Commit 90917d5b authored by John Johansen's avatar John Johansen

apparmor: extend permissions to support a label and tag string

add indexes for label and tag entries. Rename the domain table to the
str_table as it's a shared string table with labels and tags.
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent caa9f579
...@@ -29,24 +29,6 @@ ...@@ -29,24 +29,6 @@
#include "include/policy.h" #include "include/policy.h"
#include "include/policy_ns.h" #include "include/policy_ns.h"
/**
* aa_free_domain_entries - free entries in a domain table
* @domain: the domain table to free (MAYBE NULL)
*/
void aa_free_domain_entries(struct aa_domain *domain)
{
int i;
if (domain) {
if (!domain->table)
return;
for (i = 0; i < domain->size; i++)
kfree_sensitive(domain->table[i]);
kfree_sensitive(domain->table);
domain->table = NULL;
}
}
/** /**
* may_change_ptraced_domain - check if can change profile on ptraced task * may_change_ptraced_domain - check if can change profile on ptraced task
* @to_label: profile to change to (NOT NULL) * @to_label: profile to change to (NOT NULL)
......
...@@ -16,11 +16,6 @@ ...@@ -16,11 +16,6 @@
#ifndef __AA_DOMAIN_H #ifndef __AA_DOMAIN_H
#define __AA_DOMAIN_H #define __AA_DOMAIN_H
struct aa_domain {
int size;
char **table;
};
#define AA_CHANGE_NOFLAGS 0 #define AA_CHANGE_NOFLAGS 0
#define AA_CHANGE_TEST 1 #define AA_CHANGE_TEST 1
#define AA_CHANGE_CHILD 2 #define AA_CHANGE_CHILD 2
...@@ -32,7 +27,6 @@ struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex, ...@@ -32,7 +27,6 @@ struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex,
int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm); int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm);
void aa_free_domain_entries(struct aa_domain *domain);
int aa_change_hat(const char *hats[], int count, u64 token, int flags); int aa_change_hat(const char *hats[], int count, u64 token, int flags);
int aa_change_profile(const char *fqname, int flags); int aa_change_profile(const char *fqname, int flags);
......
...@@ -99,6 +99,12 @@ static inline bool path_mediated_fs(struct dentry *dentry) ...@@ -99,6 +99,12 @@ static inline bool path_mediated_fs(struct dentry *dentry)
return !(dentry->d_sb->s_flags & SB_NOUSER); return !(dentry->d_sb->s_flags & SB_NOUSER);
} }
struct aa_str_table {
int size;
char **table;
};
void aa_free_str_table(struct aa_str_table *table);
struct counted_str { struct counted_str {
struct kref count; struct kref count;
......
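Review bot: `struct aa_str_table` is introduced in lib.h without a kernel-doc comment, and `aa_free_str_table()` is declared without stating what the caller may expect afterwards. Add above the struct `/* struct aa_str_table - table of strings shared by xindex, label and tag lookups` with `@size: number of entries in @table` and `@table: array of @size strings (may be NULL)`, and on the prototype note that the table pointer is cleared on return. Since `size` is an `int` while the indexes that select into it (the `tag`, `label` and `xindex` fields in perms.h) are `u32`, any bounds check that compares the two should cast explicitly so a negative `size` cannot silently pass as a large unsigned value.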
...@@ -79,6 +79,8 @@ struct aa_perms { ...@@ -79,6 +79,8 @@ struct aa_perms {
u32 hide; /* set only when ~allow | deny */ u32 hide; /* set only when ~allow | deny */
u32 xindex; u32 xindex;
u32 tag; /* tag string index, if present */
u32 label; /* label string index, if present */
}; };
#define ALL_PERMS_MASK 0xffffffff #define ALL_PERMS_MASK 0xffffffff
......
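Review bot: The new `tag` and `label` fields are documented as "string index, if present", but the comment does not say which value means absent; 0 is itself a valid index into the string table, so a reader cannot tell how presence is encoded. State the sentinel explicitly, e.g. `u32 tag; /* index into the str table, <sentinel> if no tag */` with the same form for `label` (the actual sentinel value is not visible in this commit, so it needs to come from the unpack code that fills these fields). These indexes originate from the policy blob, so wherever they are consumed they presumably need to be checked against `trans.size` before dereferencing `table[idx]` — verify that the later consumer does this.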
...@@ -72,12 +72,14 @@ enum profile_mode { ...@@ -72,12 +72,14 @@ enum profile_mode {
/* struct aa_policydb - match engine for a policy /* struct aa_policydb - match engine for a policy
* dfa: dfa pattern match * dfa: dfa pattern match
* perms: table of permissions
* strs: table of strings, index by x
* start: set of start states for the different classes of data * start: set of start states for the different classes of data
*/ */
struct aa_policydb { struct aa_policydb {
struct aa_dfa *dfa; struct aa_dfa *dfa;
struct aa_perms *perms; struct aa_perms *perms;
struct aa_domain trans; struct aa_str_table trans;
aa_state_t start[AA_CLASS_LAST + 1]; aa_state_t start[AA_CLASS_LAST + 1];
}; };
...@@ -86,7 +88,7 @@ static inline void aa_destroy_policydb(struct aa_policydb *policy) ...@@ -86,7 +88,7 @@ static inline void aa_destroy_policydb(struct aa_policydb *policy)
aa_put_dfa(policy->dfa); aa_put_dfa(policy->dfa);
if (policy->perms) if (policy->perms)
kvfree(policy->perms); kvfree(policy->perms);
aa_free_domain_entries(&policy->trans); aa_free_str_table(&policy->trans);
} }
......
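Review bot: The kernel-doc added to `struct aa_policydb` documents a member named `strs`, but the member that actually holds the string table is `trans` (`struct aa_str_table trans;` in the same hunk), so the comment describes a field that does not exist and kernel-doc will flag it. Change the line to `* trans: table of strings, indexed by xindex/tag/label` (the sentence "index by x" also reads as a fragment). The `perms` line is fine as added.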
...@@ -25,6 +25,25 @@ struct aa_perms allperms = { .allow = ALL_PERMS_MASK, ...@@ -25,6 +25,25 @@ struct aa_perms allperms = { .allow = ALL_PERMS_MASK,
.quiet = ALL_PERMS_MASK, .quiet = ALL_PERMS_MASK,
.hide = ALL_PERMS_MASK }; .hide = ALL_PERMS_MASK };
/**
* aa_free_str_table - free entries str table
* @str: the string table to free (MAYBE NULL)
*/
void aa_free_str_table(struct aa_str_table *t)
{
int i;
if (t) {
if (!t->table)
return;
for (i = 0; i < t->size; i++)
kfree_sensitive(t->table[i]);
kfree_sensitive(t->table);
t->table = NULL;
}
}
/** /**
* aa_split_fqname - split a fqname into a profile and namespace name * aa_split_fqname - split a fqname into a profile and namespace name
* @fqname: a full qualified name in namespace profile format (NOT NULL) * @fqname: a full qualified name in namespace profile format (NOT NULL)
......
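Review bot: The kernel-doc for `aa_free_str_table()` names the parameter `@str`, but the function's parameter is `t`, so the doc no longer matches the signature it was copied over with; use `* @t: the string table to free (MAYBE NULL)` and fix the fragment `free entries str table` to `free the entries of a string table`. The nested `if (t) { if (!t->table) return; ... }` can be flattened to a single guard `if (!t || !t->table) return;` without changing behaviour. After freeing, `t->table` is set to NULL but `t->size` keeps its old value; adding `t->size = 0;` next to the NULL assignment keeps the struct self-consistent so a later bounds check against `size` cannot pass on a freed table.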
...@@ -534,7 +534,7 @@ static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile) ...@@ -534,7 +534,7 @@ static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile)
return true; return true;
fail: fail:
aa_free_domain_entries(&profile->file.trans); aa_free_str_table(&profile->file.trans);
e->pos = saved_pos; e->pos = saved_pos;
return false; return false;
} }
......