| apparmorfs.c (a481f4d917835cad86701fc0d1e620c74bb5cd5f) | apparmorfs.c (c97204baf840bf850e14ef4f5f43251239ca43b6) |
|---|---|
| 1/* 2 * AppArmor security module 3 * 4 * This file contains AppArmor /sys/kernel/security/apparmor interface functions 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * --- 22 unchanged lines hidden (view full) --- 31#include "include/audit.h" 32#include "include/context.h" 33#include "include/crypto.h" 34#include "include/policy.h" 35#include "include/policy_ns.h" 36#include "include/resource.h" 37#include "include/policy_unpack.h" 38 | 1/* 2 * AppArmor security module 3 * 4 * This file contains AppArmor /sys/kernel/security/apparmor interface functions 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * --- 22 unchanged lines hidden (view full) --- 31#include "include/audit.h" 32#include "include/context.h" 33#include "include/crypto.h" 34#include "include/policy.h" 35#include "include/policy_ns.h" 36#include "include/resource.h" 37#include "include/policy_unpack.h" 38 |
| 39/* 40 * The apparmor filesystem interface used for policy load and introspection 41 * The interface is split into two main components based on their function 42 * a securityfs component: 43 * used for static files that are always available, and which allows 44 * userspace to specificy the location of the security filesystem. 45 * 46 * fns and data are prefixed with 47 * aa_sfs_ 48 * 49 * an apparmorfs component: 50 * used loaded policy content and introspection. It is not part of a 51 * regular mounted filesystem and is available only through the magic 52 * policy symlink in the root of the securityfs apparmor/ directory. 53 * Tasks queries will be magically redirected to the correct portion 54 * of the policy tree based on their confinement. 55 * 56 * fns and data are prefixed with 57 * aafs_ 58 * 59 * The aa_fs_ prefix is used to indicate the fn is used by both the 60 * securityfs and apparmorfs filesystems. 61 */ 62 63 64/* 65 * support fns 66 */ 67 |
|
| 39/** 40 * aa_mangle_name - mangle a profile name to std profile layout form 41 * @name: profile name to mangle (NOT NULL) 42 * @target: buffer to store mangled name, same length as @name (MAYBE NULL) 43 * 44 * Returns: length of mangled name 45 */ 46static int mangle_name(const char *name, char *target) --- 554 unchanged lines hidden (view full) --- 601 if (len < 0) 602 return len; 603 604 simple_transaction_set(file, len); 605 606 return count; 607} 608 | 68/** 69 * aa_mangle_name - mangle a profile name to std profile layout form 70 * @name: profile name to mangle (NOT NULL) 71 * @target: buffer to store mangled name, same length as @name (MAYBE NULL) 72 * 73 * Returns: length of mangled name 74 */ 75static int mangle_name(const char *name, char *target) --- 554 unchanged lines hidden (view full) --- 630 if (len < 0) 631 return len; 632 633 simple_transaction_set(file, len); 634 635 return count; 636} 637 |
| 609static const struct file_operations aa_fs_access = { | 638static const struct file_operations aa_sfs_access = { |
| 610 .write = aa_write_access, 611 .read = simple_transaction_read, 612 .release = simple_transaction_release, 613 .llseek = generic_file_llseek, 614}; 615 | 639 .write = aa_write_access, 640 .read = simple_transaction_read, 641 .release = simple_transaction_release, 642 .llseek = generic_file_llseek, 643}; 644 |
| 616static int aa_fs_seq_show(struct seq_file *seq, void *v) | 645static int aa_sfs_seq_show(struct seq_file *seq, void *v) |
| 617{ | 646{ |
| 618 struct aa_fs_entry *fs_file = seq->private; | 647 struct aa_sfs_entry *fs_file = seq->private; |
| 619 620 if (!fs_file) 621 return 0; 622 623 switch (fs_file->v_type) { | 648 649 if (!fs_file) 650 return 0; 651 652 switch (fs_file->v_type) { |
| 624 case AA_FS_TYPE_BOOLEAN: | 653 case AA_SFS_TYPE_BOOLEAN: |
