1 | From 50d30adbef98a0b6cc531a9413d05f564eb633ee Mon Sep 17 00:00:00 2001 |
2 | From: John Johansen <john.johansen@canonical.com> | |
3 | Date: Wed, 16 Aug 2017 08:59:57 -0700 | |
4 | Subject: [PATCH 13/17] apparmor: move new_null_profile to after profile lookup | |
5 | fns() | |
6 | ||
7 | new_null_profile will need to use some of the profile lookup fns() | |
8 | so move instead of doing forward fn declarations. | |
9 | ||
10 | Signed-off-by: John Johansen <john.johansen@canonical.com> | |
11 | (cherry picked from commit cf1e50dfc6f627bc2989b57076b129c330fb3f0a) | |
12 | --- | |
13 | security/apparmor/policy.c | 158 ++++++++++++++++++++++----------------------- | |
14 | 1 file changed, 79 insertions(+), 79 deletions(-) | |
15 | ||
16 | diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c | |
17 | index 244ea4a4a8f0..a81a384a63b1 100644 | |
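--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -289,85 +289,6 @@ struct aa_profile *aa_alloc_profile(const char *hname, struct aa_proxy *proxy,
 return NULL;
 }
 
-/**
- * aa_new_null_profile - create or find a null-X learning profile
- * @parent: profile that caused this profile to be created (NOT NULL)
- * @hat: true if the null- learning profile is a hat
- * @base: name to base the null profile off of
- * @gfp: type of allocation
- *
- * Find/Create a null- complain mode profile used in learning mode. The
- * name of the profile is unique and follows the format of parent//null-XXX.
- * where XXX is based on the @name or if that fails or is not supplied
- * a unique number
- *
- * null profiles are added to the profile list but the list does not
- * hold a count on them so that they are automatically released when
- * not in use.
- *
- * Returns: new refcounted profile else NULL on failure
- */
-struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
- const char *base, gfp_t gfp)
-{
- struct aa_profile *profile;
- char *name;
-
- AA_BUG(!parent);
-
- if (base) {
- name = kmalloc(strlen(parent->base.hname) + 8 + strlen(base),
- gfp);
- if (name) {
- sprintf(name, "%s//null-%s", parent->base.hname, base);
- goto name;
- }
- /* fall through to try shorter uniq */
- }
-
- name = kmalloc(strlen(parent->base.hname) + 2 + 7 + 8, gfp);
- if (!name)
- return NULL;
- sprintf(name, "%s//null-%x", parent->base.hname,
- atomic_inc_return(&parent->ns->uniq_null));
-
-name:
- /* lookup to see if this is a dup creation */
- profile = aa_find_child(parent, basename(name));
- if (profile)
- goto out;
-
- profile = aa_alloc_profile(name, NULL, gfp);
- if (!profile)
- goto fail;
-
- profile->mode = APPARMOR_COMPLAIN;
- profile->label.flags |= FLAG_NULL;
- if (hat)
- profile->label.flags |= FLAG_HAT;
- profile->path_flags = parent->path_flags;
-
- /* released on free_profile */
- rcu_assign_pointer(profile->parent, aa_get_profile(parent));
- profile->ns = aa_get_ns(parent->ns);
- profile->file.dfa = aa_get_dfa(nulldfa);
- profile->policy.dfa = aa_get_dfa(nulldfa);
-
- mutex_lock(&profile->ns->lock);
- __add_profile(&parent->base.profiles, profile);
- mutex_unlock(&profile->ns->lock);
-
- /* refcount released by caller */
-out:
- kfree(name);
-
- return profile;
-
-fail:
- aa_free_profile(profile);
- return NULL;
-}
-
 /* TODO: profile accounting - setup in remove */
 
 /**
@@ -559,6 +480,85 @@ struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
 }
 
 /**
+ * aa_new_null_profile - create or find a null-X learning profile
+ * @parent: profile that caused this profile to be created (NOT NULL)
+ * @hat: true if the null- learning profile is a hat
+ * @base: name to base the null profile off of
+ * @gfp: type of allocation
+ *
+ * Find/Create a null- complain mode profile used in learning mode. The
+ * name of the profile is unique and follows the format of parent//null-XXX.
+ * where XXX is based on the @name or if that fails or is not supplied
+ * a unique number
+ *
+ * null profiles are added to the profile list but the list does not
+ * hold a count on them so that they are automatically released when
+ * not in use.
+ *
+ * Returns: new refcounted profile else NULL on failure
+ */
+struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
+ const char *base, gfp_t gfp)
+{
+ struct aa_profile *profile;
+ char *name;
+
+ AA_BUG(!parent);
+
+ if (base) {
+ name = kmalloc(strlen(parent->base.hname) + 8 + strlen(base),
+ gfp);
+ if (name) {
+ sprintf(name, "%s//null-%s", parent->base.hname, base);
+ goto name;
+ }
+ /* fall through to try shorter uniq */
+ }
+
+ name = kmalloc(strlen(parent->base.hname) + 2 + 7 + 8, gfp);
+ if (!name)
+ return NULL;
+ sprintf(name, "%s//null-%x", parent->base.hname,
+ atomic_inc_return(&parent->ns->uniq_null));
+
+name:
+ /* lookup to see if this is a dup creation */
+ profile = aa_find_child(parent, basename(name));
+ if (profile)
+ goto out;
+
+ profile = aa_alloc_profile(name, NULL, gfp);
+ if (!profile)
+ goto fail;
+
+ profile->mode = APPARMOR_COMPLAIN;
+ profile->label.flags |= FLAG_NULL;
+ if (hat)
+ profile->label.flags |= FLAG_HAT;
+ profile->path_flags = parent->path_flags;
+
+ /* released on free_profile */
+ rcu_assign_pointer(profile->parent, aa_get_profile(parent));
+ profile->ns = aa_get_ns(parent->ns);
+ profile->file.dfa = aa_get_dfa(nulldfa);
+ profile->policy.dfa = aa_get_dfa(nulldfa);
+
+ mutex_lock(&profile->ns->lock);
+ __add_profile(&parent->base.profiles, profile);
+ mutex_unlock(&profile->ns->lock);
+
+ /* refcount released by caller */
+out:
+ kfree(name);
+
+ return profile;
+
+fail:
+ aa_free_profile(profile);
+ return NULL;
+}
+
+/**
 * replacement_allowed - test to see if replacement is allowed
 * @profile: profile to test if it can be replaced (MAYBE NULL)
 * @noreplace: true if replacement shouldn't be allowed but addition is okay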
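Review bot: The `fail:` label in the relocated aa_new_null_profile() returns without freeing `name`, so the kmalloc'd name buffer leaks whenever `aa_alloc_profile()` returns NULL; adding `kfree(name);` ahead of `aa_free_profile(profile);` under `fail:` would close that path. The duplicate check also looks racy: `aa_find_child()` runs before `mutex_lock(&profile->ns->lock)`, so two callers building the same `parent//null-<base>` name could apparently both miss the lookup and both reach `__add_profile()`; repeating the lookup once the lock is held would rule that out. Both are carried over unchanged from the removed copy, so a follow-up patch is probably the right place for them rather than this pure move.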
192 | -- | |
193 | 2.11.0 | |