1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor policy manipulation functions 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 * 10 * AppArmor policy is based around profiles, which contain the rules a 11 * task is confined by. Every task in the system has a profile attached 12 * to it determined either by matching "unconfined" tasks against the 13 * visible set of profiles or by following a profiles attachment rules. 14 * 15 * Each profile exists in a profile namespace which is a container of 16 * visible profiles. Each namespace contains a special "unconfined" profile, 17 * which doesn't enforce any confinement on a task beyond DAC. 18 * 19 * Namespace and profile names can be written together in either 20 * of two syntaxes. 21 * :namespace:profile - used by kernel interfaces for easy detection 22 * namespace://profile - used by policy 23 * 24 * Profile names can not start with : or @ or ^ and may not contain \0 25 * 26 * Reserved profile names 27 * unconfined - special automatically generated unconfined profile 28 * inherit - special name to indicate profile inheritance 29 * null-XXXX-YYYY - special automatically generated learning profiles 30 * 31 * Namespace names may not start with / or @ and may not contain \0 or : 32 * Reserved namespace names 33 * user-XXXX - user defined profiles 34 * 35 * a // in a profile or namespace name indicates a hierarchical name with the 36 * name before the // being the parent and the name after the child. 37 * 38 * Profile and namespace hierarchies serve two different but similar purposes. 39 * The namespace contains the set of visible profiles that are considered 40 * for attachment. The hierarchy of namespaces allows for virtualizing 41 * the namespace so that for example a chroot can have its own set of profiles 42 * which may define some local user namespaces. 43 * The profile hierarchy severs two distinct purposes, 44 * - it allows for sub profiles or hats, which allows an application to run 45 * subprograms under its own profile with different restriction than it 46 * self, and not have it use the system profile. 47 * eg. if a mail program starts an editor, the policy might make the 48 * restrictions tighter on the editor tighter than the mail program, 49 * and definitely different than general editor restrictions 50 * - it allows for binary hierarchy of profiles, so that execution history 51 * is preserved. This feature isn't exploited by AppArmor reference policy 52 * but is allowed. NOTE: this is currently suboptimal because profile 53 * aliasing is not currently implemented so that a profile for each 54 * level must be defined. 55 * eg. /bin/bash///bin/ls as a name would indicate /bin/ls was started 56 * from /bin/bash 57 * 58 * A profile or namespace name that can contain one or more // separators 59 * is referred to as an hname (hierarchical). 60 * eg. /bin/bash//bin/ls 61 * 62 * An fqname is a name that may contain both namespace and profile hnames. 63 * eg. :ns:/bin/bash//bin/ls 64 * 65 * NOTES: 66 * - locking of profile lists is currently fairly coarse. All profile 67 * lists within a namespace use the namespace lock. 68 * FIXME: move profile lists to using rcu_lists 69 */ 70 71 #include <linux/slab.h> 72 #include <linux/spinlock.h> 73 #include <linux/string.h> 74 #include <linux/cred.h> 75 #include <linux/rculist.h> 76 #include <linux/user_namespace.h> 77 78 #include "include/apparmor.h" 79 #include "include/capability.h" 80 #include "include/cred.h" 81 #include "include/file.h" 82 #include "include/ipc.h" 83 #include "include/match.h" 84 #include "include/path.h" 85 #include "include/policy.h" 86 #include "include/policy_ns.h" 87 #include "include/policy_unpack.h" 88 #include "include/resource.h" 89 90 int unprivileged_userns_apparmor_policy = 1; 91 int aa_unprivileged_unconfined_restricted; 92 93 const char *const aa_profile_mode_names[] = { 94 "enforce", 95 "complain", 96 "kill", 97 "unconfined", 98 "user", 99 }; 100 101 void aa_destroy_tags(struct aa_tags_struct *tags) 102 { 103 kfree_sensitive(tags->hdrs.table); 104 kfree_sensitive(tags->sets.table); 105 aa_destroy_str_table(&tags->strs); 106 memset(tags, 0, sizeof(*tags)); 107 } 108 109 static void aa_free_pdb(struct aa_policydb *pdb) 110 { 111 if (pdb) { 112 aa_put_dfa(pdb->dfa); 113 kvfree(pdb->perms); 114 aa_destroy_str_table(&pdb->trans); 115 aa_destroy_tags(&pdb->tags); 116 kfree(pdb); 117 } 118 } 119 120 /** 121 * aa_pdb_free_kref - free aa_policydb by kref (called by aa_put_pdb) 122 * @kref: kref callback for freeing of a dfa (NOT NULL) 123 */ 124 void aa_pdb_free_kref(struct kref *kref) 125 { 126 struct aa_policydb *pdb = container_of(kref, struct aa_policydb, count); 127 128 aa_free_pdb(pdb); 129 } 130 131 132 struct aa_policydb *aa_alloc_pdb(gfp_t gfp) 133 { 134 struct aa_policydb *pdb = kzalloc_obj(struct aa_policydb, gfp); 135 136 if (!pdb) 137 return NULL; 138 139 kref_init(&pdb->count); 140 141 return pdb; 142 } 143 144 145 /** 146 * __add_profile - add a profiles to list and label tree 147 * @list: list to add it to (NOT NULL) 148 * @profile: the profile to add (NOT NULL) 149 * 150 * refcount @profile, should be put by __list_remove_profile 151 * 152 * Requires: namespace lock be held, or list not be shared 153 */ 154 static void __add_profile(struct list_head *list, struct aa_profile *profile) 155 { 156 struct aa_label *l; 157 158 AA_BUG(!list); 159 AA_BUG(!profile); 160 AA_BUG(!profile->ns); 161 AA_BUG(!mutex_is_locked(&profile->ns->lock)); 162 163 list_add_rcu(&profile->base.list, list); 164 /* get list reference */ 165 aa_get_profile(profile); 166 l = aa_label_insert(&profile->ns->labels, &profile->label); 167 AA_BUG(l != &profile->label); 168 aa_put_label(l); 169 } 170 171 /** 172 * __list_remove_profile - remove a profile from the list it is on 173 * @profile: the profile to remove (NOT NULL) 174 * 175 * remove a profile from the list, warning generally removal should 176 * be done with __replace_profile as most profile removals are 177 * replacements to the unconfined profile. 