| 625 seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no"); 626 break; | 654 seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no"); 655 break; |
| 627 case AA_FS_TYPE_STRING: | 656 case AA_SFS_TYPE_STRING: |
| 628 seq_printf(seq, "%s\n", fs_file->v.string); 629 break; | 657 seq_printf(seq, "%s\n", fs_file->v.string); 658 break; |
| 630 case AA_FS_TYPE_U64: | 659 case AA_SFS_TYPE_U64: |
| 631 seq_printf(seq, "%#08lx\n", fs_file->v.u64); 632 break; 633 default: 634 /* Ignore unpritable entry types. */ 635 break; 636 } 637 638 return 0; 639} 640 | 660 seq_printf(seq, "%#08lx\n", fs_file->v.u64); 661 break; 662 default: 663 /* Ignore unpritable entry types. */ 664 break; 665 } 666 667 return 0; 668} 669 |
| 641static int aa_fs_seq_open(struct inode *inode, struct file *file) | 670static int aa_sfs_seq_open(struct inode *inode, struct file *file) |
| 642{ | 671{ |
| 643 return single_open(file, aa_fs_seq_show, inode->i_private); | 672 return single_open(file, aa_sfs_seq_show, inode->i_private); |
| 644} 645 | 673} 674 |
| 646const struct file_operations aa_fs_seq_file_ops = { | 675const struct file_operations aa_sfs_seq_file_ops = { |
| 647 .owner = THIS_MODULE, | 676 .owner = THIS_MODULE, |
| 648 .open = aa_fs_seq_open, | 677 .open = aa_sfs_seq_open, |
| 649 .read = seq_read, 650 .llseek = seq_lseek, 651 .release = single_release, 652}; 653 654/* 655 * profile based file operations 656 * policy/profiles/XXXX/profiles/ * --- 334 unchanged lines hidden (view full) --- 991 992fail: 993 remove_rawdata_dents(rawdata); 994 995 return PTR_ERR(dent); 996} 997 998/** fns to setup dynamic per profile/namespace files **/ | 678 .read = seq_read, 679 .llseek = seq_lseek, 680 .release = single_release, 681}; 682 683/* 684 * profile based file operations 685 * policy/profiles/XXXX/profiles/ * --- 334 unchanged lines hidden (view full) --- 1020 1021fail: 1022 remove_rawdata_dents(rawdata); 1023 1024 return PTR_ERR(dent); 1025} 1026 1027/** fns to setup dynamic per profile/namespace files **/ |
| 999void __aa_fs_profile_rmdir(struct aa_profile *profile) | 1028 1029/** 1030 * 1031 * Requires: @profile->ns->lock held 1032 */ 1033void __aafs_profile_rmdir(struct aa_profile *profile) |
| 1000{ 1001 struct aa_profile *child; 1002 int i; 1003 1004 if (!profile) 1005 return; 1006 1007 list_for_each_entry(child, &profile->base.profiles, base.list) | 1034{ 1035 struct aa_profile *child; 1036 int i; 1037 1038 if (!profile) 1039 return; 1040 1041 list_for_each_entry(child, &profile->base.profiles, base.list) |
| 1008 __aa_fs_profile_rmdir(child); | 1042 __aafs_profile_rmdir(child); |
| 1009 1010 for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) { 1011 struct aa_proxy *proxy; 1012 if (!profile->dents[i]) 1013 continue; 1014 1015 proxy = d_inode(profile->dents[i])->i_private; 1016 securityfs_remove(profile->dents[i]); 1017 aa_put_proxy(proxy); 1018 profile->dents[i] = NULL; 1019 } 1020} 1021 | 1043 1044 for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) { 1045 struct aa_proxy *proxy; 1046 if (!profile->dents[i]) 1047 continue; 1048 1049 proxy = d_inode(profile->dents[i])->i_private; 1050 securityfs_remove(profile->dents[i]); 1051 aa_put_proxy(proxy); 1052 profile->dents[i] = NULL; 1053 } 1054} 1055 |
| 1022void __aa_fs_profile_migrate_dents(struct aa_profile *old, 1023 struct aa_profile *new) | 1056/** 1057 * 1058 * Requires: @old->ns->lock held 1059 */ 1060void __aafs_profile_migrate_dents(struct aa_profile *old, 1061 struct aa_profile *new) |
