1 From 6ab924a333c81d552eb92900509113bdf2fccb2e Mon Sep 17 00:00:00 2001
2 From: John Johansen <john.johansen@canonical.com>
3 Date: Mon, 4 Oct 2010 15:03:36 -0700
4 Subject: [PATCH 1/3] AppArmor: compatibility patch for v5 network controll
6 Add compatibility for v5 network rules.
8 Signed-off-by: John Johansen <john.johansen@canonical.com>
10 include/linux/lsm_audit.h | 4 +
11 security/apparmor/Makefile | 6 +-
12 security/apparmor/include/net.h | 40 +++++++++
13 security/apparmor/include/policy.h | 3 +
14 security/apparmor/lsm.c | 112 +++++++++++++++++++++++
15 security/apparmor/net.c | 170 ++++++++++++++++++++++++++++++++++++
16 security/apparmor/policy.c | 1 +
17 security/apparmor/policy_unpack.c | 48 ++++++++++-
18 8 files changed, 382 insertions(+), 2 deletions(-)
19 create mode 100644 security/apparmor/include/net.h
20 create mode 100644 security/apparmor/net.c
22 diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
23 index 112a550..d5f3dd7 100644
24 --- a/include/linux/lsm_audit.h
25 +++ b/include/linux/lsm_audit.h
26 @@ -123,6 +123,10 @@ struct common_audit_data {
35 } apparmor_audit_data;
37 diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
38 index f204869..a9a1db0 100644
39 --- a/security/apparmor/Makefile
40 +++ b/security/apparmor/Makefile
41 @@ -4,17 +4,21 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
43 apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
44 path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
45 - resource.o sid.o file.o
46 + resource.o sid.o file.o net.o
48 clean-files: capability_names.h af_names.h
50 quiet_cmd_make-caps = GEN $@
51 cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ; sed -n -e "/CAP_FS_MASK/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@
53 +quiet_cmd_make-af = GEN $@
54 +cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ; sed -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "s/^\#define[ \\t]\\+AF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@
56 quiet_cmd_make-rlim = GEN $@
57 cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ; sed -n --e "/AF_MAX/d" -e "s/^\# \\?define[ \\t]\\+RLIMIT_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@ ; echo "static const int rlim_map[] = {" >> $@ ; sed -n -e "/AF_MAX/d" -e "s/^\# \\?define[ \\t]\\+\\(RLIMIT_[A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/\\1,/p" $< >> $@ ; echo "};" >> $@
59 $(obj)/capability.o : $(obj)/capability_names.h
60 +$(obj)/net.o : $(obj)/af_names.h
61 $(obj)/resource.o : $(obj)/rlim_names.h
62 $(obj)/capability_names.h : $(srctree)/include/linux/capability.h
64 diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
66 index 0000000..3c7d599
68 +++ b/security/apparmor/include/net.h
71 + * AppArmor security module
73 + * This file contains AppArmor network mediation definitions.
75 + * Copyright (C) 1998-2008 Novell/SUSE
76 + * Copyright 2009-2010 Canonical Ltd.
78 + * This program is free software; you can redistribute it and/or
79 + * modify it under the terms of the GNU General Public License as
80 + * published by the Free Software Foundation, version 2 of the
87 +#include <net/sock.h>
89 +/* struct aa_net - network confinement data
90 + * @allowed: basic network families permissions
91 + * @audit_network: which network permissions to force audit
92 + * @quiet_network: which network permissions to quiet rejects
100 +extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
101 + int type, int protocol, struct sock *sk);
102 +extern int aa_revalidate_sk(int op, struct sock *sk);
104 +static inline void aa_free_net_rules(struct aa_net *new)
109 +#endif /* __AA_NET_H */
110 diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
111 index aeda5cf..6776929 100644
112 --- a/security/apparmor/include/policy.h
113 +++ b/security/apparmor/include/policy.h
115 #include "capability.h"
119 #include "resource.h"
121 extern const char *profile_mode_names[];
122 @@ -145,6 +146,7 @@ struct aa_namespace {
123 * @size: the memory consumed by this profiles rules
124 * @file: The set of rules governing basic file access and domain transitions