178 * 179 * put @profile list refcount 180 * 181 * Requires: namespace lock be held, or list not have been live 182 */ 183 static void __list_remove_profile(struct aa_profile *profile) 184 { 185 AA_BUG(!profile); 186 AA_BUG(!profile->ns); 187 AA_BUG(!mutex_is_locked(&profile->ns->lock)); 188 189 list_del_rcu(&profile->base.list); 190 aa_put_profile(profile); 191 } 192 193 /** 194 * __remove_profile - remove profile, and children 195 * @profile: profile to be removed (NOT NULL) 196 * 197 * Requires: namespace list lock be held, or list not be shared 198 */ 199 static void __remove_profile(struct aa_profile *profile) 200 { 201 struct aa_profile *curr, *to_remove; 202 203 AA_BUG(!profile); 204 AA_BUG(!profile->ns); 205 AA_BUG(!mutex_is_locked(&profile->ns->lock)); 206 207 /* release any children lists first */ 208 if (!list_empty(&profile->base.profiles)) { 209 curr = list_first_entry(&profile->base.profiles, struct aa_profile, base.list); 210 211 while (curr != profile) { 212 213 while (!list_empty(&curr->base.profiles)) 214 curr = list_first_entry(&curr->base.profiles, 215 struct aa_profile, base.list); 216 217 to_remove = curr; 218 if (!list_is_last(&to_remove->base.list, 219 &aa_deref_parent(curr)->base.profiles)) 220 curr = list_next_entry(to_remove, base.list); 221 else 222 curr = aa_deref_parent(curr); 223 224 /* released by free_profile */ 225 aa_label_remove(&to_remove->label); 226 __aafs_profile_rmdir(to_remove); 227 __list_remove_profile(to_remove); 228 } 229 } 230 231 /* released by free_profile */ 232 aa_label_remove(&profile->label); 233 __aafs_profile_rmdir(profile); 234 __list_remove_profile(profile); 235 } 236 237 /** 238 * __aa_profile_list_release - remove all profiles on the list and put refs 239 * @head: list of profiles (NOT NULL) 240 * 241 * Requires: namespace lock be held 242 */ 243 void __aa_profile_list_release(struct list_head *head) 244 { 245 struct aa_profile *profile, *tmp; 246 list_for_each_entry_safe(profile, tmp, head, base.list) 247 __remove_profile(profile); 248 } 249 250 /** 251 * aa_free_data - free a data blob 252 * @ptr: data to free 253 * @arg: unused 254 */ 255 static void aa_free_data(void *ptr, void *arg) 256 { 257 struct aa_data *data = ptr; 258 259 if (!ptr) 260 return; 261 262 kvfree_sensitive(data->data, data->size); 263 kfree_sensitive(data->key); 264 kfree_sensitive(data); 265 } 266 267 static void free_attachment(struct aa_attachment *attach) 268 { 269 int i; 270 271 if (!attach) 272 return; 273 274 for (i = 0; i < attach->xattr_count; i++) 275 kfree_sensitive(attach->xattrs[i]); 276 kfree_sensitive(attach->xattrs); 277 aa_put_pdb(attach->xmatch); 278 } 279 280 static void free_ruleset(struct aa_ruleset *rules) 281 { 282 int i; 283 284 if (!rules) 285 return; 286 287 aa_put_pdb(rules->file); 288 aa_put_pdb(rules->policy); 289 aa_free_cap_rules(&rules->caps); 290 aa_free_rlimit_rules(&rules->rlimits); 291 292 for (i = 0; i < rules->secmark_count; i++) 293 kfree_sensitive(rules->secmark[i].label); 294 kfree_sensitive(rules->secmark); 295 kfree_sensitive(rules); 296 } 297 298 struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp) 299 { 300 struct aa_ruleset *rules; 301 302 rules = kzalloc_obj(*rules, gfp); 303 304 return rules; 305 } 306 307 /** 308 * aa_free_profile - free a profile 309 * @profile: the profile to free (MAYBE NULL) 310 * 311 * Free a profile, its hats and null_profile. All references to the profile, 312 * its hats and null_profile must have been put. 313 * 314 * If the profile was referenced from a task context, free_profile() will 315 * be called from an rcu callback routine, so we must not sleep here. 316 */ 317 void aa_free_profile(struct aa_profile *profile) 318 { 319 struct rhashtable *rht; 320 321 AA_DEBUG(DEBUG_POLICY, "%s(%p)\n", __func__, profile); 322 323 if (!profile) 324 return; 325 326 /* free children profiles */ 327 aa_policy_destroy(&profile->base); 328 aa_put_profile(rcu_access_pointer(profile->parent)); 329 330 aa_put_ns(profile->ns); 331 kfree_sensitive(profile->rename); 332 kfree_sensitive(profile->disconnected); 333 334 free_attachment(&profile->attach); 335 336 /* 337 * at this point there are no tasks that can have a reference 338 * to rules 339 */ 340 for (int i = 0; i < profile->n_rules; i++) 341 free_ruleset(profile->label.rules[i]); 342 343 kfree_sensitive(profile->dirname); 344 345 if (profile->data) { 346 rht = profile->data; 347 profile->data = NULL; 348 rhashtable_free_and_destroy(rht, aa_free_data, NULL); 349 kfree_sensitive(rht); 350 } 351 352 kfree_sensitive(profile->hash); 353 aa_put_profile_loaddata(profile->rawdata); 354 aa_label_destroy(&profile->label); 355 356 kfree_sensitive(profile); 357 } 358 359 /** 360 * aa_alloc_profile - allocate, initialize and return a new profile 361 * @hname: name of the profile (NOT NULL) 362 * @proxy: proxy to use OR null if to allocate a new one 363 * @gfp: allocation type 364 * 365 * Returns: refcount profile or NULL on failure 366 */ 367 struct aa_profile *aa_alloc_profile(const char *hname, struct aa_proxy *proxy, 368 gfp_t gfp) 