| 1024{ 1025 int i; 1026 1027 for (i = 0; i < AAFS_PROF_SIZEOF; i++) { 1028 new->dents[i] = old->dents[i]; 1029 if (new->dents[i]) 1030 new->dents[i]->d_inode->i_mtime = current_time(new->dents[i]->d_inode); 1031 old->dents[i] = NULL; --- 44 unchanged lines hidden (view full) --- 1076 return -ENAMETOOLONG; 1077 1078 return 0; 1079} 1080 1081/* 1082 * Requires: @profile->ns->lock held 1083 */ | 1062{ 1063 int i; 1064 1065 for (i = 0; i < AAFS_PROF_SIZEOF; i++) { 1066 new->dents[i] = old->dents[i]; 1067 if (new->dents[i]) 1068 new->dents[i]->d_inode->i_mtime = current_time(new->dents[i]->d_inode); 1069 old->dents[i] = NULL; --- 44 unchanged lines hidden (view full) --- 1114 return -ENAMETOOLONG; 1115 1116 return 0; 1117} 1118 1119/* 1120 * Requires: @profile->ns->lock held 1121 */ |
| 1084int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) | 1122int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) |
| 1085{ 1086 struct aa_profile *child; 1087 struct dentry *dent = NULL, *dir; 1088 int error; 1089 1090 if (!parent) { 1091 struct aa_profile *p; 1092 p = aa_deref_parent(profile); --- 79 unchanged lines hidden (view full) --- 1172 goto fail2; 1173 dent = securityfs_create_symlink("raw_data", dir, target, NULL); 1174 if (IS_ERR(dent)) 1175 goto fail; 1176 profile->dents[AAFS_PROF_RAW_DATA] = dent; 1177 } 1178 1179 list_for_each_entry(child, &profile->base.profiles, base.list) { | 1123{ 1124 struct aa_profile *child; 1125 struct dentry *dent = NULL, *dir; 1126 int error; 1127 1128 if (!parent) { 1129 struct aa_profile *p; 1130 p = aa_deref_parent(profile); --- 79 unchanged lines hidden (view full) --- 1210 goto fail2; 1211 dent = securityfs_create_symlink("raw_data", dir, target, NULL); 1212 if (IS_ERR(dent)) 1213 goto fail; 1214 profile->dents[AAFS_PROF_RAW_DATA] = dent; 1215 } 1216 1217 list_for_each_entry(child, &profile->base.profiles, base.list) { |
| 1180 error = __aa_fs_profile_mkdir(child, prof_child_dir(profile)); | 1218 error = __aafs_profile_mkdir(child, prof_child_dir(profile)); |
| 1181 if (error) 1182 goto fail2; 1183 } 1184 1185 return 0; 1186 1187fail: 1188 error = PTR_ERR(dent); 1189 1190fail2: | 1219 if (error) 1220 goto fail2; 1221 } 1222 1223 return 0; 1224 1225fail: 1226 error = PTR_ERR(dent); 1227 1228fail2: |
| 1191 __aa_fs_profile_rmdir(profile); | 1229 __aafs_profile_rmdir(profile); |
| 1192 1193 return error; 1194} 1195 1196static void __aa_fs_list_remove_rawdata(struct aa_ns *ns) 1197{ 1198 struct aa_loaddata *ent, *tmp; 1199 1200 AA_BUG(!mutex_is_locked(&ns->lock)); 1201 1202 list_for_each_entry_safe(ent, tmp, &ns->rawdata_list, list) 1203 __aa_fs_remove_rawdata(ent); 1204} 1205 | 1230 1231 return error; 1232} 1233 1234static void __aa_fs_list_remove_rawdata(struct aa_ns *ns) 1235{ 1236 struct aa_loaddata *ent, *tmp; 1237 1238 AA_BUG(!mutex_is_locked(&ns->lock)); 1239 1240 list_for_each_entry_safe(ent, tmp, &ns->rawdata_list, list) 1241 __aa_fs_remove_rawdata(ent); 1242} 1243 |
| 1206void __aa_fs_ns_rmdir(struct aa_ns *ns) | 1244/** 1245 * 1246 * Requires: @ns->lock held 1247 */ 1248void __aafs_ns_rmdir(struct aa_ns *ns) |
| 1207{ 1208 struct aa_ns *sub; 1209 struct aa_profile *child; 1210 int i; 1211 1212 if (!ns) 1213 return; 1214 1215 list_for_each_entry(child, &ns->base.profiles, base.list) | 1249{ 1250 struct aa_ns *sub; 1251 struct aa_profile *child; 1252 int i; 1253 1254 if (!ns) 1255 return; 1256 1257 list_for_each_entry(child, &ns->base.profiles, base.list) |
| 1216 __aa_fs_profile_rmdir(child); | 1258 __aafs_profile_rmdir(child); |
| 1217 1218 list_for_each_entry(sub, &ns->sub_ns, base.list) { 1219 mutex_lock(&sub->lock); | 1259 1260 list_for_each_entry(sub, &ns->sub_ns, base.list) { 1261 mutex_lock(&sub->lock); |
| 1220 __aa_fs_ns_rmdir(sub); | 1262 __aafs_ns_rmdir(sub); |
| 1221 mutex_unlock(&sub->lock); 1222 } 1223 1224 __aa_fs_list_remove_rawdata(ns); 1225 1226 if (ns_subns_dir(ns)) { 1227 sub = d_inode(ns_subns_dir(ns))->i_private; 1228 aa_put_ns(sub); --- 13 unchanged lines hidden (view full) --- 1242 1243 for (i = AAFS_NS_SIZEOF - 1; i >= 0; --i) { 1244 securityfs_remove(ns->dents[i]); 1245 ns->dents[i] = NULL; 1246 } 1247} 1248 1249/* assumes cleanup in caller */ | 1263 mutex_unlock(&sub->lock); 1264 } 1265 1266 __aa_fs_list_remove_rawdata(ns); 1267 1268 if (ns_subns_dir(ns)) { 1269 sub = d_inode(ns_subns_dir(ns))->i_private; 1270 aa_put_ns(sub); --- 13 unchanged lines hidden (view full) --- 1284 1285 for (i = AAFS_NS_SIZEOF - 1; i >= 0; --i) { 1286 securityfs_remove(ns->dents[i]); 1287 ns->dents[i] = NULL; 1288 } 1289} 1290 1291/* assumes cleanup in caller */ |
