[packages/kernel.git] / 0013-apparmor-move-new_null_profile-to-after-profile-look.patch

From 50d30adbef98a0b6cc531a9413d05f564eb633ee Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Wed, 16 Aug 2017 08:59:57 -0700
Subject: [PATCH 13/17] apparmor: move new_null_profile to after profile lookup
 fns()

new_null_profile will need to use some of the profile lookup fns()
so move instead of doing forward fn declarations.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit cf1e50dfc6f627bc2989b57076b129c330fb3f0a)
---
 security/apparmor/policy.c | 158 ++++++++++++++++++++++-----------------------
 1 file changed, 79 insertions(+), 79 deletions(-)

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 244ea4a4a8f0..a81a384a63b1 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -289,85 +289,6 @@ struct aa_profile *aa_alloc_profile(const char *hname, struct aa_proxy *proxy,
 	return NULL;
 }
 
-/**
- * aa_new_null_profile - create or find a null-X learning profile
- * @parent: profile that caused this profile to be created (NOT NULL)
- * @hat: true if the null- learning profile is a hat
- * @base: name to base the null profile off of
- * @gfp: type of allocation
- *
- * Find/Create a null- complain mode profile used in learning mode.  The
- * name of the profile is unique and follows the format of parent//null-XXX.
- * where XXX is based on the @name or if that fails or is not supplied
- * a unique number
- *
- * null profiles are added to the profile list but the list does not
- * hold a count on them so that they are automatically released when
- * not in use.
- *
- * Returns: new refcounted profile else NULL on failure
- */
-struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
-				       const char *base, gfp_t gfp)
-{
-	struct aa_profile *profile;
-	char *name;
-
-	AA_BUG(!parent);
-
-	if (base) {
-		name = kmalloc(strlen(parent->base.hname) + 8 + strlen(base),
-			       gfp);
-		if (name) {
-			sprintf(name, "%s//null-%s", parent->base.hname, base);
-			goto name;
-		}
-		/* fall through to try shorter uniq */
-	}
-
-	name = kmalloc(strlen(parent->base.hname) + 2 + 7 + 8, gfp);
-	if (!name)
-		return NULL;
-	sprintf(name, "%s//null-%x", parent->base.hname,
-		atomic_inc_return(&parent->ns->uniq_null));
-
-name:
-	/* lookup to see if this is a dup creation */
-	profile = aa_find_child(parent, basename(name));
-	if (profile)
-		goto out;
-
-	profile = aa_alloc_profile(name, NULL, gfp);
-	if (!profile)
-		goto fail;
-
-	profile->mode = APPARMOR_COMPLAIN;
-	profile->label.flags |= FLAG_NULL;
-	if (hat)
-		profile->label.flags |= FLAG_HAT;
-	profile->path_flags = parent->path_flags;
-
-	/* released on free_profile */
-	rcu_assign_pointer(profile->parent, aa_get_profile(parent));
-	profile->ns = aa_get_ns(parent->ns);
-	profile->file.dfa = aa_get_dfa(nulldfa);
-	profile->policy.dfa = aa_get_dfa(nulldfa);
-
-	mutex_lock(&profile->ns->lock);
-	__add_profile(&parent->base.profiles, profile);
-	mutex_unlock(&profile->ns->lock);
-
-	/* refcount released by caller */
-out:
-	kfree(name);
-
-	return profile;
-
-fail:
-	aa_free_profile(profile);
-	return NULL;
-}
-
 /* TODO: profile accounting - setup in remove */
 
 /**
@@ -559,6 +480,85 @@ struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
 }
 