369 { 370 struct aa_profile *profile; 371 372 /* freed by free_profile - usually through aa_put_profile 373 * this adds space for a single ruleset in the rules section of the 374 * label 375 */ 376 profile = kzalloc_flex(*profile, label.rules, 1, gfp); 377 if (!profile) 378 return NULL; 379 380 if (!aa_policy_init(&profile->base, NULL, hname, gfp)) 381 goto fail; 382 if (!aa_label_init(&profile->label, 1, gfp)) 383 goto fail; 384 385 /* allocate the first ruleset, but leave it empty */ 386 profile->label.rules[0] = aa_alloc_ruleset(gfp); 387 if (!profile->label.rules[0]) 388 goto fail; 389 profile->n_rules = 1; 390 391 /* update being set needed by fs interface */ 392 if (!proxy) { 393 proxy = aa_alloc_proxy(&profile->label, gfp); 394 if (!proxy) 395 goto fail; 396 } else 397 aa_get_proxy(proxy); 398 profile->label.proxy = proxy; 399 400 profile->label.hname = profile->base.hname; 401 profile->label.flags |= FLAG_PROFILE; 402 profile->label.vec[0] = profile; 403 404 profile->signal = SIGKILL; 405 /* refcount released by caller */ 406 return profile; 407 408 fail: 409 aa_free_profile(profile); 410 411 return NULL; 412 } 413 414 static inline bool ANY_RULE_MEDIATES(struct aa_profile *profile, 415 unsigned char class) 416 { 417 int i; 418 419 for (i = 0; i < profile->n_rules; i++) { 420 if (RULE_MEDIATES(profile->label.rules[i], class)) 421 return true; 422 } 423 return false; 424 } 425 426 /* set of rules that are mediated by unconfined */ 427 static int unconfined_mediates[] = { AA_CLASS_NS, AA_CLASS_IO_URING, 0 }; 428 429 /* must be called after profile rulesets and start information is setup */ 430 void aa_compute_profile_mediates(struct aa_profile *profile) 431 { 432 int c; 433 434 if (profile_unconfined(profile)) { 435 int *pos; 436 437 for (pos = unconfined_mediates; *pos; pos++) { 438 if (ANY_RULE_MEDIATES(profile, *pos)) 439 profile->label.mediates |= ((u64) 1) << AA_CLASS_NS; 440 } 441 return; 442 } 443 for (c = 0; c <= AA_CLASS_LAST; c++) { 444 if (ANY_RULE_MEDIATES(profile, c)) 445 profile->label.mediates |= ((u64) 1) << c; 446 } 447 } 448 449 /* TODO: profile accounting - setup in remove */ 450 451 /** 452 * __strn_find_child - find a profile on @head list using substring of @name 453 * @head: list to search (NOT NULL) 454 * @name: name of profile (NOT NULL) 455 * @len: length of @name substring to match 456 * 457 * Requires: rcu_read_lock be held 458 * 459 * Returns: unrefcounted profile ptr, or NULL if not found 460 */ 461 static struct aa_profile *__strn_find_child(struct list_head *head, 462 const char *name, int len) 463 { 464 return (struct aa_profile *)__policy_strn_find(head, name, len); 465 } 466 467 /** 468 * __find_child - find a profile on @head list with a name matching @name 469 * @head: list to search (NOT NULL) 470 * @name: name of profile (NOT NULL) 471 * 472 * Requires: rcu_read_lock be held 473 * 474 * Returns: unrefcounted profile ptr, or NULL if not found 475 */ 476 static struct aa_profile *__find_child(struct list_head *head, const char *name) 477 { 478 return __strn_find_child(head, name, strlen(name)); 479 } 480 481 /** 482 * aa_find_child - find a profile by @name in @parent 483 * @parent: profile to search (NOT NULL) 484 * @name: profile name to search for (NOT NULL) 485 * 486 * Returns: a refcounted profile or NULL if not found 487 */ 488 struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name) 489 { 490 struct aa_profile *profile; 491 492 rcu_read_lock(); 493 do { 494 profile = __find_child(&parent->base.profiles, name); 495 } while (profile && !aa_get_profile_not0(profile)); 496 rcu_read_unlock(); 497 498 /* refcount released by caller */ 499 return profile; 500 } 501 502 /** 503 * __lookup_parent - lookup the parent of a profile of name @hname 504 * @ns: namespace to lookup profile in (NOT NULL) 505 * @hname: hierarchical profile name to find parent of (NOT NULL) 506 * 507 * Lookups up the parent of a fully qualified profile name, the profile 508 * that matches hname does not need to exist, in general this 509 * is used to load a new profile. 510 * 511 * Requires: rcu_read_lock be held 512 * 513 * Returns: unrefcounted policy or NULL if not found 514 */ 515 static struct aa_policy *__lookup_parent(struct aa_ns *ns, 516 const char *hname) 517 { 518 struct aa_policy *policy; 519 struct aa_profile *profile = NULL; 520 char *split; 521 522 policy = &ns->base; 523 524 for (split = strstr(hname, "//"); split;) { 525 profile = __strn_find_child(&policy->profiles, hname, 526 split - hname); 527 if (!profile) 528 return NULL; 529 policy = &profile->base; 530 hname = split + 2; 531 split = strstr(hname, "//"); 532 } 533 if (!profile) 534 return &ns->base; 535 return &profile->base; 536 } 537 538 /** 539 * __create_missing_ancestors - create place holders for missing ancestors 540 * @ns: namespace to lookup profile in (NOT NULL) 541 * @hname: hierarchical profile name to find parent of (NOT NULL) 542 * @gfp: type of allocation. 543 * 544 * Requires: ns mutex lock held 545 * 546 * Return: unrefcounted parent policy on success or %NULL if error creating 547 * place holder profiles. 