125 * @caps: capabilities for the profile
126 + * @net: network controls for the profile
127 * @rlimits: rlimits for the profile
129 * The AppArmor profile contains the basic confinement data. Each profile
130 @@ -181,6 +183,7 @@ struct aa_profile {
132 struct aa_file_rules file;
135 struct aa_rlimit rlimits;
138 diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
139 index cf1de44..324ab91 100644
140 --- a/security/apparmor/lsm.c
141 +++ b/security/apparmor/lsm.c
143 #include "include/context.h"
144 #include "include/file.h"
145 #include "include/ipc.h"
146 +#include "include/net.h"
147 #include "include/path.h"
148 #include "include/policy.h"
149 #include "include/procattr.h"
150 @@ -619,6 +620,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
154 +static int apparmor_socket_create(int family, int type, int protocol, int kern)
156 + struct aa_profile *profile;
162 + profile = __aa_current_profile();
163 + if (!unconfined(profile))
164 + error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
169 +static int apparmor_socket_bind(struct socket *sock,
170 + struct sockaddr *address, int addrlen)
172 + struct sock *sk = sock->sk;
174 + return aa_revalidate_sk(OP_BIND, sk);
177 +static int apparmor_socket_connect(struct socket *sock,
178 + struct sockaddr *address, int addrlen)
180 + struct sock *sk = sock->sk;
182 + return aa_revalidate_sk(OP_CONNECT, sk);
185 +static int apparmor_socket_listen(struct socket *sock, int backlog)
187 + struct sock *sk = sock->sk;
189 + return aa_revalidate_sk(OP_LISTEN, sk);
192 +static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
194 + struct sock *sk = sock->sk;
196 + return aa_revalidate_sk(OP_ACCEPT, sk);
199 +static int apparmor_socket_sendmsg(struct socket *sock,
200 + struct msghdr *msg, int size)
202 + struct sock *sk = sock->sk;
204 + return aa_revalidate_sk(OP_SENDMSG, sk);
207 +static int apparmor_socket_recvmsg(struct socket *sock,
208 + struct msghdr *msg, int size, int flags)
210 + struct sock *sk = sock->sk;
212 + return aa_revalidate_sk(OP_RECVMSG, sk);
215 +static int apparmor_socket_getsockname(struct socket *sock)
217 + struct sock *sk = sock->sk;
219 + return aa_revalidate_sk(OP_GETSOCKNAME, sk);
222 +static int apparmor_socket_getpeername(struct socket *sock)
224 + struct sock *sk = sock->sk;
226 + return aa_revalidate_sk(OP_GETPEERNAME, sk);
229 +static int apparmor_socket_getsockopt(struct socket *sock, int level,
232 + struct sock *sk = sock->sk;
234 + return aa_revalidate_sk(OP_GETSOCKOPT, sk);
237 +static int apparmor_socket_setsockopt(struct socket *sock, int level,
240 + struct sock *sk = sock->sk;
242 + return aa_revalidate_sk(OP_SETSOCKOPT, sk);
245 +static int apparmor_socket_shutdown(struct socket *sock, int how)
247 + struct sock *sk = sock->sk;
249 + return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
252 static struct security_operations apparmor_ops = {
255 @@ -650,6 +749,19 @@ static struct security_operations apparmor_ops = {
256 .getprocattr = apparmor_getprocattr,
257 .setprocattr = apparmor_setprocattr,
259 + .socket_create = apparmor_socket_create,
260 + .socket_bind = apparmor_socket_bind,
261 + .socket_connect = apparmor_socket_connect,
262 + .socket_listen = apparmor_socket_listen,
263 + .socket_accept = apparmor_socket_accept,
264 + .socket_sendmsg = apparmor_socket_sendmsg,
265 + .socket_recvmsg = apparmor_socket_recvmsg,
266 + .socket_getsockname = apparmor_socket_getsockname,
267 + .socket_getpeername = apparmor_socket_getpeername,
268 + .socket_getsockopt = apparmor_socket_getsockopt,
269 + .socket_setsockopt = apparmor_socket_setsockopt,
270 + .socket_shutdown = apparmor_socket_shutdown,
272 .cred_alloc_blank = apparmor_cred_alloc_blank,
273 .cred_free = apparmor_cred_free,
274 .cred_prepare = apparmor_cred_prepare,
275 diff --git a/security/apparmor/net.c b/security/apparmor/net.c
277 index 0000000..1765901
279 +++ b/security/apparmor/net.c
282 + * AppArmor security module
284 + * This file contains AppArmor network mediation
286 + * Copyright (C) 1998-2008 Novell/SUSE
287 + * Copyright 2009-2010 Canonical Ltd.