| 1250static int __aa_fs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir) | 1292static int __aafs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir) |
| 1251{ 1252 struct dentry *dent; 1253 1254 AA_BUG(!ns); 1255 AA_BUG(!dir); 1256 1257 dent = securityfs_create_dir("profiles", dir); 1258 if (IS_ERR(dent)) --- 30 unchanged lines hidden (view full) --- 1289 if (IS_ERR(dent)) 1290 return PTR_ERR(dent); 1291 aa_get_ns(ns); 1292 ns_subns_dir(ns) = dent; 1293 1294 return 0; 1295} 1296 | 1293{ 1294 struct dentry *dent; 1295 1296 AA_BUG(!ns); 1297 AA_BUG(!dir); 1298 1299 dent = securityfs_create_dir("profiles", dir); 1300 if (IS_ERR(dent)) --- 30 unchanged lines hidden (view full) --- 1331 if (IS_ERR(dent)) 1332 return PTR_ERR(dent); 1333 aa_get_ns(ns); 1334 ns_subns_dir(ns) = dent; 1335 1336 return 0; 1337} 1338 |
| 1297int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name) | 1339/* 1340 * Requires: @ns->lock held 1341 */ 1342int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name) |
| 1298{ 1299 struct aa_ns *sub; 1300 struct aa_profile *child; 1301 struct dentry *dent, *dir; 1302 int error; 1303 1304 AA_BUG(!ns); 1305 AA_BUG(!parent); 1306 AA_BUG(!mutex_is_locked(&ns->lock)); 1307 1308 if (!name) 1309 name = ns->base.name; 1310 1311 /* create ns dir if it doesn't already exist */ 1312 dent = securityfs_create_dir(name, parent); 1313 if (IS_ERR(dent)) 1314 goto fail; 1315 1316 ns_dir(ns) = dir = dent; | 1343{ 1344 struct aa_ns *sub; 1345 struct aa_profile *child; 1346 struct dentry *dent, *dir; 1347 int error; 1348 1349 AA_BUG(!ns); 1350 AA_BUG(!parent); 1351 AA_BUG(!mutex_is_locked(&ns->lock)); 1352 1353 if (!name) 1354 name = ns->base.name; 1355 1356 /* create ns dir if it doesn't already exist */ 1357 dent = securityfs_create_dir(name, parent); 1358 if (IS_ERR(dent)) 1359 goto fail; 1360 1361 ns_dir(ns) = dir = dent; |
| 1317 error = __aa_fs_ns_mkdir_entries(ns, dir); | 1362 error = __aafs_ns_mkdir_entries(ns, dir); |
| 1318 if (error) 1319 goto fail2; 1320 1321 /* profiles */ 1322 list_for_each_entry(child, &ns->base.profiles, base.list) { | 1363 if (error) 1364 goto fail2; 1365 1366 /* profiles */ 1367 list_for_each_entry(child, &ns->base.profiles, base.list) { |
| 1323 error = __aa_fs_profile_mkdir(child, ns_subprofs_dir(ns)); | 1368 error = __aafs_profile_mkdir(child, ns_subprofs_dir(ns)); |
| 1324 if (error) 1325 goto fail2; 1326 } 1327 1328 /* subnamespaces */ 1329 list_for_each_entry(sub, &ns->sub_ns, base.list) { 1330 mutex_lock(&sub->lock); | 1369 if (error) 1370 goto fail2; 1371 } 1372 1373 /* subnamespaces */ 1374 list_for_each_entry(sub, &ns->sub_ns, base.list) { 1375 mutex_lock(&sub->lock); |
| 1331 error = __aa_fs_ns_mkdir(sub, ns_subns_dir(ns), NULL); | 1376 error = __aafs_ns_mkdir(sub, ns_subns_dir(ns), NULL); |
| 1332 mutex_unlock(&sub->lock); 1333 if (error) 1334 goto fail2; 1335 } 1336 1337 return 0; 1338 1339fail: 1340 error = PTR_ERR(dent); 1341 1342fail2: | 1377 mutex_unlock(&sub->lock); 1378 if (error) 1379 goto fail2; 1380 } 1381 1382 return 0; 1383 1384fail: 1385 error = PTR_ERR(dent); 1386 1387fail2: |
| 1343 __aa_fs_ns_rmdir(ns); | 1388 __aafs_ns_rmdir(ns); |