548 */ 549 static struct aa_policy *__create_missing_ancestors(struct aa_ns *ns, 550 const char *hname, 551 gfp_t gfp) 552 { 553 struct aa_policy *policy; 554 struct aa_profile *parent, *profile = NULL; 555 char *split; 556 557 AA_BUG(!ns); 558 AA_BUG(!hname); 559 560 policy = &ns->base; 561 562 for (split = strstr(hname, "//"); split;) { 563 parent = profile; 564 profile = __strn_find_child(&policy->profiles, hname, 565 split - hname); 566 if (!profile) { 567 const char *name = kstrndup(hname, split - hname, 568 gfp); 569 if (!name) 570 return NULL; 571 profile = aa_alloc_null(parent, name, gfp); 572 kfree(name); 573 if (!profile) 574 return NULL; 575 if (!parent) 576 profile->ns = aa_get_ns(ns); 577 } 578 policy = &profile->base; 579 hname = split + 2; 580 split = strstr(hname, "//"); 581 } 582 if (!profile) 583 return &ns->base; 584 return &profile->base; 585 } 586 587 /** 588 * __lookupn_profile - lookup the profile matching @hname 589 * @base: base list to start looking up profile name from (NOT NULL) 590 * @hname: hierarchical profile name (NOT NULL) 591 * @n: length of @hname 592 * 593 * Requires: rcu_read_lock be held 594 * 595 * Returns: unrefcounted profile pointer or NULL if not found 596 * 597 * Do a relative name lookup, recursing through profile tree. 598 */ 599 static struct aa_profile *__lookupn_profile(struct aa_policy *base, 600 const char *hname, size_t n) 601 { 602 struct aa_profile *profile = NULL; 603 const char *split; 604 605 for (split = strnstr(hname, "//", n); split; 606 split = strnstr(hname, "//", n)) { 607 profile = __strn_find_child(&base->profiles, hname, 608 split - hname); 609 if (!profile) 610 return NULL; 611 612 base = &profile->base; 613 n -= split + 2 - hname; 614 hname = split + 2; 615 } 616 617 if (n) 618 return __strn_find_child(&base->profiles, hname, n); 619 return NULL; 620 } 621 622 static struct aa_profile *__lookup_profile(struct aa_policy *base, 623 const char *hname) 624 { 625 return __lookupn_profile(base, hname, strlen(hname)); 626 } 627 628 /** 629 * aa_lookupn_profile - find a profile by its full or partial name 630 * @ns: the namespace to start from (NOT NULL) 631 * @hname: name to do lookup on. Does not contain namespace prefix (NOT NULL) 632 * @n: size of @hname 633 * 634 * Returns: refcounted profile or NULL if not found 635 */ 636 struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname, 637 size_t n) 638 { 639 struct aa_profile *profile; 640 641 rcu_read_lock(); 642 do { 643 profile = __lookupn_profile(&ns->base, hname, n); 644 } while (profile && !aa_get_profile_not0(profile)); 645 rcu_read_unlock(); 646 647 /* the unconfined profile is not in the regular profile list */ 648 if (!profile && strncmp(hname, "unconfined", n) == 0) 649 profile = aa_get_newest_profile(ns->unconfined); 650 651 /* refcount released by caller */ 652 return profile; 653 } 654 655 struct aa_profile *aa_fqlookupn_profile(struct aa_label *base, 656 const char *fqname, size_t n) 657 { 658 struct aa_profile *profile; 659 struct aa_ns *ns; 660 const char *name, *ns_name; 661 size_t ns_len; 662 663 name = aa_splitn_fqname(fqname, n, &ns_name, &ns_len); 664 if (ns_name) { 665 ns = aa_lookupn_ns(labels_ns(base), ns_name, ns_len); 666 if (!ns) 667 return NULL; 668 } else 669 ns = aa_get_ns(labels_ns(base)); 670 671 if (name) 672 profile = aa_lookupn_profile(ns, name, n - (name - fqname)); 673 else if (ns) 674 /* default profile for ns, currently unconfined */ 675 profile = aa_get_newest_profile(ns->unconfined); 676 else 677 profile = NULL; 678 aa_put_ns(ns); 679 680 return profile; 681 } 682 683 684 struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name, 685 gfp_t gfp) 686 { 687 struct aa_profile *profile; 688 struct aa_ruleset *rules; 689 690 profile = aa_alloc_profile(name, NULL, gfp); 691 if (!profile) 692 return NULL; 693 694 /* TODO: ideally we should inherit abi from parent */ 695 profile->label.flags |= FLAG_NULL; 696 profile->attach.xmatch = aa_get_pdb(nullpdb); 697 rules = profile->label.rules[0]; 698 rules->file = aa_get_pdb(nullpdb); 699 rules->policy = aa_get_pdb(nullpdb); 700 aa_compute_profile_mediates(profile); 701 702 if (parent) { 703 profile->path_flags = parent->path_flags; 704 /* override/inherit what is mediated from parent */ 705 profile->label.mediates = parent->label.mediates; 706 /* released on free_profile */ 707 rcu_assign_pointer(profile->parent, aa_get_profile(parent)); 708 profile->ns = aa_get_ns(parent->ns); 709 } 710 711 return profile; 712 } 713 714 /** 715 * aa_new_learning_profile - create or find a null-X learning profile 716 * @parent: profile that caused this profile to be created (NOT NULL) 717 * @hat: true if the null- learning profile is a hat 718 * @base: name to base the null profile off of 719 * @gfp: type of allocation 720 * 721 * Find/Create a null- complain mode profile used in learning mode. The 722 * name of the profile is unique and follows the format of parent//null-XXX. 723 * where XXX is based on the @name or if that fails or is not supplied 724 * a unique number 725 * 726 * null profiles are added to the profile list but the list does not 727 * hold a count on them so that they are automatically released when 728 * not in use. 729 * 730 * Returns: new refcounted profile else NULL on failure 731 */ 732 struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat, 733 const char *base, gfp_t gfp) 734 { 735 struct aa_profile *p, *profile; 736 const char *bname; 737 char *name = NULL; 738 size_t name_sz; 739 740 AA_BUG(!parent); 741 742 if (base) { 743 name_sz = strlen(parent->base.hname) + 8 + strlen(base); 744 name = kmalloc(name_sz, gfp); 745 if (name) { 746 snprintf(name, name_sz, "%s//null-%s", 747 parent->base.hname, base); 748 goto name; 749 } 750 /* fall through to try shorter uniq */ 751 } 752 753 name_sz = strlen(parent->base.hname) + 2 + 7 + 8; 754 name = kmalloc(name_sz, gfp); 755 if (!name) 756 return NULL; 757 snprintf(name, name_sz, "%s//null-%x", parent->base.hname, 758 