289 + * This program is free software; you can redistribute it and/or
290 + * modify it under the terms of the GNU General Public License as
291 + * published by the Free Software Foundation, version 2 of the
295 +#include "include/apparmor.h"
296 +#include "include/audit.h"
297 +#include "include/context.h"
298 +#include "include/net.h"
299 +#include "include/policy.h"
301 +#include "af_names.h"
303 +static const char *sock_type_names[] = {
317 +/* audit callback for net specific fields */
318 +static void audit_cb(struct audit_buffer *ab, void *va)
320 + struct common_audit_data *sa = va;
322 + audit_log_format(ab, " family=");
323 + if (address_family_names[sa->u.net.family]) {
324 + audit_log_string(ab, address_family_names[sa->u.net.family]);
326 + audit_log_format(ab, " \"unknown(%d)\"", sa->u.net.family);
329 + audit_log_format(ab, " sock_type=");
330 + if (sock_type_names[sa->aad.net.type]) {
331 + audit_log_string(ab, sock_type_names[sa->aad.net.type]);
333 + audit_log_format(ab, "\"unknown(%d)\"", sa->aad.net.type);
336 + audit_log_format(ab, " protocol=%d", sa->aad.net.protocol);
340 + * audit_net - audit network access
341 + * @profile: profile being enforced (NOT NULL)
342 + * @op: operation being checked
343 + * @family: network family
344 + * @type: network type
345 + * @protocol: network protocol
346 + * @sk: socket auditing is being applied to
347 + * @error: error code for failure else 0
349 + * Returns: %0 or sa->error else other errorcode on failure
351 +static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
352 + int protocol, struct sock *sk, int error)
354 + int audit_type = AUDIT_APPARMOR_AUTO;
355 + struct common_audit_data sa;
357 + COMMON_AUDIT_DATA_INIT(&sa, NET);
359 + COMMON_AUDIT_DATA_INIT(&sa, NONE);
361 + /* todo fill in socket addr info */
364 + sa.u.net.family = family;
366 + sa.aad.net.type = type;
367 + sa.aad.net.protocol = protocol;
368 + sa.aad.error = error;
370 + if (likely(!sa.aad.error)) {
371 + u16 audit_mask = profile->net.audit[sa.u.net.family];
372 + if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
373 + !(1 << sa.aad.net.type & audit_mask)))
375 + audit_type = AUDIT_APPARMOR_AUDIT;
377 + u16 quiet_mask = profile->net.quiet[sa.u.net.family];
379 + u16 denied = (1 << sa.aad.net.type) & ~quiet_mask;
381 + if (denied & kill_mask)
382 + audit_type = AUDIT_APPARMOR_KILL;
384 + if ((denied & quiet_mask) &&
385 + AUDIT_MODE(profile) != AUDIT_NOQUIET &&
386 + AUDIT_MODE(profile) != AUDIT_ALL)
387 + return COMPLAIN_MODE(profile) ? 0 : sa.aad.error;
390 + return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
394 + * aa_net_perm - very course network access check
395 + * @op: operation being checked
396 + * @profile: profile being enforced (NOT NULL)
397 + * @family: network family
398 + * @type: network type
399 + * @protocol: network protocol
401 + * Returns: %0 else error if permission denied
403 +int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
404 + int protocol, struct sock *sk)
409 + if ((family < 0) || (family >= AF_MAX))
412 + if ((type < 0) || (type >= SOCK_MAX))
415 + /* unix domain and netlink sockets are handled by ipc */
416 + if (family == AF_UNIX || family == AF_NETLINK)
419 + family_mask = profile->net.allow[family];
421 + error = (family_mask & (1 << type)) ? 0 : -EACCES;
423 + return audit_net(profile, op, family, type, protocol, sk, error);
427 + * aa_revalidate_sk - Revalidate access to a sock
428 + * @op: operation being checked
429 + * @sk: sock being revalidated (NOT NULL)
431 + * Returns: %0 else error if permission denied
433 +int aa_revalidate_sk(int op, struct sock *sk)
435 + struct aa_profile *profile;
438 + /* aa_revalidate_sk should not be called from interrupt context
439 + * don't mediate these calls as they are not task related
441 + if (in_interrupt())
444 + profile = __aa_current_profile();
445 + if (!unconfined(profile))
446 + error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
447 + sk->sk_protocol, sk);