| 1344 1345 return error; 1346} 1347 1348 1349#define list_entry_is_head(pos, head, member) (&pos->member == (head)) 1350 1351/** --- 193 unchanged lines hidden (view full) --- 1545 if (profile->ns != root) 1546 seq_printf(f, ":%s://", aa_ns_name(root, profile->ns, true)); 1547 seq_printf(f, "%s (%s)\n", profile->base.hname, 1548 aa_profile_mode_names[profile->mode]); 1549 1550 return 0; 1551} 1552 | 1389 1390 return error; 1391} 1392 1393 1394#define list_entry_is_head(pos, head, member) (&pos->member == (head)) 1395 1396/** --- 193 unchanged lines hidden (view full) --- 1590 if (profile->ns != root) 1591 seq_printf(f, ":%s://", aa_ns_name(root, profile->ns, true)); 1592 seq_printf(f, "%s (%s)\n", profile->base.hname, 1593 aa_profile_mode_names[profile->mode]); 1594 1595 return 0; 1596} 1597 |
| 1553static const struct seq_operations aa_fs_profiles_op = { | 1598static const struct seq_operations aa_sfs_profiles_op = { |
| 1554 .start = p_start, 1555 .next = p_next, 1556 .stop = p_stop, 1557 .show = seq_show_profile, 1558}; 1559 1560static int profiles_open(struct inode *inode, struct file *file) 1561{ 1562 if (!policy_view_capable(NULL)) 1563 return -EACCES; 1564 | 1599 .start = p_start, 1600 .next = p_next, 1601 .stop = p_stop, 1602 .show = seq_show_profile, 1603}; 1604 1605static int profiles_open(struct inode *inode, struct file *file) 1606{ 1607 if (!policy_view_capable(NULL)) 1608 return -EACCES; 1609 |
| 1565 return seq_open(file, &aa_fs_profiles_op); | 1610 return seq_open(file, &aa_sfs_profiles_op); |
| 1566} 1567 1568static int profiles_release(struct inode *inode, struct file *file) 1569{ 1570 return seq_release(inode, file); 1571} 1572 | 1611} 1612 1613static int profiles_release(struct inode *inode, struct file *file) 1614{ 1615 return seq_release(inode, file); 1616} 1617 |
| 1573static const struct file_operations aa_fs_profiles_fops = { | 1618static const struct file_operations aa_sfs_profiles_fops = { |
| 1574 .open = profiles_open, 1575 .read = seq_read, 1576 .llseek = seq_lseek, 1577 .release = profiles_release, 1578}; 1579 1580 1581/** Base file system setup **/ | 1619 .open = profiles_open, 1620 .read = seq_read, 1621 .llseek = seq_lseek, 1622 .release = profiles_release, 1623}; 1624 1625 1626/** Base file system setup **/ |
| 1582static struct aa_fs_entry aa_fs_entry_file[] = { 1583 AA_FS_FILE_STRING("mask", "create read write exec append mmap_exec " \ 1584 "link lock"), | 1627static struct aa_sfs_entry aa_sfs_entry_file[] = { 1628 AA_SFS_FILE_STRING("mask", 1629 "create read write exec append mmap_exec link lock"), |
| 1585 { } 1586}; 1587 | 1630 { } 1631}; 1632 |
| 1588static struct aa_fs_entry aa_fs_entry_domain[] = { 1589 AA_FS_FILE_BOOLEAN("change_hat", 1), 1590 AA_FS_FILE_BOOLEAN("change_hatv", 1), 1591 AA_FS_FILE_BOOLEAN("change_onexec", 1), 1592 AA_FS_FILE_BOOLEAN("change_profile", 1), 1593 AA_FS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1), 1594 AA_FS_FILE_STRING("version", "1.2"), | 1633static struct aa_sfs_entry aa_sfs_entry_domain[] = { 1634 AA_SFS_FILE_BOOLEAN("change_hat", 1), 1635 AA_SFS_FILE_BOOLEAN("change_hatv", 1), 1636 AA_SFS_FILE_BOOLEAN("change_onexec", 1), 1637 AA_SFS_FILE_BOOLEAN("change_profile", 1), 1638 AA_SFS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1), 1639 AA_SFS_FILE_STRING("version", "1.2"), |
| 1595 { } 1596}; 1597 | 1640 { } 1641}; 1642 |
| 1598static struct aa_fs_entry aa_fs_entry_versions[] = { 1599 AA_FS_FILE_BOOLEAN("v5", 1), | 1643static struct aa_sfs_entry aa_sfs_entry_versions[] = { 1644 AA_SFS_FILE_BOOLEAN("v5", 1), |
| 1600 { } 1601}; 1602 | 1645 { } 1646}; 1647 |
| 1603static struct aa_fs_entry aa_fs_entry_policy[] = { 1604 AA_FS_DIR("versions", aa_fs_entry_versions), 1605 AA_FS_FILE_BOOLEAN("set_load", 1), | 1648static struct aa_sfs_entry aa_sfs_entry_policy[] = { 1649 AA_SFS_DIR("versions", aa_sfs_entry_versions), 1650 AA_SFS_FILE_BOOLEAN("set_load", 1), |
| 1606 { } 1607}; 1608 | 1651 { } 1652}; 1653 |
