summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2022-10-03 02:48:24 -0700
committerJohn Johansen <john.johansen@canonical.com>2022-10-24 22:35:36 -0700
commit58f89ce58bb4f5cf5963b20a19aaa2431b0412d8 (patch)
treec2d790ece0ee8b71c048c3775a70801e5927acaf /security
parent1f2bc06a8dbff73957f433b22c6fd35fccfb47a4 (diff)
apparmor: refactor code that alloc null profiles
Bother unconfined and learning profiles use the null profile as their base. Refactor so they are share a common base routine. This doesn't save much atm but will be important when the feature set of the parent is inherited. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/domain.c12
-rw-r--r--security/apparmor/include/policy.h6
-rw-r--r--security/apparmor/policy.c47
-rw-r--r--security/apparmor/policy_ns.c6
4 files changed, 43 insertions, 28 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index d4b09f061aee..b447bc13ea8e 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -681,8 +681,8 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
/* no exec permission - learning mode */
struct aa_profile *new_profile = NULL;
- new_profile = aa_new_null_profile(profile, false, name,
- GFP_KERNEL);
+ new_profile = aa_new_learning_profile(profile, false, name,
+ GFP_KERNEL);
if (!new_profile) {
error = -ENOMEM;
info = "could not create null profile";
@@ -1009,8 +1009,8 @@ static struct aa_label *build_change_hat(struct aa_profile *profile,
if (!hat) {
error = -ENOENT;
if (COMPLAIN_MODE(profile)) {
- hat = aa_new_null_profile(profile, true, name,
- GFP_KERNEL);
+ hat = aa_new_learning_profile(profile, true, name,
+ GFP_KERNEL);
if (!hat) {
info = "failed null profile create";
error = -ENOMEM;
@@ -1361,8 +1361,8 @@ int aa_change_profile(const char *fqname, int flags)
!COMPLAIN_MODE(labels_profile(label)))
goto audit;
/* released below */
- tprofile = aa_new_null_profile(labels_profile(label), false,
- fqname, GFP_KERNEL);
+ tprofile = aa_new_learning_profile(labels_profile(label), false,
+ fqname, GFP_KERNEL);
if (!tprofile) {
info = "failed null profile create";
error = -ENOMEM;
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 5cadfb20df29..545f791cabda 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -234,8 +234,10 @@ void aa_free_proxy_kref(struct kref *kref);
struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp);
struct aa_profile *aa_alloc_profile(const char *name, struct aa_proxy *proxy,
gfp_t gfp);
-struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
- const char *base, gfp_t gfp);
+struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
+ gfp_t gfp);
+struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat,
+ const char *base, gfp_t gfp);
void aa_free_profile(struct aa_profile *profile);
void aa_free_profile_kref(struct kref *kref);
struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name);
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 6f4cc8bfe03d..c17ccedd35f1 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -524,8 +524,36 @@ struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
return profile;
}
+
+struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
+ gfp_t gfp)
+{
+ struct aa_profile *profile;
+ struct aa_ruleset *rules;
+
+ profile = aa_alloc_profile(name, NULL, gfp);
+ if (!profile)
+ return NULL;
+
+ /* TODO: ideally we should inherit abi from parent */
+ profile->label.flags |= FLAG_NULL;
+ rules = list_first_entry(&profile->rules, typeof(*rules), list);
+ rules->file.dfa = aa_get_dfa(nulldfa);
+ rules->policy.dfa = aa_get_dfa(nulldfa);
+
+ if (parent) {
+ profile->path_flags = parent->path_flags;
+
+ /* released on free_profile */
+ rcu_assign_pointer(profile->parent, aa_get_profile(parent));
+ profile->ns = aa_get_ns(parent->ns);
+ }
+
+ return profile;
+}
+
/**
- * aa_new_null_profile - create or find a null-X learning profile
+ * aa_new_learning_profile - create or find a null-X learning profile
* @parent: profile that caused this profile to be created (NOT NULL)
* @hat: true if the null- learning profile is a hat
* @base: name to base the null profile off of
@@ -542,10 +570,9 @@ struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
*
* Returns: new refcounted profile else NULL on failure
*/
-struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
- const char *base, gfp_t gfp)
+struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat,
+ const char *base, gfp_t gfp)
{
- struct aa_ruleset *rules;
struct aa_profile *p, *profile;
const char *bname;
char *name = NULL;
@@ -575,22 +602,12 @@ name:
if (profile)
goto out;
- profile = aa_alloc_profile(name, NULL, gfp);
+ profile = aa_alloc_null(parent, name, gfp);
if (!profile)
goto fail;
-
profile->mode = APPARMOR_COMPLAIN;
- profile->label.flags |= FLAG_NULL;
if (hat)
profile->label.flags |= FLAG_HAT;
- profile->path_flags = parent->path_flags;
-
- /* released on free_profile */
- rcu_assign_pointer(profile->parent, aa_get_profile(parent));
- profile->ns = aa_get_ns(parent->ns);
- rules = list_first_entry(&profile->rules, typeof(*rules), list);
- rules->file.dfa = aa_get_dfa(nulldfa);
- rules->policy.dfa = aa_get_dfa(nulldfa);
mutex_lock_nested(&profile->ns->lock, profile->ns->level);
p = __find_child(&parent->base.profiles, bname);
diff --git a/security/apparmor/policy_ns.c b/security/apparmor/policy_ns.c
index 121aa79bccaa..5c38563a6dcf 100644
--- a/security/apparmor/policy_ns.c
+++ b/security/apparmor/policy_ns.c
@@ -83,18 +83,14 @@ const char *aa_ns_name(struct aa_ns *curr, struct aa_ns *view, bool subns)
static struct aa_profile *alloc_unconfined(const char *name)
{
struct aa_profile *profile;
- struct aa_ruleset *rules;
- profile = aa_alloc_profile(name, NULL, GFP_KERNEL);
+ profile = aa_alloc_null(NULL, name, GFP_KERNEL);
if (!profile)
return NULL;
profile->label.flags |= FLAG_IX_ON_NAME_ERROR |
FLAG_IMMUTIBLE | FLAG_NS_COUNT | FLAG_UNCONFINED;
profile->mode = APPARMOR_UNCONFINED;
- rules = list_first_entry(&profile->rules, typeof(*rules), list);
- rules->file.dfa = aa_get_dfa(nulldfa);
- rules->policy.dfa = aa_get_dfa(nulldfa);
return profile;
}