451 diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
452 index 52cc865..3b5da44 100644
453 --- a/security/apparmor/policy.c
454 +++ b/security/apparmor/policy.c
455 @@ -745,6 +745,7 @@ static void free_profile(struct aa_profile *profile)
457 aa_free_file_rules(&profile->file);
458 aa_free_cap_rules(&profile->caps);
459 + aa_free_net_rules(&profile->net);
460 aa_free_rlimit_rules(&profile->rlimits);
462 aa_free_sid(profile->sid);
463 diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
464 index eb3700e..c2b6225 100644
465 --- a/security/apparmor/policy_unpack.c
466 +++ b/security/apparmor/policy_unpack.c
467 @@ -190,6 +190,19 @@ fail:
471 +static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
473 + if (unpack_nameX(e, AA_U16, name)) {
474 + if (!inbounds(e, sizeof(u16)))
477 + *data = le16_to_cpu(get_unaligned((u16 *) e->pos));
478 + e->pos += sizeof(u16);
484 static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
486 if (unpack_nameX(e, AA_U32, name)) {
487 @@ -468,7 +481,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
489 struct aa_profile *profile = NULL;
490 const char *name = NULL;
491 - int error = -EPROTO;
493 + int i, error = -EPROTO;
497 @@ -559,6 +573,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
498 if (!unpack_rlimits(e, profile))
501 + size = unpack_array(e, "net_allowed_af");
504 + for (i = 0; i < size; i++) {
505 + /* discard extraneous rules that this kernel will
510 + if (!unpack_u16(e, &tmp, NULL) ||
511 + !unpack_u16(e, &tmp, NULL) ||
512 + !unpack_u16(e, &tmp, NULL))
516 + if (!unpack_u16(e, &profile->net.allow[i], NULL))
518 + if (!unpack_u16(e, &profile->net.audit[i], NULL))
520 + if (!unpack_u16(e, &profile->net.quiet[i], NULL))
523 + if (!unpack_nameX(e, AA_ARRAYEND, NULL))
526 + * allow unix domain and netlink sockets they are handled
530 + profile->net.allow[AF_UNIX] = 0xffff;
531 + profile->net.allow[AF_NETLINK] = 0xffff;
534 profile->file.dfa = unpack_dfa(e);
535 if (IS_ERR(profile->file.dfa)) {
539 From 5f034900aa447abea213c434d6d262d28fd168e7 Mon Sep 17 00:00:00 2001
540 From: John Johansen <john.johansen@canonical.com>
541 Date: Thu, 22 Jul 2010 02:32:02 -0700
542 Subject: [PATCH 2/3] AppArmor: compatibility patch for v5 interface
544 Signed-off-by: John Johansen <john.johansen@canonical.com>
546 security/apparmor/Kconfig | 9 +
547 security/apparmor/Makefile | 2 +
548 security/apparmor/apparmorfs-24.c | 287 ++++++++++++++++++++++++++++++++
549 security/apparmor/apparmorfs.c | 18 ++-
550 security/apparmor/include/apparmorfs.h | 6 +
551 5 files changed, 320 insertions(+), 2 deletions(-)
552 create mode 100644 security/apparmor/apparmorfs-24.c
554 diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
555 index 9b9013b..51ebf96 100644
556 --- a/security/apparmor/Kconfig
557 +++ b/security/apparmor/Kconfig
558 @@ -29,3 +29,12 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE
561 If you are unsure how to answer this question, answer 1.
563 +config SECURITY_APPARMOR_COMPAT_24
564 + bool "Enable AppArmor 2.4 compatability"
565 + depends on SECURITY_APPARMOR
568 + This option enables compatability with AppArmor 2.4. It is
569 + recommended if compatability with older versions of AppArmor
571 diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
572 index a9a1db0..e5e8968 100644
573 --- a/security/apparmor/Makefile
574 +++ b/security/apparmor/Makefile
575 @@ -6,6 +6,8 @@ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
576 path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
577 resource.o sid.o file.o net.o
579 +apparmor-$(CONFIG_SECURITY_APPARMOR_COMPAT_24) += apparmorfs-24.o
581 clean-files: capability_names.h af_names.h
583 quiet_cmd_make-caps = GEN $@
584 diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c
586 index 0000000..dc8c744
588 +++ b/security/apparmor/apparmorfs-24.c
591 + * AppArmor security module
593 + * This file contains AppArmor /sys/kernel/secrutiy/apparmor interface functions
595 + * Copyright (C) 1998-2008 Novell/SUSE
596 + * Copyright 2009-2010 Canonical Ltd.