| 1609static struct aa_fs_entry aa_fs_entry_features[] = { 1610 AA_FS_DIR("policy", aa_fs_entry_policy), 1611 AA_FS_DIR("domain", aa_fs_entry_domain), 1612 AA_FS_DIR("file", aa_fs_entry_file), 1613 AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), 1614 AA_FS_DIR("rlimit", aa_fs_entry_rlimit), 1615 AA_FS_DIR("caps", aa_fs_entry_caps), | 1654static struct aa_sfs_entry aa_sfs_entry_features[] = { 1655 AA_SFS_DIR("policy", aa_sfs_entry_policy), 1656 AA_SFS_DIR("domain", aa_sfs_entry_domain), 1657 AA_SFS_DIR("file", aa_sfs_entry_file), 1658 AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), 1659 AA_SFS_DIR("rlimit", aa_sfs_entry_rlimit), 1660 AA_SFS_DIR("caps", aa_sfs_entry_caps), |
| 1616 { } 1617}; 1618 | 1661 { } 1662}; 1663 |
| 1619static struct aa_fs_entry aa_fs_entry_apparmor[] = { 1620 AA_FS_FILE_FOPS(".access", 0640, &aa_fs_access), 1621 AA_FS_FILE_FOPS(".ns_level", 0666, &seq_ns_level_fops), 1622 AA_FS_FILE_FOPS(".ns_name", 0640, &seq_ns_name_fops), 1623 AA_FS_FILE_FOPS("profiles", 0440, &aa_fs_profiles_fops), 1624 AA_FS_DIR("features", aa_fs_entry_features), | 1664static struct aa_sfs_entry aa_sfs_entry_apparmor[] = { 1665 AA_SFS_FILE_FOPS(".access", 0640, &aa_sfs_access), 1666 AA_SFS_FILE_FOPS(".ns_level", 0666, &seq_ns_level_fops), 1667 AA_SFS_FILE_FOPS(".ns_name", 0640, &seq_ns_name_fops), 1668 AA_SFS_FILE_FOPS("profiles", 0440, &aa_sfs_profiles_fops), 1669 AA_SFS_DIR("features", aa_sfs_entry_features), |
| 1625 { } 1626}; 1627 | 1670 { } 1671}; 1672 |
| 1628static struct aa_fs_entry aa_fs_entry = 1629 AA_FS_DIR("apparmor", aa_fs_entry_apparmor); | 1673static struct aa_sfs_entry aa_sfs_entry = 1674 AA_SFS_DIR("apparmor", aa_sfs_entry_apparmor); |
| 1630 1631/** 1632 * entry_create_file - create a file entry in the apparmor securityfs | 1675 1676/** 1677 * entry_create_file - create a file entry in the apparmor securityfs |
| 1633 * @fs_file: aa_fs_entry to build an entry for (NOT NULL) | 1678 * @fs_file: aa_sfs_entry to build an entry for (NOT NULL) |
| 1634 * @parent: the parent dentry in the securityfs 1635 * 1636 * Use entry_remove_file to remove entries created with this fn. 1637 */ | 1679 * @parent: the parent dentry in the securityfs 1680 * 1681 * Use entry_remove_file to remove entries created with this fn. 1682 */ |
| 1638static int __init entry_create_file(struct aa_fs_entry *fs_file, | 1683static int __init entry_create_file(struct aa_sfs_entry *fs_file, |
| 1639 struct dentry *parent) 1640{ 1641 int error = 0; 1642 1643 fs_file->dentry = securityfs_create_file(fs_file->name, 1644 S_IFREG | fs_file->mode, 1645 parent, fs_file, 1646 fs_file->file_ops); 1647 if (IS_ERR(fs_file->dentry)) { 1648 error = PTR_ERR(fs_file->dentry); 1649 fs_file->dentry = NULL; 1650 } 1651 return error; 1652} 1653 | 1684 struct dentry *parent) 1685{ 1686 int error = 0; 1687 1688 fs_file->dentry = securityfs_create_file(fs_file->name, 1689 S_IFREG | fs_file->mode, 1690 parent, fs_file, 1691 fs_file->file_ops); 1692 if (IS_ERR(fs_file->dentry)) { 1693 error = PTR_ERR(fs_file->dentry); 1694 fs_file->dentry = NULL; 1695 } 1696 return error; 1697} 1698 |
| 1654static void __init entry_remove_dir(struct aa_fs_entry *fs_dir); | 1699static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir); |
| 1655/** 1656 * entry_create_dir - recursively create a directory entry in the securityfs | 1700/** 1701 * entry_create_dir - recursively create a directory entry in the securityfs |
| 1657 * @fs_dir: aa_fs_entry (and all child entries) to build (NOT NULL) | 1702 * @fs_dir: aa_sfs_entry (and all child entries) to build (NOT NULL) |
| 1658 * @parent: the parent dentry in the securityfs 1659 * 1660 * Use entry_remove_dir to remove entries created with this fn. 1661 */ | 1703 * @parent: the parent dentry in the securityfs 1704 * 1705 * Use entry_remove_dir to remove entries created with this fn. 1706 */ |
| 1662static int __init entry_create_dir(struct aa_fs_entry *fs_dir, 1663 struct dentry *parent) | 1707static int __init entry_create_dir(struct aa_sfs_entry *fs_dir, 1708 struct dentry *parent) |
| 1664{ | 1709{ |