 /**
+ * aa_new_null_profile - create or find a null-X learning profile
+ * @parent: profile that caused this profile to be created (NOT NULL)
+ * @hat: true if the null- learning profile is a hat
+ * @base: name to base the null profile off of
+ * @gfp: type of allocation
+ *
+ * Find/Create a null- complain mode profile used in learning mode.  The
+ * name of the profile is unique and follows the format of parent//null-XXX.
+ * where XXX is based on the @name or if that fails or is not supplied
+ * a unique number
+ *
+ * null profiles are added to the profile list but the list does not
+ * hold a count on them so that they are automatically released when
+ * not in use.
+ *
+ * Returns: new refcounted profile else NULL on failure
+ */
+struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
+				       const char *base, gfp_t gfp)
+{
+	struct aa_profile *profile;
+	char *name;
+
+	AA_BUG(!parent);
+
+	if (base) {
+		name = kmalloc(strlen(parent->base.hname) + 8 + strlen(base),
+			       gfp);
+		if (name) {
+			sprintf(name, "%s//null-%s", parent->base.hname, base);
+			goto name;
+		}
+		/* fall through to try shorter uniq */
+	}
+
+	name = kmalloc(strlen(parent->base.hname) + 2 + 7 + 8, gfp);
+	if (!name)
+		return NULL;
+	sprintf(name, "%s//null-%x", parent->base.hname,
+		atomic_inc_return(&parent->ns->uniq_null));
+
+name:
+	/* lookup to see if this is a dup creation */
+	profile = aa_find_child(parent, basename(name));
+	if (profile)
+		goto out;
+
+	profile = aa_alloc_profile(name, NULL, gfp);
+	if (!profile)
+		goto fail;
+
+	profile->mode = APPARMOR_COMPLAIN;
+	profile->label.flags |= FLAG_NULL;
+	if (hat)
+		profile->label.flags |= FLAG_HAT;
+	profile->path_flags = parent->path_flags;
+
+	/* released on free_profile */
+	rcu_assign_pointer(profile->parent, aa_get_profile(parent));
+	profile->ns = aa_get_ns(parent->ns);
+	profile->file.dfa = aa_get_dfa(nulldfa);
+	profile->policy.dfa = aa_get_dfa(nulldfa);
+
+	mutex_lock(&profile->ns->lock);
+	__add_profile(&parent->base.profiles, profile);
+	mutex_unlock(&profile->ns->lock);
+
+	/* refcount released by caller */
+out:
+	kfree(name);
+
+	return profile;
+
+fail:
+	aa_free_profile(profile);
+	return NULL;
+}
+
+/**
  * replacement_allowed - test to see if replacement is allowed
  * @profile: profile to test if it can be replaced  (MAYBE NULL)
  * @noreplace: true if replacement shouldn't be allowed but addition is okay
-- 
2.11.0
Commit	Line	Data
daaa955e AM	1	From 50d30adbef98a0b6cc531a9413d05f564eb633ee Mon Sep 17 00:00:00 2001
	2	From: John Johansen <john.johansen@canonical.com>
	3	Date: Wed, 16 Aug 2017 08:59:57 -0700
	4	Subject: [PATCH 13/17] apparmor: move new_null_profile to after profile lookup
	5	fns()
	6
	7	new_null_profile will need to use some of the profile lookup fns()
	8	so move instead of doing forward fn declarations.
	9
	10	Signed-off-by: John Johansen <john.johansen@canonical.com>
	11	(cherry picked from commit cf1e50dfc6f627bc2989b57076b129c330fb3f0a)
	12	---
	13	security/apparmor/policy.c \| 158 ++++++++++++++++++++++-----------------------
	14	1 file changed, 79 insertions(+), 79 deletions(-)
	15
	16	diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
	17	index 244ea4a4a8f0..a81a384a63b1 100644
	18	--- a/security/apparmor/policy.c
	19	+++ b/security/apparmor/policy.c
	20	@@ -289,85 +289,6 @@ struct aa_profile aa_alloc_profile(const char hname, struct aa_proxy *proxy,
	21	return NULL;
	22	}
	23
	24	-/**
	25	- * aa_new_null_profile - create or find a null-X learning profile
	26	- * @parent: profile that caused this profile to be created (NOT NULL)
	27	- * @hat: true if the null- learning profile is a hat
	28	- * @base: name to base the null profile off of
	29	- * @gfp: type of allocation
	30	- *
	31	- * Find/Create a null- complain mode profile used in learning mode. The
	32	- * name of the profile is unique and follows the format of parent//null-XXX.
	33	- * where XXX is based on the @name or if that fails or is not supplied
	34	- * a unique number
	35	- *
	36	- * null profiles are added to the profile list but the list does not
	37	- * hold a count on them so that they are automatically released when
	38	- * not in use.
	39	- *
	40	- * Returns: new refcounted profile else NULL on failure
	41	- */
	42	-struct aa_profile aa_new_null_profile(struct aa_profile parent, bool hat,
	43	- const char *base, gfp_t gfp)
	44	-{
	45	- struct aa_profile *profile;