598 + * This program is free software; you can redistribute it and/or
599 + * modify it under the terms of the GNU General Public License as
600 + * published by the Free Software Foundation, version 2 of the
604 + * This file contain functions providing an interface for <= AppArmor 2.4
605 + * compatibility. It is dependent on CONFIG_SECURITY_APPARMOR_COMPAT_24
606 + * being set (see Makefile).
609 +#include <linux/security.h>
610 +#include <linux/vmalloc.h>
611 +#include <linux/module.h>
612 +#include <linux/seq_file.h>
613 +#include <linux/uaccess.h>
614 +#include <linux/namei.h>
616 +#include "include/apparmor.h"
617 +#include "include/audit.h"
618 +#include "include/context.h"
619 +#include "include/policy.h"
622 +/* apparmor/matching */
623 +static ssize_t aa_matching_read(struct file *file, char __user *buf,
624 + size_t size, loff_t *ppos)
626 + const char matching[] = "pattern=aadfa audit perms=crwxamlk/ "
629 + return simple_read_from_buffer(buf, size, ppos, matching,
630 + sizeof(matching) - 1);
633 +const struct file_operations aa_fs_matching_fops = {
634 + .read = aa_matching_read,
637 +/* apparmor/features */
638 +static ssize_t aa_features_read(struct file *file, char __user *buf,
639 + size_t size, loff_t *ppos)
641 + const char features[] = "file=3.1 capability=2.0 network=1.0 "
642 + "change_hat=1.5 change_profile=1.1 " "aanamespaces=1.1 rlimit=1.1";
644 + return simple_read_from_buffer(buf, size, ppos, features,
645 + sizeof(features) - 1);
648 +const struct file_operations aa_fs_features_fops = {
649 + .read = aa_features_read,
653 + * __next_namespace - find the next namespace to list
654 + * @root: root namespace to stop search at (NOT NULL)
655 + * @ns: current ns position (NOT NULL)
657 + * Find the next namespace from @ns under @root and handle all locking needed
658 + * while switching current namespace.
660 + * Returns: next namespace or NULL if at last namespace under @root
661 + * NOTE: will not unlock root->lock
663 +static struct aa_namespace *__next_namespace(struct aa_namespace *root,
664 + struct aa_namespace *ns)
666 + struct aa_namespace *parent;
668 + /* is next namespace a child */
669 + if (!list_empty(&ns->sub_ns)) {
670 + struct aa_namespace *next;
671 + next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
672 + read_lock(&next->lock);
676 + /* check if the next ns is a sibling, parent, gp, .. */
677 + parent = ns->parent;
679 + read_unlock(&ns->lock);
680 + list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
681 + read_lock(&ns->lock);
684 + if (parent == root)
687 + parent = parent->parent;
694 + * __first_profile - find the first profile in a namespace
695 + * @root: namespace that is root of profiles being displayed (NOT NULL)
696 + * @ns: namespace to start in (NOT NULL)
698 + * Returns: unrefcounted profile or NULL if no profile
700 +static struct aa_profile *__first_profile(struct aa_namespace *root,
701 + struct aa_namespace *ns)
703 + for ( ; ns; ns = __next_namespace(root, ns)) {
704 + if (!list_empty(&ns->base.profiles))
705 + return list_first_entry(&ns->base.profiles,
706 + struct aa_profile, base.list);
712 + * __next_profile - step to the next profile in a profile tree
713 + * @profile: current profile in tree (NOT NULL)
715 + * Perform a depth first taversal on the profile tree in a namespace
717 + * Returns: next profile or NULL if done
718 + * Requires: profile->ns.lock to be held
720 +static struct aa_profile *__next_profile(struct aa_profile *p)
722 + struct aa_profile *parent;
723 + struct aa_namespace *ns = p->ns;
725 + /* is next profile a child */
726 + if (!list_empty(&p->base.profiles))
727 + return list_first_entry(&p->base.profiles, typeof(*p),
730 + /* is next profile a sibling, parent sibling, gp, subling, .. */
731 + parent = p->parent;
733 + list_for_each_entry_continue(p, &parent->base.profiles,
737 + parent = parent->parent;
740 + /* is next another profile in the namespace */
741 + list_for_each_entry_continue(p, &ns->base.profiles, base.list)
748 + * next_profile - step to the next profile in where ever it may be
749 + * @root: root namespace (NOT NULL)
750 + * @profile: current profile (NOT NULL)
752 + * Returns: next profile or NULL if there isn't one
754 +static struct aa_profile *next_profile(struct aa_namespace *root,