| 1665 struct aa_fs_entry *fs_file; | 1710 struct aa_sfs_entry *fs_file; |
| 1666 struct dentry *dir; 1667 int error; 1668 1669 dir = securityfs_create_dir(fs_dir->name, parent); 1670 if (IS_ERR(dir)) 1671 return PTR_ERR(dir); 1672 fs_dir->dentry = dir; 1673 1674 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { | 1711 struct dentry *dir; 1712 int error; 1713 1714 dir = securityfs_create_dir(fs_dir->name, parent); 1715 if (IS_ERR(dir)) 1716 return PTR_ERR(dir); 1717 fs_dir->dentry = dir; 1718 1719 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { |
| 1675 if (fs_file->v_type == AA_FS_TYPE_DIR) | 1720 if (fs_file->v_type == AA_SFS_TYPE_DIR) |
| 1676 error = entry_create_dir(fs_file, fs_dir->dentry); 1677 else 1678 error = entry_create_file(fs_file, fs_dir->dentry); 1679 if (error) 1680 goto failed; 1681 } 1682 1683 return 0; 1684 1685failed: 1686 entry_remove_dir(fs_dir); 1687 1688 return error; 1689} 1690 1691/** | 1721 error = entry_create_dir(fs_file, fs_dir->dentry); 1722 else 1723 error = entry_create_file(fs_file, fs_dir->dentry); 1724 if (error) 1725 goto failed; 1726 } 1727 1728 return 0; 1729 1730failed: 1731 entry_remove_dir(fs_dir); 1732 1733 return error; 1734} 1735 1736/** |
| 1692 * aafs_remove_file - drop a single file entry in the apparmor securityfs 1693 * @fs_file: aa_fs_entry to detach from the securityfs (NOT NULL) | 1737 * entry_remove_file - drop a single file entry in the apparmor securityfs 1738 * @fs_file: aa_sfs_entry to detach from the securityfs (NOT NULL) |
| 1694 */ | 1739 */ |
| 1695static void __init aafs_remove_file(struct aa_fs_entry *fs_file) | 1740static void __init entry_remove_file(struct aa_sfs_entry *fs_file) |
| 1696{ 1697 if (!fs_file->dentry) 1698 return; 1699 1700 securityfs_remove(fs_file->dentry); 1701 fs_file->dentry = NULL; 1702} 1703 1704/** 1705 * entry_remove_dir - recursively drop a directory entry from the securityfs | 1741{ 1742 if (!fs_file->dentry) 1743 return; 1744 1745 securityfs_remove(fs_file->dentry); 1746 fs_file->dentry = NULL; 1747} 1748 1749/** 1750 * entry_remove_dir - recursively drop a directory entry from the securityfs |
| 1706 * @fs_dir: aa_fs_entry (and all child entries) to detach (NOT NULL) | 1751 * @fs_dir: aa_sfs_entry (and all child entries) to detach (NOT NULL) |
| 1707 */ | 1752 */ |
| 1708static void __init entry_remove_dir(struct aa_fs_entry *fs_dir) | 1753static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir) |
| 1709{ | 1754{ |
| 1710 struct aa_fs_entry *fs_file; | 1755 struct aa_sfs_entry *fs_file; |
| 1711 1712 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { | 1756 1757 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { |
| 1713 if (fs_file->v_type == AA_FS_TYPE_DIR) | 1758 if (fs_file->v_type == AA_SFS_TYPE_DIR) |
| 1714 entry_remove_dir(fs_file); 1715 else | 1759 entry_remove_dir(fs_file); 1760 else |
| 1716 aafs_remove_file(fs_file); | 1761 entry_remove_file(fs_file); |
| 1717 } 1718 | 1762 } 1763 |
| 1719 aafs_remove_file(fs_dir); | 1764 entry_remove_file(fs_dir); |
| 1720} 1721 1722/** 1723 * aa_destroy_aafs - cleanup and free aafs 1724 * 1725 * releases dentries allocated by aa_create_aafs 1726 */ 1727void __init aa_destroy_aafs(void) 1728{ | 1765} 1766 1767/** 1768 * aa_destroy_aafs - cleanup and free aafs 1769 * 1770 * releases dentries allocated by aa_create_aafs 1771 */ 1772void __init aa_destroy_aafs(void) 1773{ |
| 1729 entry_remove_dir(&aa_fs_entry); | 1774 entry_remove_dir(&aa_sfs_entry); |
| 1730} 1731 1732 1733#define NULL_FILE_NAME ".null" 1734struct path aa_null; 1735 1736static int aa_mk_null_file(struct dentry *parent) 1737{ --- 100 unchanged lines hidden (view full) --- 1838static int __init aa_create_aafs(void) 1839{ 1840 struct dentry *dent; 1841 int error; 1842 1843 if (!apparmor_initialized) 1844 return 0; 1845 | 1775} 1776 1777 1778#define NULL_FILE_NAME ".null" 1779struct path aa_null; 1780 1781static int aa_mk_null_file(struct dentry *parent) 1782{ --- 100 unchanged lines hidden (view full) --- 1883static int __init aa_create_aafs(void) 1884{ 1885 struct dentry *dent; 1886 int error; 1887 1888 if (!apparmor_initialized) 1889 return 0; 1890 |