atomic_inc_return(&parent->ns->uniq_null)); 759 760 name: 761 /* lookup to see if this is a dup creation */ 762 bname = basename(name); 763 profile = aa_find_child(parent, bname); 764 if (profile) 765 goto out; 766 767 profile = aa_alloc_null(parent, name, gfp); 768 if (!profile) 769 goto fail; 770 profile->mode = APPARMOR_COMPLAIN; 771 if (hat) 772 profile->label.flags |= FLAG_HAT; 773 774 mutex_lock_nested(&profile->ns->lock, profile->ns->level); 775 p = __find_child(&parent->base.profiles, bname); 776 if (p) { 777 aa_free_profile(profile); 778 profile = aa_get_profile(p); 779 } else { 780 __add_profile(&parent->base.profiles, profile); 781 } 782 mutex_unlock(&profile->ns->lock); 783 784 /* refcount released by caller */ 785 out: 786 kfree(name); 787 788 return profile; 789 790 fail: 791 kfree(name); 792 aa_free_profile(profile); 793 return NULL; 794 } 795 796 /** 797 * replacement_allowed - test to see if replacement is allowed 798 * @profile: profile to test if it can be replaced (MAYBE NULL) 799 * @noreplace: true if replacement shouldn't be allowed but addition is okay 800 * @info: Returns - info about why replacement failed (NOT NULL) 801 * 802 * Returns: %0 if replacement allowed else error code 803 */ 804 static int replacement_allowed(struct aa_profile *profile, int noreplace, 805 const char **info) 806 { 807 if (profile) { 808 if (profile->label.flags & FLAG_IMMUTIBLE) { 809 *info = "cannot replace immutable profile"; 810 return -EPERM; 811 } else if (noreplace) { 812 *info = "profile already exists"; 813 return -EEXIST; 814 } 815 } 816 return 0; 817 } 818 819 /* audit callback for net specific fields */ 820 static void audit_cb(struct audit_buffer *ab, void *va) 821 { 822 struct common_audit_data *sa = va; 823 struct apparmor_audit_data *ad = aad(sa); 824 825 if (ad->iface.ns) { 826 audit_log_format(ab, " ns="); 827 audit_log_untrustedstring(ab, ad->iface.ns); 828 } 829 } 830 831 /** 832 * audit_policy - Do auditing of policy changes 833 * @subj_label: label to check if it can manage policy 834 * @op: policy operation being performed 835 * @ns_name: name of namespace being manipulated 836 * @name: name of profile being manipulated (NOT NULL) 837 * @info: any extra information to be audited (MAYBE NULL) 838 * @error: error code 839 * 840 * Returns: the error to be returned after audit is done 841 */ 842 static int audit_policy(struct aa_label *subj_label, const char *op, 843 const char *ns_name, const char *name, 844 const char *info, int error) 845 { 846 DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, op); 847 848 ad.iface.ns = ns_name; 849 ad.name = name; 850 ad.info = info; 851 ad.error = error; 852 ad.subj_label = subj_label; 853 854 aa_audit_msg(AUDIT_APPARMOR_STATUS, &ad, audit_cb); 855 856 return error; 857 } 858 859 /* don't call out to other LSMs in the stack for apparmor policy admin 860 * permissions 861 */ 862 static int policy_ns_capable(const struct cred *subj_cred, 863 struct aa_label *label, 864 struct user_namespace *userns, int cap) 865 { 866 int err; 867 868 /* check for MAC_ADMIN cap in cred */ 869 err = cap_capable(subj_cred, userns, cap, CAP_OPT_NONE); 870 if (!err) 871 err = aa_capable(subj_cred, label, cap, CAP_OPT_NONE); 872 873 return err; 874 } 875 876 /** 877 * aa_policy_view_capable - check if viewing policy in at @ns is allowed 878 * @subj_cred: cred of subject 879 * @label: label that is trying to view policy in ns 880 * @ns: namespace being viewed by @label (may be NULL if @label's ns) 881 * 882 * Returns: true if viewing policy is allowed 883 * 884 * If @ns is NULL then the namespace being viewed is assumed to be the 885 * tasks current namespace. 886 */ 887 bool aa_policy_view_capable(const struct cred *subj_cred, 888 struct aa_label *label, struct aa_ns *ns) 889 { 890 struct user_namespace *user_ns = subj_cred->user_ns; 891 struct aa_ns *view_ns = labels_view(label); 892 bool root_in_user_ns = uid_eq(current_euid(), make_kuid(user_ns, 0)) || 893 in_egroup_p(make_kgid(user_ns, 0)); 894 bool response = false; 895 if (!ns) 896 ns = view_ns; 897 898 if (root_in_user_ns && aa_ns_visible(view_ns, ns, true) && 899 (user_ns == &init_user_ns || 900 (unprivileged_userns_apparmor_policy != 0 && 901 user_ns->level == view_ns->level))) 902 response = true; 903 904 return response; 905 } 906 907 bool aa_policy_admin_capable(const struct cred *subj_cred, 908 struct aa_label *label, struct aa_ns *ns) 909 { 910 struct user_namespace *user_ns = subj_cred->user_ns; 911 bool capable = policy_ns_capable(subj_cred, label, user_ns, 912 CAP_MAC_ADMIN) == 0; 913 914 AA_DEBUG(DEBUG_POLICY, "cap_mac_admin? %d\n", capable); 915 AA_DEBUG(DEBUG_POLICY, "policy locked? %d\n", aa_g_lock_policy); 916 917 return aa_policy_view_capable(subj_cred, label, ns) && capable && 918 !aa_g_lock_policy; 919 } 920 921 bool aa_current_policy_view_capable(struct aa_ns *ns) 922 { 923 struct aa_label *label; 924 bool needput, res; 925 926 label = __begin_current_label_crit_section(&needput); 927 res = aa_policy_view_capable(current_cred(), label, ns); 928 __end_current_label_crit_section(label, needput); 929 930 return res; 931 } 932 933 bool aa_current_policy_admin_capable(struct aa_ns *ns) 934 { 935 struct aa_label *label; 936 bool needput, res; 937 938 label = __begin_current_label_crit_section(&needput); 939 res = aa_policy_admin_capable(current_cred(), label, ns); 940 __end_current_label_crit_section(label, needput); 941 942 return res; 943 } 944 945 static bool is_subset_of_obj_privilege(const struct cred *cred, 946 struct aa_label *label, 