apparmor: pass the subject profile into profile replace/remove
This is just setup for the new ns-specific .load, .replace and .remove interface files. Signed-off-by: John Johansen <john.johansen@canonical.com>
parent
04dc715e24
commit
12dd7171d6
@ -133,7 +133,7 @@ static ssize_t policy_update(int binop, const char __user *buf, size_t size,
|
||||
data = aa_simple_write_to_buffer(op, buf, size, size, pos);
|
||||
error = PTR_ERR(data);
|
||||
if (!IS_ERR(data)) {
|
||||
error = aa_replace_profiles(profile->ns, binop, data);
|
||||
error = aa_replace_profiles(profile->ns, profile, binop, data);
|
||||
aa_put_loaddata(data);
|
||||
}
|
||||
|
||||
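Review bot: The subject that audit_policy now records is whichever `profile` this caller hands in, in place of the __aa_current_profile() the callee used before, so the audit trail is only as accurate as the callers; where `profile` is obtained is above this hunk (policy_update starts outside it), and the same applies to the aa_remove_profiles call in the @-192 hunk. Since `profile->ns` and `profile` are now passed as two separate arguments, a short comment on the call would make the split explicit: `/* profile: subject performing the load (audited); profile->ns: the view */`. For the planned ns-specific interface files the subject should presumably remain the loading task's profile rather than the profile that owns the file, if that is the intent.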
@ -192,7 +192,8 @@ static ssize_t profile_remove(struct file *f, const char __user *buf,
|
||||
error = PTR_ERR(data);
|
||||
if (!IS_ERR(data)) {
|
||||
data->data[size] = 0;
|
||||
error = aa_remove_profiles(profile->ns, data->data, size);
|
||||
error = aa_remove_profiles(profile->ns, profile, data->data,
|
||||
size);
|
||||
aa_put_loaddata(data);
|
||||
}
|
||||
out:
|
||||
|
@ -188,9 +188,10 @@ struct aa_profile *aa_fqlookupn_profile(struct aa_profile *base,
|
||||
const char *fqname, size_t n);
|
||||
struct aa_profile *aa_match_profile(struct aa_ns *ns, const char *name);
|
||||
|
||||
ssize_t aa_replace_profiles(struct aa_ns *view, bool noreplace,
|
||||
struct aa_loaddata *udata);
|
||||
ssize_t aa_remove_profiles(struct aa_ns *view, char *name, size_t size);
|
||||
ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile,
|
||||
bool noreplace, struct aa_loaddata *udata);
|
||||
ssize_t aa_remove_profiles(struct aa_ns *view, struct aa_profile *profile,
|
||||
char *name, size_t size);
|
||||
void __aa_profile_list_release(struct list_head *head);
|
||||
|
||||
#define PROF_ADD 1
|
||||
|
@ -803,6 +803,7 @@ static int __lookup_replace(struct aa_ns *ns, const char *hname,
|
||||
/**
|
||||
* aa_replace_profiles - replace profile(s) on the profile list
|
||||
* @view: namespace load is viewed from
|
||||
* @label: label that is attempting to load/replace policy
|
||||
* @noreplace: true if only doing addition, no replacement allowed
|
||||
* @udata: serialized data stream (NOT NULL)
|
||||
*
|
||||
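Review bot: The kernel-doc line `* @label: label that is attempting to load/replace policy` documents a parameter that does not exist; the parameter added in the @-812 hunk is `struct aa_profile *profile`, so kernel-doc will report `@label` as excess and `profile` as undocumented. Suggest ` * @profile: profile that is attempting to load/replace policy (NOT NULL)`, marking it NOT NULL like @udata, since the body passes it straight to audit_policy in the @-935, @-991 and @-1002 hunks without a check. The same NOT NULL note would fit `@subj` in the aa_remove_profiles doc (@-1016 hunk), whose audit calls in the @-1075 and @-1086 hunks do likewise.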
@ -812,8 +813,8 @@ static int __lookup_replace(struct aa_ns *ns, const char *hname,
|
||||
*
|
||||
* Returns: size of data consumed else error code on failure.
|
||||
*/
|
||||
ssize_t aa_replace_profiles(struct aa_ns *view, bool noreplace,
|
||||
struct aa_loaddata *udata)
|
||||
ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile,
|
||||
bool noreplace, struct aa_loaddata *udata)
|
||||
{
|
||||
const char *ns_name, *info = NULL;
|
||||
struct aa_ns *ns = NULL;
|
||||
@ -935,7 +936,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, bool noreplace,
|
||||
list_del_init(&ent->list);
|
||||
op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL;
|
||||
|
||||
audit_policy(__aa_current_profile(), op, GFP_ATOMIC, NULL,
|
||||
audit_policy(profile, op, GFP_ATOMIC, NULL,
|
||||
ent->new->base.hname, NULL, error);
|
||||
|
||||
if (ent->old) {
|
||||
@ -991,8 +992,8 @@ fail_lock:
|
||||
/* audit cause of failure */
|
||||
op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
|
||||
fail:
|
||||
audit_policy(__aa_current_profile(), op, GFP_KERNEL, ns_name,
|
||||
ent->new->base.hname, info, error);
|
||||
audit_policy(profile, op, GFP_KERNEL, ns_name, ent->new->base.hname,
|
||||
info, error);
|
||||
/* audit status that rest of profiles in the atomic set failed too */
|
||||
info = "valid profile in failed atomic policy load";
|
||||
list_for_each_entry(tmp, &lh, list) {
|
||||
@ -1002,7 +1003,7 @@ fail:
|
||||
continue;
|
||||
}
|
||||
op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
|
||||
audit_policy(__aa_current_profile(), op, GFP_KERNEL, ns_name,
|
||||
audit_policy(profile, op, GFP_KERNEL, ns_name,
|
||||
tmp->new->base.hname, info, error);
|
||||
}
|
||||
list_for_each_entry_safe(ent, tmp, &lh, list) {
|
||||
@ -1016,6 +1017,7 @@ fail:
|
||||
/**
|
||||
* aa_remove_profiles - remove profile(s) from the system
|
||||
* @view: namespace the remove is being done from
|
||||
* @subj: profile attempting to remove policy
|
||||
* @fqname: name of the profile or namespace to remove (NOT NULL)
|
||||
* @size: size of the name
|
||||
*
|
||||
@ -1026,7 +1028,8 @@ fail:
|
||||
*
|
||||
* Returns: size of data consume else error code if fails
|
||||
*/
|
||||
ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size)
|
||||
ssize_t aa_remove_profiles(struct aa_ns *view, struct aa_profile *subj,
|
||||
char *fqname, size_t size)
|
||||
{
|
||||
struct aa_ns *root = NULL, *ns = NULL;
|
||||
struct aa_profile *profile = NULL;
|
||||
@ -1075,8 +1078,8 @@ ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size)
|
||||
}
|
||||
|
||||
/* don't fail removal if audit fails */
|
||||
(void) audit_policy(__aa_current_profile(), OP_PROF_RM, GFP_KERNEL,
|
||||
ns_name, name, info, error);
|
||||
(void) audit_policy(subj, OP_PROF_RM, GFP_KERNEL, ns_name, name, info,
|
||||
error);
|
||||
aa_put_ns(ns);
|
||||
aa_put_profile(profile);
|
||||
return size;
|
||||
@ -1086,7 +1089,7 @@ fail_ns_lock:
|
||||
aa_put_ns(ns);
|
||||
|
||||
fail:
|
||||
(void) audit_policy(__aa_current_profile(), OP_PROF_RM, GFP_KERNEL,
|
||||
ns_name, name, info, error);
|
||||
(void) audit_policy(subj, OP_PROF_RM, GFP_KERNEL, ns_name, name, info,
|
||||
error);
|
||||
return error;
|
||||
}
|
||||
|