apparmor: extend permissions to support a label and tag string
add indexes for label and tag entries. Rename the domain table to the str_table as it's a shared string table with label and tags. Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
parent
caa9f579ca
commit
90917d5b68
7 changed files with 32 additions and 27 deletions
|
@ -29,24 +29,6 @@
|
|||
#include "include/policy.h"
|
||||
#include "include/policy_ns.h"
|
||||
|
||||
/**
|
||||
* aa_free_domain_entries - free entries in a domain table
|
||||
* @domain: the domain table to free (MAYBE NULL)
|
||||
*/
|
||||
void aa_free_domain_entries(struct aa_domain *domain)
|
||||
{
|
||||
int i;
|
||||
if (domain) {
|
||||
if (!domain->table)
|
||||
return;
|
||||
|
||||
for (i = 0; i < domain->size; i++)
|
||||
kfree_sensitive(domain->table[i]);
|
||||
kfree_sensitive(domain->table);
|
||||
domain->table = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* may_change_ptraced_domain - check if can change profile on ptraced task
|
||||
* @to_label: profile to change to (NOT NULL)
|
||||
|
|
|
@ -16,11 +16,6 @@
|
|||
#ifndef __AA_DOMAIN_H
|
||||
#define __AA_DOMAIN_H
|
||||
|
||||
struct aa_domain {
|
||||
int size;
|
||||
char **table;
|
||||
};
|
||||
|
||||
#define AA_CHANGE_NOFLAGS 0
|
||||
#define AA_CHANGE_TEST 1
|
||||
#define AA_CHANGE_CHILD 2
|
||||
|
@ -32,7 +27,6 @@ struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex,
|
|||
|
||||
int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm);
|
||||
|
||||
void aa_free_domain_entries(struct aa_domain *domain);
|
||||
int aa_change_hat(const char *hats[], int count, u64 token, int flags);
|
||||
int aa_change_profile(const char *fqname, int flags);
|
||||
|
||||
|
|
|
@ -99,6 +99,12 @@ static inline bool path_mediated_fs(struct dentry *dentry)
|
|||
return !(dentry->d_sb->s_flags & SB_NOUSER);
|
||||
}
|
||||
|
||||
struct aa_str_table {
|
||||
int size;
|
||||
char **table;
|
||||
};
|
||||
|
||||
void aa_free_str_table(struct aa_str_table *table);
|
||||
|
||||
struct counted_str {
|
||||
struct kref count;
|
||||
|
|
|
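Review bot: The new `struct aa_str_table` is added without any kernel-doc, unlike the surrounding declarations in this header; add a short block above it stating that `size` is the number of entries in `table` and that `table` may be NULL, which is how the new `aa_free_str_table()` treats it (it returns early when `table` is NULL). The prototype below it could carry the same contract in one line: `/* aa_free_str_table - free the entries and the array of @table; @table MAYBE NULL */`. `size` is a plain `int`, so whatever fills the table is presumably responsible for rejecting negative or oversized counts; that code is not part of this change and cannot be confirmed from here.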
@ -79,6 +79,8 @@ struct aa_perms {
|
|||
u32 hide; /* set only when ~allow | deny */
|
||||
|
||||
u32 xindex;
|
||||
u32 tag; /* tag string index, if present */
|
||||
u32 label; /* label string index, if present */
|
||||
};
|
||||
|
||||
#define ALL_PERMS_MASK 0xffffffff
|
||||
|
|
|
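Review bot: The comments on the new `tag` and `label` members say "if present" but do not say how absence is encoded, so a reader cannot tell whether index 0 is a valid entry or the "not present" marker; spell it out, e.g. `u32 tag; /* index into the shared string table, 0 when absent */`, if that is the convention (the code that populates these fields is not in this change, so I cannot confirm it). Since both fields index the same shared string table as `xindex` and `struct aa_perms` is presumably filled from loaded policy, whatever range-checks `xindex` against the table size at unpack or lookup time needs to cover `tag` and `label` as well; that check is outside this commit and is worth verifying in a follow-up.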
@ -72,12 +72,14 @@ enum profile_mode {
|
|||
|
||||
/* struct aa_policydb - match engine for a policy
|
||||
* dfa: dfa pattern match
|
||||
* perms: table of permissions
|
||||
* strs: table of strings, index by x
|
||||
* start: set of start states for the different classes of data
|
||||
*/
|
||||
struct aa_policydb {
|
||||
struct aa_dfa *dfa;
|
||||
struct aa_perms *perms;
|
||||
struct aa_domain trans;
|
||||
struct aa_str_table trans;
|
||||
aa_state_t start[AA_CLASS_LAST + 1];
|
||||
};
|
||||
|
||||
|
@ -86,7 +88,7 @@ static inline void aa_destroy_policydb(struct aa_policydb *policy)
|
|||
aa_put_dfa(policy->dfa);
|
||||
if (policy->perms)
|
||||
kvfree(policy->perms);
|
||||
aa_free_domain_entries(&policy->trans);
|
||||
aa_free_str_table(&policy->trans);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
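Review bot: The doc line added to `struct aa_policydb` names a member `strs`, but the member this hunk actually changes is `trans` (`struct aa_str_table trans;`), so the comment no longer matches the struct; change it to ` * trans: table of strings, indexed by x`. The block also opens with `/*` rather than `/**`, so it is not parsed as kernel-doc; that predates this commit but is cheap to fix while the block is being touched. The second hunk in this section (`aa_destroy_policydb`) is a straight call rename to `aa_free_str_table()`, and its function body starts outside the hunk.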
@ -25,6 +25,25 @@ struct aa_perms allperms = { .allow = ALL_PERMS_MASK,
|
|||
.quiet = ALL_PERMS_MASK,
|
||||
.hide = ALL_PERMS_MASK };
|
||||
|
||||
/**
|
||||
* aa_free_str_table - free entries str table
|
||||
* @str: the string table to free (MAYBE NULL)
|
||||
*/
|
||||
void aa_free_str_table(struct aa_str_table *t)
|
||||
{
|
||||
int i;
|
||||
|
||||
if (t) {
|
||||
if (!t->table)
|
||||
return;
|
||||
|
||||
for (i = 0; i < t->size; i++)
|
||||
kfree_sensitive(t->table[i]);
|
||||
kfree_sensitive(t->table);
|
||||
t->table = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* aa_split_fqname - split a fqname into a profile and namespace name
|
||||
* @fqname: a full qualified name in namespace profile format (NOT NULL)
|
||||
|
|
|
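Review bot: The kernel-doc on the new `aa_free_str_table()` documents a parameter `@str`, but the function's parameter is named `t`, so the comment does not match the signature and kernel-doc will warn on it; change the line to ` * @t: the string table to free (MAYBE NULL)` and tidy the summary to ` * aa_free_str_table - free entries in a string table`. The body mirrors the removed `aa_free_domain_entries()`: it frees each entry and the array with `kfree_sensitive()` and resets `table` to NULL, but leaves `size` untouched, so a freed table still advertises its old entry count; adding `t->size = 0;` after `t->table = NULL;` keeps the two fields consistent for any later reuse.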
@ -534,7 +534,7 @@ static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile)
|
|||
return true;
|
||||
|
||||
fail:
|
||||
aa_free_domain_entries(&profile->file.trans);
|
||||
aa_free_str_table(&profile->file.trans);
|
||||
e->pos = saved_pos;
|
||||
return false;
|
||||
}
|
||||
|
|