755 + struct aa_profile *profile)
757 + struct aa_profile *next = __next_profile(profile);
761 + /* finished all profiles in namespace move to next namespace */
762 + return __first_profile(root, __next_namespace(root, profile->ns));
766 + * p_start - start a depth first traversal of profile tree
767 + * @f: seq_file to fill
768 + * @pos: current position
770 + * Returns: first profile under current namespace or NULL if none found
772 + * acquires first ns->lock
774 +static void *p_start(struct seq_file *f, loff_t *pos)
775 + __acquires(root->lock)
777 + struct aa_profile *profile = NULL;
778 + struct aa_namespace *root = aa_current_profile()->ns;
780 + f->private = aa_get_namespace(root);
783 + /* find the first profile */
784 + read_lock(&root->lock);
785 + profile = __first_profile(root, root);
787 + /* skip to position */
788 + for (; profile && l > 0; l--)
789 + profile = next_profile(root, profile);
795 + * p_next - read the next profile entry
796 + * @f: seq_file to fill
797 + * @p: profile previously returned
798 + * @pos: current position
800 + * Returns: next profile after @p or NULL if none
802 + * may acquire/release locks in namespace tree as necessary
804 +static void *p_next(struct seq_file *f, void *p, loff_t *pos)
806 + struct aa_profile *profile = p;
807 + struct aa_namespace *root = f->private;
810 + return next_profile(root, profile);
814 + * p_stop - stop depth first traversal
815 + * @f: seq_file we are filling
816 + * @p: the last profile writen
818 + * Release all locking done by p_start/p_next on namespace tree
820 +static void p_stop(struct seq_file *f, void *p)
821 + __releases(root->lock)
823 + struct aa_profile *profile = p;
824 + struct aa_namespace *root = f->private, *ns;
827 + for (ns = profile->ns; ns && ns != root; ns = ns->parent)
828 + read_unlock(&ns->lock);
830 + read_unlock(&root->lock);
831 + aa_put_namespace(root);
835 + * seq_show_profile - show a profile entry
836 + * @f: seq_file to file
837 + * @p: current position (profile) (NOT NULL)
839 + * Returns: error on failure
841 +static int seq_show_profile(struct seq_file *f, void *p)
843 + struct aa_profile *profile = (struct aa_profile *)p;
844 + struct aa_namespace *root = f->private;
846 + if (profile->ns != root)
847 + seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
848 + seq_printf(f, "%s (%s)\n", profile->base.hname,
849 + COMPLAIN_MODE(profile) ? "complain" : "enforce");
854 +static const struct seq_operations aa_fs_profiles_op = {
858 + .show = seq_show_profile,
861 +static int profiles_open(struct inode *inode, struct file *file)
863 + return seq_open(file, &aa_fs_profiles_op);
866 +static int profiles_release(struct inode *inode, struct file *file)
868 + return seq_release(inode, file);
871 +const struct file_operations aa_fs_profiles_fops = {
872 + .open = profiles_open,
874 + .llseek = seq_lseek,
875 + .release = profiles_release,
877 diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
878 index 7320331..0e27449 100644
879 --- a/security/apparmor/apparmorfs.c
880 +++ b/security/apparmor/apparmorfs.c
881 @@ -182,7 +182,11 @@ void __init aa_destroy_aafs(void)
882 aafs_remove(".remove");
883 aafs_remove(".replace");
884 aafs_remove(".load");
886 +#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
887 + aafs_remove("profiles");
888 + aafs_remove("matching");
889 + aafs_remove("features");
891 securityfs_remove(aa_fs_dentry);
894 @@ -213,7 +217,17 @@ int __init aa_create_aafs(void)
899 +#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
900 + error = aafs_create("matching", 0444, &aa_fs_matching_fops);
903 + error = aafs_create("features", 0444, &aa_fs_features_fops);
907 + error = aafs_create("profiles", 0440, &aa_fs_profiles_fops);
910 error = aafs_create(".load", 0640, &aa_fs_profile_load);
913 diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
914 index cb1e93a..14f955c 100644
915 --- a/security/apparmor/include/apparmorfs.h
916 +++ b/security/apparmor/include/apparmorfs.h
919 extern void __init aa_destroy_aafs(void);
921 +#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
922 +extern const struct file_operations aa_fs_matching_fops;
923 +extern const struct file_operations aa_fs_features_fops;
924 +extern const struct file_operations aa_fs_profiles_fops;
927 #endif /* __AA_APPARMORFS_H */