	46	- char *name;
	47	-
	48	- AA_BUG(!parent);
	49	-
	50	- if (base) {
	51	- name = kmalloc(strlen(parent->base.hname) + 8 + strlen(base),
	52	- gfp);
	53	- if (name) {
	54	- sprintf(name, "%s//null-%s", parent->base.hname, base);
	55	- goto name;
	56	- }
	57	- /* fall through to try shorter uniq */
	58	- }
	59	-
	60	- name = kmalloc(strlen(parent->base.hname) + 2 + 7 + 8, gfp);
	61	- if (!name)
	62	- return NULL;
	63	- sprintf(name, "%s//null-%x", parent->base.hname,
	64	- atomic_inc_return(&parent->ns->uniq_null));
65	-
66	-name:
67	- /* lookup to see if this is a dup creation */
68	- profile = aa_find_child(parent, basename(name));
69	- if (profile)
70	- goto out;
71	-
72	- profile = aa_alloc_profile(name, NULL, gfp);
73	- if (!profile)
74	- goto fail;
75	-
76	- profile->mode = APPARMOR_COMPLAIN;
77	- profile->label.flags \|= FLAG_NULL;
78	- if (hat)
79	- profile->label.flags \|= FLAG_HAT;
80	- profile->path_flags = parent->path_flags;
81	-
82	- /* released on free_profile */
83	- rcu_assign_pointer(profile->parent, aa_get_profile(parent));
84	- profile->ns = aa_get_ns(parent->ns);
85	- profile->file.dfa = aa_get_dfa(nulldfa);
86	- profile->policy.dfa = aa_get_dfa(nulldfa);
87	-
88	- mutex_lock(&profile->ns->lock);
89	- __add_profile(&parent->base.profiles, profile);
90	- mutex_unlock(&profile->ns->lock);
91	-
92	- /* refcount released by caller */
93	-out:
94	- kfree(name);
95	-
96	- return profile;
97	-
98	-fail:
99	- aa_free_profile(profile);
100	- return NULL;
101	-}
102	-
103	/* TODO: profile accounting - setup in remove */
104
105	/**
106	@@ -559,6 +480,85 @@ struct aa_profile aa_fqlookupn_profile(struct aa_label base,
107	}
108
109	/**
110	+ * aa_new_null_profile - create or find a null-X learning profile
111	+ * @parent: profile that caused this profile to be created (NOT NULL)
112	+ * @hat: true if the null- learning profile is a hat
113	+ * @base: name to base the null profile off of
114	+ * @gfp: type of allocation
115	+ *
116	+ * Find/Create a null- complain mode profile used in learning mode. The
117	+ * name of the profile is unique and follows the format of parent//null-XXX.
118	+ * where XXX is based on the @name or if that fails or is not supplied
119	+ * a unique number
120	+ *
121	+ * null profiles are added to the profile list but the list does not
122	+ * hold a count on them so that they are automatically released when
123	+ * not in use.
124	+ *
125	+ * Returns: new refcounted profile else NULL on failure
126	+ */
127	+struct aa_profile aa_new_null_profile(struct aa_profile parent, bool hat,
128	+ const char *base, gfp_t gfp)
129	+{
130	+ struct aa_profile *profile;
131	+ char *name;
132	+
133	+ AA_BUG(!parent);
134	+
135	+ if (base) {
136	+ name = kmalloc(strlen(parent->base.hname) + 8 + strlen(base),
137	+ gfp);
138	+ if (name) {
139	+ sprintf(name, "%s//null-%s", parent->base.hname, base);
140	+ goto name;
141	+ }
142	+ /* fall through to try shorter uniq */
143	+ }
144	+
145	+ name = kmalloc(strlen(parent->base.hname) + 2 + 7 + 8, gfp);
146	+ if (!name)
147	+ return NULL;
148	+ sprintf(name, "%s//null-%x", parent->base.hname,
149	+ atomic_inc_return(&parent->ns->uniq_null));
150	+
151	+name:
152	+ /* lookup to see if this is a dup creation */
153	+ profile = aa_find_child(parent, basename(name));
154	+ if (profile)
155	+ goto out;
156	+
157	+ profile = aa_alloc_profile(name, NULL, gfp);
158	+ if (!profile)
159	+ goto fail;
160	+
161	+ profile->mode = APPARMOR_COMPLAIN;
162	+ profile->label.flags \|= FLAG_NULL;
163	+ if (hat)
164	+ profile->label.flags \|= FLAG_HAT;
165	+ profile->path_flags = parent->path_flags;
166	+
167	+ /* released on free_profile */
168	+ rcu_assign_pointer(profile->parent, aa_get_profile(parent));
169	+ profile->ns = aa_get_ns(parent->ns);
170	+ profile->file.dfa = aa_get_dfa(nulldfa);
171	+ profile->policy.dfa = aa_get_dfa(nulldfa);
172	+
173	+ mutex_lock(&profile->ns->lock);
174	+ __add_profile(&parent->base.profiles, profile);
175	+ mutex_unlock(&profile->ns->lock);
176	+
177	+ /* refcount released by caller */
178	+out:
179	+ kfree(name);
180	+
181	+ return profile;
182	+
183	+fail:
184	+ aa_free_profile(profile);
185	+ return NULL;
186	+}
187	+
188	+/**
189	* replacement_allowed - test to see if replacement is allowed
190	* @profile: profile to test if it can be replaced (MAYBE NULL)
191	* @noreplace: true if replacement shouldn't be allowed but addition is okay
192	--
193	2.11.0
194