947 const struct cred *ocred) 948 { 949 if (cred == ocred) 950 return true; 951 952 if (!aa_label_is_subset(label, cred_label(ocred))) 953 return false; 954 /* don't allow crossing userns for now */ 955 if (cred->user_ns != ocred->user_ns) 956 return false; 957 if (!cap_issubset(cred->cap_inheritable, ocred->cap_inheritable)) 958 return false; 959 if (!cap_issubset(cred->cap_permitted, ocred->cap_permitted)) 960 return false; 961 if (!cap_issubset(cred->cap_effective, ocred->cap_effective)) 962 return false; 963 if (!cap_issubset(cred->cap_bset, ocred->cap_bset)) 964 return false; 965 if (!cap_issubset(cred->cap_ambient, ocred->cap_ambient)) 966 return false; 967 return true; 968 } 969 970 971 /** 972 * aa_may_manage_policy - can the current task manage policy 973 * @subj_cred: subjects cred 974 * @label: label to check if it can manage policy 975 * @ns: namespace being managed by @label (may be NULL if @label's ns) 976 * @ocred: object cred if request is coming from an open object 977 * @mask: contains the policy manipulation operation being done 978 * 979 * Returns: 0 if the task is allowed to manipulate policy else error 980 */ 981 int aa_may_manage_policy(const struct cred *subj_cred, struct aa_label *label, 982 struct aa_ns *ns, const struct cred *ocred, u32 mask) 983 { 984 const char *op; 985 986 if (mask & AA_MAY_REMOVE_POLICY) 987 op = OP_PROF_RM; 988 else if (mask & AA_MAY_REPLACE_POLICY) 989 op = OP_PROF_REPL; 990 else 991 op = OP_PROF_LOAD; 992 993 /* check if loading policy is locked out */ 994 if (aa_g_lock_policy) 995 return audit_policy(label, op, NULL, NULL, "policy_locked", 996 -EACCES); 997 998 if (ocred && !is_subset_of_obj_privilege(subj_cred, label, ocred)) 999 return audit_policy(label, op, NULL, NULL, 1000 "not privileged for target profile", 1001 -EACCES); 1002 1003 if (!aa_policy_admin_capable(subj_cred, label, ns)) 1004 return audit_policy(label, op, NULL, NULL, "not policy admin", 1005 -EACCES); 1006 1007 /* TODO: add fine grained mediation of policy loads */ 1008 return 0; 1009 } 1010 1011 static struct aa_profile *__list_lookup_parent(struct list_head *lh, 1012 struct aa_profile *profile) 1013 { 1014 const char *base = basename(profile->base.hname); 1015 long len = base - profile->base.hname; 1016 struct aa_load_ent *ent; 1017 1018 /* parent won't have trailing // so remove from len */ 1019 if (len <= 2) 1020 return NULL; 1021 len -= 2; 1022 1023 list_for_each_entry(ent, lh, list) { 1024 if (ent->new == profile) 1025 continue; 1026 if (strncmp(ent->new->base.hname, profile->base.hname, len) == 1027 0 && ent->new->base.hname[len] == 0) 1028 return ent->new; 1029 } 1030 1031 return NULL; 1032 } 1033 1034 /** 1035 * __replace_profile - replace @old with @new on a list 1036 * @old: profile to be replaced (NOT NULL) 1037 * @new: profile to replace @old with (NOT NULL) 1038 * 1039 * Will duplicate and refcount elements that @new inherits from @old 1040 * and will inherit @old children. 1041 * 1042 * refcount @new for list, put @old list refcount 1043 * 1044 * Requires: namespace list lock be held, or list not be shared 1045 */ 1046 static void __replace_profile(struct aa_profile *old, struct aa_profile *new) 1047 { 1048 struct aa_profile *child, *tmp; 1049 1050 if (!list_empty(&old->base.profiles)) { 1051 LIST_HEAD(lh); 1052 list_splice_init_rcu(&old->base.profiles, &lh, synchronize_rcu); 1053 1054 list_for_each_entry_safe(child, tmp, &lh, base.list) { 1055 struct aa_profile *p; 1056 1057 list_del_init(&child->base.list); 1058 p = __find_child(&new->base.profiles, child->base.name); 1059 if (p) { 1060 /* @p replaces @child */ 1061 __replace_profile(child, p); 1062 continue; 1063 } 1064 1065 /* inherit @child and its children */ 1066 /* TODO: update hname of inherited children */ 1067 /* list refcount transferred to @new */ 1068 p = aa_deref_parent(child); 1069 rcu_assign_pointer(child->parent, aa_get_profile(new)); 1070 list_add_rcu(&child->base.list, &new->base.profiles); 1071 aa_put_profile(p); 1072 } 1073 } 1074 1075 if (!rcu_access_pointer(new->parent)) { 1076 struct aa_profile *parent = aa_deref_parent(old); 1077 rcu_assign_pointer(new->parent, aa_get_profile(parent)); 1078 } 1079 aa_label_replace(&old->label, &new->label); 1080 /* migrate dents must come after label replacement b/c update */ 1081 __aafs_profile_migrate_dents(old, new); 1082 1083 if (list_empty(&new->base.list)) { 1084 /* new is not on a list already */ 1085 list_replace_rcu(&old->base.list, &new->base.list); 1086 aa_get_profile(new); 1087 aa_put_profile(old); 1088 } else 1089 __list_remove_profile(old); 1090 } 1091 1092 /** 1093 * __lookup_replace - lookup replacement information for a profile 1094 * @ns: namespace the lookup occurs in 1095 * @hname: name of profile to lookup 1096 * @noreplace: true if not replacing an existing profile 1097 * @p: Returns - profile to be replaced 1098 * @info: Returns - info string on why lookup failed 1099 * 1100 * Returns: profile to replace (no ref) on success else ptr error 1101 */ 1102 static int __lookup_replace(struct aa_ns *ns, const char *hname, 1103 bool noreplace, struct aa_profile **p, 1104 const char **info) 1105 { 1106 *p = aa_get_profile(__lookup_profile(&ns->base, hname)); 1107 if (*p) { 1108 int error = replacement_allowed(*p, noreplace, info); 1109 if (error) { 1110 *info = "profile can not be replaced"; 1111 return error; 1112 } 1113 } 1114 1115 return 0; 1116 } 1117 1118 static void share_name(struct aa_profile *old, struct aa_profile *new) 1119 { 1120 aa_put_str(new->base.hname); 1121 