| 1846 if (aa_fs_entry.dentry) { | 1891 if (aa_sfs_entry.dentry) { |
| 1847 AA_ERROR("%s: AppArmor securityfs already exists\n", __func__); 1848 return -EEXIST; 1849 } 1850 1851 /* setup apparmorfs used to virtualize policy/ */ 1852 aafs_mnt = kern_mount(&aafs_ops); 1853 if (IS_ERR(aafs_mnt)) 1854 panic("can't set apparmorfs up\n"); 1855 aafs_mnt->mnt_sb->s_flags &= ~MS_NOUSER; 1856 1857 /* Populate fs tree. */ | 1892 AA_ERROR("%s: AppArmor securityfs already exists\n", __func__); 1893 return -EEXIST; 1894 } 1895 1896 /* setup apparmorfs used to virtualize policy/ */ 1897 aafs_mnt = kern_mount(&aafs_ops); 1898 if (IS_ERR(aafs_mnt)) 1899 panic("can't set apparmorfs up\n"); 1900 aafs_mnt->mnt_sb->s_flags &= ~MS_NOUSER; 1901 1902 /* Populate fs tree. */ |
| 1858 error = entry_create_dir(&aa_fs_entry, NULL); | 1903 error = entry_create_dir(&aa_sfs_entry, NULL); |
| 1859 if (error) 1860 goto error; 1861 | 1904 if (error) 1905 goto error; 1906 |
| 1862 dent = securityfs_create_file(".load", 0666, aa_fs_entry.dentry, | 1907 dent = securityfs_create_file(".load", 0666, aa_sfs_entry.dentry, |
| 1863 NULL, &aa_fs_profile_load); 1864 if (IS_ERR(dent)) { 1865 error = PTR_ERR(dent); 1866 goto error; 1867 } 1868 ns_subload(root_ns) = dent; 1869 | 1908 NULL, &aa_fs_profile_load); 1909 if (IS_ERR(dent)) { 1910 error = PTR_ERR(dent); 1911 goto error; 1912 } 1913 ns_subload(root_ns) = dent; 1914 |
| 1870 dent = securityfs_create_file(".replace", 0666, aa_fs_entry.dentry, | 1915 dent = securityfs_create_file(".replace", 0666, aa_sfs_entry.dentry, |
| 1871 NULL, &aa_fs_profile_replace); 1872 if (IS_ERR(dent)) { 1873 error = PTR_ERR(dent); 1874 goto error; 1875 } 1876 ns_subreplace(root_ns) = dent; 1877 | 1916 NULL, &aa_fs_profile_replace); 1917 if (IS_ERR(dent)) { 1918 error = PTR_ERR(dent); 1919 goto error; 1920 } 1921 ns_subreplace(root_ns) = dent; 1922 |
| 1878 dent = securityfs_create_file(".remove", 0666, aa_fs_entry.dentry, | 1923 dent = securityfs_create_file(".remove", 0666, aa_sfs_entry.dentry, |
| 1879 NULL, &aa_fs_profile_remove); 1880 if (IS_ERR(dent)) { 1881 error = PTR_ERR(dent); 1882 goto error; 1883 } 1884 ns_subremove(root_ns) = dent; 1885 1886 mutex_lock(&root_ns->lock); | 1924 NULL, &aa_fs_profile_remove); 1925 if (IS_ERR(dent)) { 1926 error = PTR_ERR(dent); 1927 goto error; 1928 } 1929 ns_subremove(root_ns) = dent; 1930 1931 mutex_lock(&root_ns->lock); |
| 1887 error = __aa_fs_ns_mkdir(root_ns, aa_fs_entry.dentry, "policy"); | 1932 error = __aafs_ns_mkdir(root_ns, aa_sfs_entry.dentry, "policy"); |
| 1888 mutex_unlock(&root_ns->lock); 1889 1890 if (error) 1891 goto error; 1892 | 1933 mutex_unlock(&root_ns->lock); 1934 1935 if (error) 1936 goto error; 1937 |
| 1893 error = aa_mk_null_file(aa_fs_entry.dentry); | 1938 error = aa_mk_null_file(aa_sfs_entry.dentry); |
| 1894 if (error) 1895 goto error; 1896 1897 /* TODO: add default profile to apparmorfs */ 1898 1899 /* Report that AppArmor fs is enabled */ 1900 aa_info_message("AppArmor Filesystem Enabled"); 1901 return 0; 1902 1903error: 1904 aa_destroy_aafs(); 1905 AA_ERROR("Error creating AppArmor securityfs\n"); 1906 return error; 1907} 1908 1909fs_initcall(aa_create_aafs); | 1939 if (error) 1940 goto error; 1941 1942 /* TODO: add default profile to apparmorfs */ 1943 1944 /* Report that AppArmor fs is enabled */ 1945 aa_info_message("AppArmor Filesystem Enabled"); 1946 return 0; 1947 1948error: 1949 aa_destroy_aafs(); 1950 AA_ERROR("Error creating AppArmor securityfs\n"); 1951 return error; 1952} 1953 1954fs_initcall(aa_create_aafs); |