL;



	/* TODO: ideally we should inherit abi from parent */

	profile->label.flags |= FLAG_NULL;

	rules = list_first_entry(&profile->rules, typeof(*rules), list);

	rules->file.dfa = aa_get_dfa(nulldfa);

	rules->policy.dfa = aa_get_dfa(nulldfa);



	if (parent) {

		profile->path_flags = parent->path_flags;



		/* released on free_profile */

		rcu_assign_pointer(profile->parent, aa_get_profile(parent));

		profile->ns = aa_get_ns(parent->ns);

	}



	return profile;

}



/**

 * aa_new_null_profile - create or find a null-X learning profile

 * aa_new_learning_profile - create or find a null-X learning profile

 * @parent: profile that caused this profile to be created (NOT NULL)

 * @hat: true if the null- learning profile is a hat

 * @base: name to base the null profile off of
@@ -542,10 +570,9 @@ struct aa_profile *aa_fqlookupn_profile(struct aa_label *base, 
 *

 * Returns: new refcounted profile else NULL on failure

 */

struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,

struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat,

					   const char *base, gfp_t gfp)

{

	struct aa_ruleset *rules;

	struct aa_profile *p, *profile;

	const char *bname;

	char *name = NULL;
@@ -575,22 +602,12 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat, 
	if (profile)

		goto out;



	profile = aa_alloc_profile(name, NULL, gfp);

	profile = aa_alloc_null(parent, name, gfp);

	if (!profile)

		goto fail;



	profile->mode = APPARMOR_COMPLAIN;

	profile->label.flags |= FLAG_NULL;

	if (hat)

		profile->label.flags |= FLAG_HAT;

	profile->path_flags = parent->path_flags;



	/* released on free_profile */

	rcu_assign_pointer(profile->parent, aa_get_profile(parent));

	profile->ns = aa_get_ns(parent->ns);

	rules = list_first_entry(&profile->rules, typeof(*rules), list);

	rules->file.dfa = aa_get_dfa(nulldfa);

	rules->policy.dfa = aa_get_dfa(nulldfa);



	mutex_lock_nested(&profile->ns->lock, profile->ns->level);

	p = __find_child(&parent->base.profiles, bname);

security/apparmor/policy_ns.c

+1 −5
Original line number Diff line number Diff line
@@ -83,18 +83,14 @@ const char *aa_ns_name(struct aa_ns *curr, struct aa_ns *view, bool subns) 
static struct aa_profile *alloc_unconfined(const char *name)

{

	struct aa_profile *profile;

	struct aa_ruleset *rules;



	profile = aa_alloc_profile(name, NULL, GFP_KERNEL);

	profile = aa_alloc_null(NULL, name, GFP_KERNEL);

	if (!profile)

		return NULL;



	profile->label.flags |= FLAG_IX_ON_NAME_ERROR |

		FLAG_IMMUTIBLE | FLAG_NS_COUNT | FLAG_UNCONFINED;

	profile->mode = APPARMOR_UNCONFINED;

	rules = list_first_entry(&profile->rules, typeof(*rules), list);

	rules->file.dfa = aa_get_dfa(nulldfa);

	rules->policy.dfa = aa_get_dfa(nulldfa);



	return profile;

}