aa_get_str(old->base.hname); 1122 new->base.hname = old->base.hname; 1123 new->base.name = old->base.name; 1124 new->label.hname = old->label.hname; 1125 } 1126 1127 /* Update to newest version of parent after previous replacements 1128 * Returns: unrefcount newest version of parent 1129 */ 1130 static struct aa_profile *update_to_newest_parent(struct aa_profile *new) 1131 { 1132 struct aa_profile *parent, *newest; 1133 1134 parent = rcu_dereference_protected(new->parent, 1135 mutex_is_locked(&new->ns->lock)); 1136 newest = aa_get_newest_profile(parent); 1137 1138 /* parent replaced in this atomic set? */ 1139 if (newest != parent) { 1140 aa_put_profile(parent); 1141 rcu_assign_pointer(new->parent, newest); 1142 } else 1143 aa_put_profile(newest); 1144 1145 return newest; 1146 } 1147 1148 /** 1149 * aa_replace_profiles - replace profile(s) on the profile list 1150 * @policy_ns: namespace load is occurring on 1151 * @label: label that is attempting to load/replace policy 1152 * @mask: permission mask 1153 * @udata: serialized data stream (NOT NULL) 1154 * 1155 * unpack and replace a profile on the profile list and uses of that profile 1156 * by any task creds via invalidating the old version of the profile, which 1157 * tasks will notice to update their own cred. If the profile does not exist 1158 * on the profile list it is added. 1159 * 1160 * Returns: size of data consumed else error code on failure. 1161 */ 1162 ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label, 1163 u32 mask, struct aa_loaddata *udata) 1164 { 1165 const char *ns_name = NULL, *info = NULL; 1166 struct aa_ns *ns = NULL; 1167 struct aa_load_ent *ent, *tmp; 1168 struct aa_loaddata *rawdata_ent; 1169 const char *op; 1170 ssize_t count, error; 1171 LIST_HEAD(lh); 1172 1173 op = mask & AA_MAY_REPLACE_POLICY ? OP_PROF_REPL : OP_PROF_LOAD; 1174 aa_get_profile_loaddata(udata); 1175 /* released below */ 1176 error = aa_unpack(udata, &lh, &ns_name); 1177 if (error) 1178 goto out; 1179 1180 /* ensure that profiles are all for the same ns 1181 * TODO: update locking to remove this constraint. All profiles in 1182 * the load set must succeed as a set or the load will 1183 * fail. Sort ent list and take ns locks in hierarchy order 1184 */ 1185 count = 0; 1186 list_for_each_entry(ent, &lh, list) { 1187 if (ns_name) { 1188 if (ent->ns_name && 1189 strcmp(ent->ns_name, ns_name) != 0) { 1190 info = "policy load has mixed namespaces"; 1191 error = -EACCES; 1192 goto fail; 1193 } 1194 } else if (ent->ns_name) { 1195 if (count) { 1196 info = "policy load has mixed namespaces"; 1197 error = -EACCES; 1198 goto fail; 1199 } 1200 ns_name = ent->ns_name; 1201 ent->ns_name = NULL; 1202 } else 1203 count++; 1204 } 1205 if (ns_name) { 1206 ns = aa_prepare_ns(policy_ns ? policy_ns : labels_ns(label), 1207 ns_name); 1208 if (IS_ERR(ns)) { 1209 op = OP_PROF_LOAD; 1210 info = "failed to prepare namespace"; 1211 error = PTR_ERR(ns); 1212 ns = NULL; 1213 ent = NULL; 1214 goto fail; 1215 } 1216 } else 1217 ns = aa_get_ns(policy_ns ? policy_ns : labels_ns(label)); 1218 1219 mutex_lock_nested(&ns->lock, ns->level); 1220 /* check for duplicate rawdata blobs: space and file dedup */ 1221 if (!list_empty(&ns->rawdata_list)) { 1222 list_for_each_entry(rawdata_ent, &ns->rawdata_list, list) { 1223 if (aa_rawdata_eq(rawdata_ent, udata)) { 1224 struct aa_loaddata *tmp; 1225 1226 tmp = aa_get_profile_loaddata(rawdata_ent); 1227 /* check we didn't fail the race */ 1228 if (tmp) { 1229 aa_put_profile_loaddata(udata); 1230 udata = tmp; 1231 break; 1232 } 1233 } 1234 } 1235 } 1236 /* setup parent and ns info */ 1237 list_for_each_entry(ent, &lh, list) { 1238 struct aa_policy *policy; 1239 struct aa_profile *p; 1240 1241 if (aa_g_export_binary) 1242 ent->new->rawdata = aa_get_profile_loaddata(udata); 1243 error = __lookup_replace(ns, ent->new->base.hname, 1244 !(mask & AA_MAY_REPLACE_POLICY), 1245 &ent->old, &info); 1246 if (error) 1247 goto fail_lock; 1248 1249 if (ent->new->rename) { 1250 error = __lookup_replace(ns, ent->new->rename, 1251 !(mask & AA_MAY_REPLACE_POLICY), 1252 &ent->rename, &info); 1253 if (error) 1254 goto fail_lock; 1255 } 1256 1257 /* released when @new is freed */ 1258 ent->new->ns = aa_get_ns(ns); 1259 1260 if (ent->old || ent->rename) 1261 continue; 1262 1263 /* no ref on policy only use inside lock */ 1264 p = NULL; 1265 policy = __lookup_parent(ns, ent->new->base.hname); 1266 if (!policy) { 1267 /* first check for parent in the load set */ 1268 p = __list_lookup_parent(&lh, ent->new); 1269 if (!p) { 1270 /* 1271 * fill in missing parent with null 1272 * profile that doesn't have 1273 * permissions. This allows for 1274 * individual profile loading where 1275 * the child is loaded before the 1276 * parent, and outside of the current 1277 * atomic set. This unfortunately can 1278 * happen with some userspaces. The 1279 * null profile will be replaced once 1280 * the parent is loaded. 