apparmor: transition from a list of rules to a vector of rules
The set of rules on a profile is not dynamically extended; instead, if a new ruleset is needed, a new version of the profile is created. This allows us to use a vector of rules instead of a list, slightly reducing memory usage and simplifying the code. Signed-off-by: John Johansen <john.johansen@canonical.com>
@@ -202,8 +202,7 @@ static int profile_create_perm(struct aa_profile *profile, int family,
|
||||
int type, int protocol,
|
||||
struct apparmor_audit_data *ad)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
aa_state_t state;
|
||||
|
||||
AA_BUG(!profile);
|
||||
@@ -227,9 +226,7 @@ static int profile_sk_perm(struct aa_profile *profile,
|
||||
struct apparmor_audit_data *ad,
|
||||
u32 request, struct sock *sk, struct path *path)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules),
|
||||
list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
struct aa_perms *p = NULL;
|
||||
aa_state_t state;
|
||||
|
||||
@@ -257,8 +254,7 @@ static int profile_sk_perm(struct aa_profile *profile,
|
||||
static int profile_bind_perm(struct aa_profile *profile, struct sock *sk,
|
||||
struct apparmor_audit_data *ad)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
struct aa_perms *p = NULL;
|
||||
aa_state_t state;
|
||||
|
||||
@@ -289,8 +285,7 @@ static int profile_bind_perm(struct aa_profile *profile, struct sock *sk,
|
||||
static int profile_listen_perm(struct aa_profile *profile, struct sock *sk,
|
||||
int backlog, struct apparmor_audit_data *ad)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
struct aa_perms *p = NULL;
|
||||
aa_state_t state;
|
||||
|
||||
@@ -327,8 +322,7 @@ static int profile_accept_perm(struct aa_profile *profile,
|
||||
struct sock *sk,
|
||||
struct apparmor_audit_data *ad)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
struct aa_perms *p = NULL;
|
||||
aa_state_t state;
|
||||
|
||||
@@ -358,8 +352,7 @@ static int profile_opt_perm(struct aa_profile *profile, u32 request,
|
||||
struct sock *sk, int optname,
|
||||
struct apparmor_audit_data *ad)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
struct aa_perms *p = NULL;
|
||||
aa_state_t state;
|
||||
|
||||
@@ -399,8 +392,7 @@ static int profile_peer_perm(struct aa_profile *profile, u32 request,
|
||||
struct aa_label *peer_label,
|
||||
struct apparmor_audit_data *ad)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
struct aa_perms *p = NULL;
|
||||
aa_state_t state;
|
||||
|
||||
|
||||
@@ -612,8 +612,7 @@ static const struct file_operations aa_fs_ns_revision_fops = {
|
||||
static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
|
||||
const char *match_str, size_t match_len)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
struct aa_perms tmp = { };
|
||||
aa_state_t state = DFA_NOMATCH;
|
||||
|
||||
|
||||
@@ -69,8 +69,7 @@ static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile
|
||||
{
|
||||
const u64 AUDIT_CACHE_TIMEOUT_NS = 1000*1000*1000; /* 1 second */
|
||||
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
struct audit_cache *ent;
|
||||
int type = AUDIT_APPARMOR_AUTO;
|
||||
|
||||
@@ -122,8 +121,7 @@ static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile
|
||||
static int profile_capable(struct aa_profile *profile, int cap,
|
||||
unsigned int opts, struct apparmor_audit_data *ad)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
aa_state_t state;
|
||||
int error;
|
||||
|
||||
@@ -195,8 +193,7 @@ int aa_capable(const struct cred *subj_cred, struct aa_label *label,
|
||||
|
||||
kernel_cap_t aa_profile_capget(struct aa_profile *profile)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
aa_state_t state;
|
||||
|
||||
state = RULE_MEDIATES(rules, AA_CLASS_CAP);
|
||||
|
||||
@@ -93,8 +93,7 @@ static inline aa_state_t match_component(struct aa_profile *profile,
|
||||
struct aa_profile *tp,
|
||||
bool stack, aa_state_t state)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
const char *ns_name;
|
||||
|
||||
if (stack)
|
||||
@@ -131,8 +130,7 @@ static int label_compound_match(struct aa_profile *profile,
|
||||
aa_state_t state, bool subns, u32 request,
|
||||
struct aa_perms *perms)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
struct aa_profile *tp;
|
||||
struct label_it i;
|
||||
struct path_cond cond = { };
|
||||
@@ -194,8 +192,7 @@ static int label_components_match(struct aa_profile *profile,
|
||||
aa_state_t start, bool subns, u32 request,
|
||||
struct aa_perms *perms)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
struct aa_profile *tp;
|
||||
struct label_it i;
|
||||
struct aa_perms tmp;
|
||||
@@ -520,8 +517,7 @@ static const char *next_name(int xtype, const char *name)
|
||||
struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex,
|
||||
const char **name)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
struct aa_label *label = NULL;
|
||||
u32 xtype = xindex & AA_X_TYPE_MASK;
|
||||
int index = xindex & AA_X_INDEX_MASK;
|
||||
@@ -575,8 +571,6 @@ static struct aa_label *x_to_label(struct aa_profile *profile,
|
||||
const char **lookupname,
|
||||
const char **info)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_label *new = NULL;
|
||||
struct aa_label *stack = NULL;
|
||||
struct aa_ns *ns = profile->ns;
|
||||
@@ -668,8 +662,7 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
|
||||
char *buffer, struct path_cond *cond,
|
||||
bool *secure_exec)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
struct aa_label *new = NULL;
|
||||
struct aa_profile *new_profile = NULL;
|
||||
const char *info = NULL, *name = NULL, *target = NULL;
|
||||
@@ -802,8 +795,7 @@ static int profile_onexec(const struct cred *subj_cred,
|
||||
char *buffer, struct path_cond *cond,
|
||||
bool *secure_exec)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
aa_state_t state = rules->file->start[AA_CLASS_FILE];
|
||||
struct aa_perms perms = {};
|
||||
const char *xname = NULL, *info = "change_profile onexec";
|
||||
@@ -1361,8 +1353,7 @@ static int change_profile_perms_wrapper(const char *op, const char *name,
|
||||
struct aa_label *target, bool stack,
|
||||
u32 request, struct aa_perms *perms)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
const char *info = NULL;
|
||||
int error = 0;
|
||||
|
||||
|
||||
@@ -223,8 +223,7 @@ int __aa_path_perm(const char *op, const struct cred *subj_cred,
|
||||
u32 request, struct path_cond *cond, int flags,
|
||||
struct aa_perms *perms)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
int e = 0;
|
||||
|
||||
if (profile_unconfined(profile) ||
|
||||
@@ -323,8 +322,7 @@ static int profile_path_link(const struct cred *subj_cred,
|
||||
const struct path *target, char *buffer2,
|
||||
struct path_cond *cond)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
const char *lname, *tname = NULL;
|
||||
struct aa_perms lperms = {}, perms;
|
||||
const char *info = NULL;
|
||||
|
||||
@@ -19,6 +19,7 @@
|
||||
#include "lib.h"
|
||||
|
||||
struct aa_ns;
|
||||
struct aa_ruleset;
|
||||
|
||||
#define LOCAL_VEC_ENTRIES 8
|
||||
#define DEFINE_VEC(T, V) \
|
||||
@@ -109,7 +110,7 @@ struct label_it {
|
||||
int i, j;
|
||||
};
|
||||
|
||||
/* struct aa_label - lazy labeling struct
|
||||
/* struct aa_label_base - base info of label
|
||||
* @count: ref count of active users
|
||||
* @node: rbtree position
|
||||
* @rcu: rcu callback struct
|
||||
@@ -118,7 +119,10 @@ struct label_it {
|
||||
* @flags: stale and other flags - values may change under label set lock
|
||||
* @secid: secid that references this label
|
||||
* @size: number of entries in @ent[]
|
||||
* @ent: set of profiles for label, actual size determined by @size
|
||||
* @mediates: bitmask for label_mediates
|
||||
* profile: label vec when embedded in a profile FLAG_PROFILE is set
|
||||
* rules: variable length rules in a profile FLAG_PROFILE is set
|
||||
* vec: vector of profiles comprising the compound label
|
||||
*/
|
||||
struct aa_label {
|
||||
struct kref count;
|
||||
@@ -130,7 +134,17 @@ struct aa_label {
|
||||
u32 secid;
|
||||
int size;
|
||||
u64 mediates;
|
||||
struct aa_profile *vec[];
|
||||
union {
|
||||
struct {
|
||||
/* only used is the label is a profile, size of
|
||||
* rules[] is determined by the profile
|
||||
* profile[1] is poison or null as guard
|
||||
*/
|
||||
struct aa_profile *profile[2];
|
||||
DECLARE_FLEX_ARRAY(struct aa_ruleset *, rules);
|
||||
};
|
||||
DECLARE_FLEX_ARRAY(struct aa_profile *, vec);
|
||||
};
|
||||
};
|
||||
|
||||
#define last_error(E, FN) \
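Review bot: The union comment starting `/* only used is the label is a profile` should state what the layout actually implies: `rules[]` begins at the offset of `vec[2]`, so a label carrying FLAG_PROFILE must keep `size == 1` with `profile[1]` as the terminating guard, otherwise a vec walk would step into ruleset pointers. I would reword those three comment lines to `/* only used if the label is a profile: profile[0] is the profile, profile[1] is NULL/poison as the vec guard, rules[] (sized by the profile's n_rules) overlays vec[2..] */`, which also fixes the "is the label" typo. In the kernel-doc block above, the new `profile:`, `rules:` and `vec:` entries lack the `@` marker every other field in that block uses, so they will not be picked up as member documentation.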
|
||||
|
||||
@@ -165,8 +165,6 @@ struct aa_data {
|
||||
* @secmark: secmark label match info
|
||||
*/
|
||||
struct aa_ruleset {
|
||||
struct list_head list;
|
||||
|
||||
int size;
|
||||
|
||||
/* TODO: merge policy and file */
|
||||
@@ -180,6 +178,7 @@ struct aa_ruleset {
|
||||
struct aa_secmark *secmark;
|
||||
};
|
||||
|
||||
|
||||
/* struct aa_attachment - data and rules for a profiles attachment
|
||||
* @list:
|
||||
* @xmatch_str: human readable attachment string
|
||||
@@ -218,6 +217,7 @@ struct aa_attachment {
|
||||
* @dents: set of dentries associated with the profile
|
||||
* @data: hashtable for free-form policy aa_data
|
||||
* @label - label this profile is an extension of
|
||||
* @rules - label with the rule vec on its end
|
||||
*
|
||||
* The AppArmor profile contains the basic confinement data. Each profile
|
||||
* has a name, and exists in a namespace. The @name and @exec_match are
|
||||
@@ -245,7 +245,6 @@ struct aa_profile {
|
||||
const char *disconnected;
|
||||
|
||||
struct aa_attachment attach;
|
||||
struct list_head rules;
|
||||
|
||||
struct aa_loaddata *rawdata;
|
||||
unsigned char *hash;
|
||||
@@ -253,6 +252,7 @@ struct aa_profile {
|
||||
struct dentry *dents[AAFS_PROF_SIZEOF];
|
||||
struct rhashtable *data;
|
||||
|
||||
int n_rules;
|
||||
/* special - variable length must be last entry in profile */
|
||||
struct aa_label label;
|
||||
};
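Review bot: `int n_rules;` is added to struct aa_profile without a kernel-doc entry, while the doc block earlier in this commit gains `@rules - label with the rule vec on its end` even though the `rules` list head is removed from the struct in the same commit, so `@rules` now documents a member that does not exist. Suggest `* @n_rules: number of entries in label.rules[]` and replacing the `@rules` line with a sentence on the `@label` entry, e.g. `* @label - label this profile is an extension of; its rules[] vector holds the profile's n_rules rulesets`. The start of struct aa_profile is outside the hunk.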
|
||||
@@ -332,16 +332,6 @@ static inline aa_state_t RULE_MEDIATES_NET(struct aa_ruleset *rules)
|
||||
}
|
||||
|
||||
|
||||
static inline aa_state_t ANY_RULE_MEDIATES(struct list_head *head,
|
||||
unsigned char class)
|
||||
{
|
||||
struct aa_ruleset *rule;
|
||||
|
||||
/* TODO: change to list walk */
|
||||
rule = list_first_entry(head, typeof(*rule), list);
|
||||
return RULE_MEDIATES(rule, class);
|
||||
}
|
||||
|
||||
void aa_compute_profile_mediates(struct aa_profile *profile);
|
||||
static inline bool profile_mediates(struct aa_profile *profile,
|
||||
unsigned char class)
|
||||
|
||||
@@ -80,8 +80,7 @@ static int profile_signal_perm(const struct cred *cred,
|
||||
struct aa_label *peer, u32 request,
|
||||
struct apparmor_audit_data *ad)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
struct aa_perms perms;
|
||||
aa_state_t state;
|
||||
|
||||
|
||||
@@ -182,8 +182,7 @@ static int apparmor_capget(const struct task_struct *target, kernel_cap_t *effec
|
||||
struct aa_ruleset *rules;
|
||||
kernel_cap_t allowed;
|
||||
|
||||
rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
rules = profile->label.rules[0];
|
||||
allowed = aa_profile_capget(profile);
|
||||
*effective = cap_intersect(*effective, allowed);
|
||||
*permitted = cap_intersect(*permitted, allowed);
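Review bot: `rules = profile->label.rules[0];` leaves `rules` assigned but never read in the visible lines; `aa_profile_capget(profile)` takes the profile itself, so the local serves no purpose in this hunk. If the remainder of the loop body (outside the hunk) does not use it either, drop the `struct aa_ruleset *rules;` declaration and the assignment instead of carrying a set-but-unused variable through the conversion, which otherwise draws a -Wunused-but-set-variable warning. The enclosing function continues past both edges of the hunk.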
|
||||
@@ -636,7 +635,7 @@ static int profile_uring(struct aa_profile *profile, u32 request,
|
||||
|
||||
AA_BUG(!profile);
|
||||
|
||||
rules = list_first_entry(&profile->rules, typeof(*rules), list);
|
||||
rules = profile->label.rules[0];
|
||||
state = RULE_MEDIATES(rules, AA_CLASS_IO_URING);
|
||||
if (state) {
|
||||
struct aa_perms perms = { };
|
||||
|
||||
@@ -311,8 +311,7 @@ static int match_mnt_path_str(const struct cred *subj_cred,
|
||||
{
|
||||
struct aa_perms perms = { };
|
||||
const char *mntpnt = NULL, *info = NULL;
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
int pos, error;
|
||||
|
||||
AA_BUG(!profile);
|
||||
@@ -371,8 +370,7 @@ static int match_mnt(const struct cred *subj_cred,
|
||||
bool binary)
|
||||
{
|
||||
const char *devname = NULL, *info = NULL;
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
int error = -EACCES;
|
||||
|
||||
AA_BUG(!profile);
|
||||
@@ -604,8 +602,7 @@ static int profile_umount(const struct cred *subj_cred,
|
||||
struct aa_profile *profile, const struct path *path,
|
||||
char *buffer)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
struct aa_perms perms = { };
|
||||
const char *name = NULL, *info = NULL;
|
||||
aa_state_t state;
|
||||
@@ -668,8 +665,7 @@ static struct aa_label *build_pivotroot(const struct cred *subj_cred,
|
||||
const struct path *old_path,
|
||||
char *old_buffer)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
const char *old_name, *new_name = NULL, *info = NULL;
|
||||
const char *trans_name = NULL;
|
||||
struct aa_perms perms = { };
|
||||
|
||||
@@ -251,8 +251,7 @@ int aa_profile_af_perm(struct aa_profile *profile,
|
||||
struct apparmor_audit_data *ad, u32 request, u16 family,
|
||||
int type, int protocol)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
struct aa_perms *p = NULL;
|
||||
aa_state_t state;
|
||||
|
||||
@@ -362,8 +361,7 @@ static int aa_secmark_perm(struct aa_profile *profile, u32 request, u32 secid,
|
||||
{
|
||||
int i, ret;
|
||||
struct aa_perms perms = { };
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
|
||||
if (rules->secmark_count == 0)
|
||||
return 0;
|
||||
|
||||
@@ -259,8 +259,6 @@ struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp)
|
||||
struct aa_ruleset *rules;
|
||||
|
||||
rules = kzalloc(sizeof(*rules), gfp);
|
||||
if (rules)
|
||||
INIT_LIST_HEAD(&rules->list);
|
||||
|
||||
return rules;
|
||||
}
|
||||
@@ -277,7 +275,6 @@ struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp)
|
||||
*/
|
||||
void aa_free_profile(struct aa_profile *profile)
|
||||
{
|
||||
struct aa_ruleset *rule, *tmp;
|
||||
struct rhashtable *rht;
|
||||
|
||||
AA_DEBUG(DEBUG_POLICY, "%s(%p)\n", __func__, profile);
|
||||
@@ -299,10 +296,9 @@ void aa_free_profile(struct aa_profile *profile)
|
||||
* at this point there are no tasks that can have a reference
|
||||
* to rules
|
||||
*/
|
||||
list_for_each_entry_safe(rule, tmp, &profile->rules, list) {
|
||||
list_del_init(&rule->list);
|
||||
free_ruleset(rule);
|
||||
}
|
||||
for (int i = 0; i < profile->n_rules; i++)
|
||||
free_ruleset(profile->label.rules[i]);
|
||||
|
||||
kfree_sensitive(profile->dirname);
|
||||
|
||||
if (profile->data) {
|
||||
@@ -331,25 +327,25 @@ struct aa_profile *aa_alloc_profile(const char *hname, struct aa_proxy *proxy,
|
||||
gfp_t gfp)
|
||||
{
|
||||
struct aa_profile *profile;
|
||||
struct aa_ruleset *rules;
|
||||
|
||||
/* freed by free_profile - usually through aa_put_profile */
|
||||
profile = kzalloc(struct_size(profile, label.vec, 2), gfp);
|
||||
/* freed by free_profile - usually through aa_put_profile
|
||||
* this adds space for a single ruleset in the rules section of the
|
||||
* label
|
||||
*/
|
||||
profile = kzalloc(struct_size(profile, label.rules, 1), gfp);
|
||||
if (!profile)
|
||||
return NULL;
|
||||
profile->n_rules = 1;
|
||||
|
||||
if (!aa_policy_init(&profile->base, NULL, hname, gfp))
|
||||
goto fail;
|
||||
if (!aa_label_init(&profile->label, 1, gfp))
|
||||
goto fail;
|
||||
|
||||
INIT_LIST_HEAD(&profile->rules);
|
||||
|
||||
/* allocate the first ruleset, but leave it empty */
|
||||
rules = aa_alloc_ruleset(gfp);
|
||||
if (!rules)
|
||||
profile->label.rules[0] = aa_alloc_ruleset(gfp);
|
||||
if (!profile->label.rules[0])
|
||||
goto fail;
|
||||
list_add(&rules->list, &profile->rules);
|
||||
|
||||
/* update being set needed by fs interface */
|
||||
if (!proxy) {
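Review bot: `profile->n_rules = 1;` is set immediately after the kzalloc, before `profile->label.rules[0]` is allocated, so a `goto fail` taken at `aa_policy_init`, `aa_label_init` or the ruleset allocation leaves `n_rules == 1` with `rules[0] == NULL`. If the `fail:` path (just past this hunk) still tears the profile down through aa_free_profile, its new `for (i = 0; i < profile->n_rules; i++) free_ruleset(profile->label.rules[i]);` loop will pass a NULL ruleset to free_ruleset, which nothing visible shows to be NULL-tolerant; the `if (!rules) return 0;` retained in verify_profile indicates rules[0] can indeed be NULL. Move `profile->n_rules = 1;` to just after the `if (!profile->label.rules[0]) goto fail;` check, or guard the free loop with `if (profile->label.rules[i])`. The old code was safe here only because the empty list head made the list walk free nothing.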
|
||||
@@ -374,6 +370,18 @@ fail:
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static inline bool ANY_RULE_MEDIATES(struct aa_profile *profile,
|
||||
unsigned char class)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < profile->n_rules; i++) {
|
||||
if (RULE_MEDIATES(profile->label.rules[i], class))
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/* set of rules that are mediated by unconfined */
|
||||
static int unconfined_mediates[] = { AA_CLASS_NS, AA_CLASS_IO_URING, 0 };
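Review bot: The mediation bitmask and the permission checks disagree on how many rulesets count: this helper walks all `n_rules`, while every check converted in this commit (af_unix, capability, file, mount, net, ptrace, rlimit, signal) reads only `profile->label.rules[0]`. If a profile ever had n_rules > 1, label.mediates could advertise a class that only a later ruleset mediates and the rules[0]-only checks would never enforce it, a silent policy gap rather than a denial. Since aa_alloc_profile fixes n_rules to 1 and the commit message says rulesets are not extended in place, record that as an invariant above this helper, e.g. `/* NOTE: the perm paths consult rules[0] only; n_rules must stay 1 until they are taught to walk the vector */`.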
|
||||
|
||||
@@ -386,14 +394,13 @@ void aa_compute_profile_mediates(struct aa_profile *profile)
|
||||
int *pos;
|
||||
|
||||
for (pos = unconfined_mediates; *pos; pos++) {
|
||||
if (ANY_RULE_MEDIATES(&profile->rules, AA_CLASS_NS) !=
|
||||
DFA_NOMATCH)
|
||||
if (ANY_RULE_MEDIATES(profile, *pos))
|
||||
profile->label.mediates |= ((u64) 1) << AA_CLASS_NS;
|
||||
}
|
||||
return;
|
||||
}
|
||||
for (c = 0; c <= AA_CLASS_LAST; c++) {
|
||||
if (ANY_RULE_MEDIATES(&profile->rules, c) != DFA_NOMATCH)
|
||||
if (ANY_RULE_MEDIATES(profile, c))
|
||||
profile->label.mediates |= ((u64) 1) << c;
|
||||
}
|
||||
}
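Review bot: In the unconfined loop the class tested is now `*pos`, but the bit set is still `AA_CLASS_NS`, so a match on AA_CLASS_IO_URING marks the label as mediating namespaces and the io_uring bit is never set for an unconfined profile. The line should read `profile->label.mediates |= ((u64) 1) << *pos;`. Any caller that uses label_mediates(…, AA_CLASS_IO_URING) as a fast-path gate (none is visible in this hunk) would then skip mediation for such profiles, which fails open. The pre-change code hard-coded the same bit, so this is a carried-over defect rather than one the conversion introduces, but the new loop now reads as though it had been fixed.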
|
||||
@@ -646,7 +653,7 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
|
||||
/* TODO: ideally we should inherit abi from parent */
|
||||
profile->label.flags |= FLAG_NULL;
|
||||
profile->attach.xmatch = aa_get_pdb(nullpdb);
|
||||
rules = list_first_entry(&profile->rules, typeof(*rules), list);
|
||||
rules = profile->label.rules[0];
|
||||
rules->file = aa_get_pdb(nullpdb);
|
||||
rules->policy = aa_get_pdb(nullpdb);
|
||||
aa_compute_profile_mediates(profile);
|
||||
|
||||
@@ -885,7 +885,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
|
||||
error = -ENOMEM;
|
||||
goto fail;
|
||||
}
|
||||
rules = list_first_entry(&profile->rules, typeof(*rules), list);
|
||||
rules = profile->label.rules[0];
|
||||
|
||||
/* profile renaming is optional */
|
||||
(void) aa_unpack_str(e, &profile->rename, "rename");
|
||||
@@ -1285,8 +1285,8 @@ static bool verify_perms(struct aa_policydb *pdb)
|
||||
*/
|
||||
static int verify_profile(struct aa_profile *profile)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
|
||||
if (!rules)
|
||||
return 0;
|
||||
|
||||
|
||||
@@ -89,8 +89,7 @@ static int profile_setrlimit(const struct cred *subj_cred,
|
||||
struct aa_profile *profile, unsigned int resource,
|
||||
struct rlimit *new_rlim)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
int e = 0;
|
||||
|
||||
if (rules->rlimits.mask & (1 << resource) && new_rlim->rlim_max >
|
||||
@@ -165,9 +164,7 @@ void __aa_transition_rlimits(struct aa_label *old_l, struct aa_label *new_l)
|
||||
* to the lesser of the tasks hard limit and the init tasks soft limit
|
||||
*/
|
||||
label_for_each_confined(i, old_l, old) {
|
||||
struct aa_ruleset *rules = list_first_entry(&old->rules,
|
||||
typeof(*rules),
|
||||
list);
|
||||
struct aa_ruleset *rules = old->label.rules[0];
|
||||
if (rules->rlimits.mask) {
|
||||
int j;
|
||||
|
||||
@@ -185,9 +182,7 @@ void __aa_transition_rlimits(struct aa_label *old_l, struct aa_label *new_l)
|
||||
|
||||
/* set any new hard limits as dictated by the new profile */
|
||||
label_for_each_confined(i, new_l, new) {
|
||||
struct aa_ruleset *rules = list_first_entry(&new->rules,
|
||||
typeof(*rules),
|
||||
list);
|
||||
struct aa_ruleset *rules = new->label.rules[0];
|
||||
int j;
|
||||
|
||||
if (!rules->rlimits.mask)
|
||||
|
||||
@@ -228,8 +228,7 @@ static int profile_ptrace_perm(const struct cred *cred,
|
||||
struct aa_label *peer, u32 request,
|
||||
struct apparmor_audit_data *ad)
|
||||
{
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules), list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
struct aa_perms perms = { };
|
||||
|
||||
ad->subj_cred = cred;
|
||||
@@ -246,7 +245,7 @@ static int profile_tracee_perm(const struct cred *cred,
|
||||
struct apparmor_audit_data *ad)
|
||||
{
|
||||
if (profile_unconfined(tracee) || unconfined(tracer) ||
|
||||
!ANY_RULE_MEDIATES(&tracee->rules, AA_CLASS_PTRACE))
|
||||
!label_mediates(&tracee->label, AA_CLASS_PTRACE))
|
||||
return 0;
|
||||
|
||||
return profile_ptrace_perm(cred, tracee, tracer, request, ad);
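Review bot: This ptrace gate now fails open whenever `label.mediates` has not been computed for the tracee: `label_mediates()` seeing a clear PTRACE bit returns 0 (allowed) without consulting the DFA, whereas the removed ANY_RULE_MEDIATES inspected the ruleset directly. That is only safe if aa_compute_profile_mediates runs for every profile before it can be a tracee or tracer; the commit shows it called from aa_alloc_null, but the unpack path is outside these hunks, so please confirm it is invoked there too. A comment on the condition would make the dependency explicit: `/* relies on label.mediates having been computed at profile load; a clear bit means "not mediated", i.e. allow */`.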
|
||||
@@ -260,7 +259,7 @@ static int profile_tracer_perm(const struct cred *cred,
|
||||
if (profile_unconfined(tracer))
|
||||
return 0;
|
||||
|
||||
if (ANY_RULE_MEDIATES(&tracer->rules, AA_CLASS_PTRACE))
|
||||
if (label_mediates(&tracer->label, AA_CLASS_PTRACE))
|
||||
return profile_ptrace_perm(cred, tracer, tracee, request, ad);
|
||||
|
||||
/* profile uses the old style capability check for ptrace */
|
||||
@@ -324,9 +323,7 @@ int aa_profile_ns_perm(struct aa_profile *profile,
|
||||
ad->request = request;
|
||||
|
||||
if (!profile_unconfined(profile)) {
|
||||
struct aa_ruleset *rules = list_first_entry(&profile->rules,
|
||||
typeof(*rules),
|
||||
list);
|
||||
struct aa_ruleset *rules = profile->label.rules[0];
|
||||
aa_state_t state;
|
||||
|
||||
state = RULE_MEDIATES(rules, ad->class);
|
||||
|
||||