1281 */ 1282 policy = __create_missing_ancestors(ns, 1283 ent->new->base.hname, 1284 GFP_KERNEL); 1285 if (!policy) { 1286 error = -ENOENT; 1287 info = "parent does not exist"; 1288 goto fail_lock; 1289 } 1290 } 1291 } 1292 if (!p && policy != &ns->base) 1293 /* released on profile replacement or free_profile */ 1294 p = (struct aa_profile *) policy; 1295 rcu_assign_pointer(ent->new->parent, aa_get_profile(p)); 1296 } 1297 1298 /* create new fs entries for introspection if needed */ 1299 if (!udata->dents[AAFS_LOADDATA_DIR] && aa_g_export_binary) { 1300 error = __aa_fs_create_rawdata(ns, udata); 1301 if (error) { 1302 info = "failed to create raw_data dir and files"; 1303 ent = NULL; 1304 goto fail_lock; 1305 } 1306 } 1307 list_for_each_entry(ent, &lh, list) { 1308 if (!ent->old) { 1309 struct dentry *parent; 1310 if (rcu_access_pointer(ent->new->parent)) { 1311 struct aa_profile *p; 1312 p = aa_deref_parent(ent->new); 1313 parent = prof_child_dir(p); 1314 } else 1315 parent = ns_subprofs_dir(ent->new->ns); 1316 error = __aafs_profile_mkdir(ent->new, parent); 1317 } 1318 1319 if (error) { 1320 info = "failed to create"; 1321 goto fail_lock; 1322 } 1323 } 1324 1325 /* Done with checks that may fail - do actual replacement */ 1326 __aa_bump_ns_revision(ns); 1327 if (aa_g_export_binary) 1328 __aa_loaddata_update(udata, ns->revision); 1329 list_for_each_entry_safe(ent, tmp, &lh, list) { 1330 list_del_init(&ent->list); 1331 op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL; 1332 1333 if (ent->old && ent->old->rawdata == ent->new->rawdata && 1334 ent->new->rawdata) { 1335 /* dedup actual profile replacement */ 1336 audit_policy(label, op, ns_name, ent->new->base.hname, 1337 "same as current profile, skipping", 1338 error); 1339 /* break refcount cycle with proxy. */ 1340 aa_put_proxy(ent->new->label.proxy); 1341 ent->new->label.proxy = NULL; 1342 goto skip; 1343 } 1344 1345 /* 1346 * TODO: finer dedup based on profile range in data. Load set 1347 * can differ but profile may remain unchanged 1348 */ 1349 audit_policy(label, op, ns_name, ent->new->base.hname, NULL, 1350 error); 1351 1352 if (ent->old) { 1353 share_name(ent->old, ent->new); 1354 __replace_profile(ent->old, ent->new); 1355 } else { 1356 struct list_head *lh; 1357 1358 if (rcu_access_pointer(ent->new->parent)) { 1359 struct aa_profile *parent; 1360 1361 parent = update_to_newest_parent(ent->new); 1362 lh = &parent->base.profiles; 1363 } else 1364 lh = &ns->base.profiles; 1365 __add_profile(lh, ent->new); 1366 } 1367 skip: 1368 aa_load_ent_free(ent); 1369 } 1370 __aa_labelset_update_subtree(ns); 1371 mutex_unlock(&ns->lock); 1372 1373 out: 1374 aa_put_ns(ns); 1375 aa_put_profile_loaddata(udata); 1376 kfree(ns_name); 1377 1378 if (error) 1379 return error; 1380 return udata->size; 1381 1382 fail_lock: 1383 mutex_unlock(&ns->lock); 1384 1385 /* audit cause of failure */ 1386 op = (ent && !ent->old) ? OP_PROF_LOAD : OP_PROF_REPL; 1387 fail: 1388 audit_policy(label, op, ns_name, ent ? ent->new->base.hname : NULL, 1389 info, error); 1390 /* audit status that rest of profiles in the atomic set failed too */ 1391 info = "valid profile in failed atomic policy load"; 1392 list_for_each_entry(tmp, &lh, list) { 1393 if (tmp == ent) { 1394 info = "unchecked profile in failed atomic policy load"; 1395 /* skip entry that caused failure */ 1396 continue; 1397 } 1398 op = (!tmp->old) ? OP_PROF_LOAD : OP_PROF_REPL; 1399 audit_policy(label, op, ns_name, tmp->new->base.hname, info, 1400 error); 1401 } 1402 list_for_each_entry_safe(ent, tmp, &lh, list) { 1403 list_del_init(&ent->list); 1404 aa_load_ent_free(ent); 1405 } 1406 1407 goto out; 1408 } 1409 1410 /** 1411 * aa_remove_profiles - remove profile(s) from the system 1412 * @policy_ns: namespace the remove is being done from 1413 * @subj: label attempting to remove policy 1414 * @fqname: name of the profile or namespace to remove (NOT NULL) 1415 * @size: size of the name 1416 * 1417 * Remove a profile or sub namespace from the current namespace, so that 1418 * they can not be found anymore and mark them as replaced by unconfined 1419 * 1420 * NOTE: removing confinement does not restore rlimits to preconfinement values 1421 * 1422 * Returns: size of data consume else error code if fails 1423 */ 1424 ssize_t aa_remove_profiles(struct aa_ns *policy_ns, struct aa_label *subj, 1425 char *fqname, size_t size) 1426 { 1427 struct aa_ns *ns = NULL; 1428 struct aa_profile *profile = NULL; 1429 const char *name = fqname, *info = NULL; 1430 const char *ns_name = NULL; 1431 ssize_t error = 0; 1432 1433 if (*fqname == 0) { 1434 info = "no profile specified"; 1435 error = -ENOENT; 1436 goto fail; 1437 } 1438 1439 if (fqname[0] == ':') { 1440 size_t ns_len; 1441 1442 name = aa_splitn_fqname(fqname, size, &ns_name, &ns_len); 1443 /* released below */ 1444 ns = aa_lookupn_ns(policy_ns ? policy_ns : labels_ns(subj), 1445 ns_name, ns_len); 1446 if (!ns) { 1447 info = "namespace does not exist"; 1448 error = -ENOENT; 1449 goto fail; 1450 } 1451 } else 1452 /* released below */ 1453 ns = aa_get_ns(policy_ns ? policy_ns : labels_ns(subj)); 1454 1455 if (!name) { 1456 /* remove namespace - can only happen if fqname[0] == ':' */ 1457 mutex_lock_nested(&ns->parent->lock, ns->parent->level); 1458 __aa_bump_ns_revision(ns); 1459 __aa_remove_ns(ns); 1460 mutex_unlock(&ns->parent->lock); 1461 } else { 1462 /* remove profile */ 1463 mutex_lock_nested(&ns->lock, ns->level); 1464 profile = aa_get_profile(__lookup_profile(&ns->base, name)); 1465 if (!profile) { 1466 error = -ENOENT; 1467 info = "profile does not exist"; 1468 goto fail_ns_lock; 1469 } 1470 name = profile->base.hname; 1471 __aa_bump_ns_revision(ns); 1472 __remove_profile(profile); 1473 __aa_labelset_update_subtree(ns); 1474 mutex_unlock(&ns->lock); 1475 } 1476 1477 /* don't fail removal if audit fails */ 1478 (void) audit_policy(subj, OP_PROF_RM, ns_name, name, info, 1479 error); 1480 aa_put_ns(ns); 1481 aa_put_profile(profile); 1482 return size; 1483 1484 fail_ns_lock: 1485 mutex_unlock(&ns->lock); 1486 aa_put_ns(ns); 1487 1488 fail: 1489 (void) audit_policy(subj, OP_PROF_RM, ns_name, name, info, 1490 error); 1491 return error; 1492 } 1493