authorJohn Johansen <john.johansen@canonical.com>2022-07-16 12:33:43 +0200
committerJohn Johansen <john.johansen@canonical.com>2022-10-03 23:49:03 +0200
commit90917d5b6866df79d892087ba51b46c983d2fcfe (patch)
treefe97819dd9858b6fc79a8ee06665082b5df845c4 /security
parentapparmor: isolate policy backwards compatibility to its own file (diff)
apparmor: extend permissions to support a label and tag string
add indexes for label and tag entries. Rename the domain table to the str_table as it's a shared string table with label and tags. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/domain.c18
-rw-r--r--security/apparmor/include/domain.h6
-rw-r--r--security/apparmor/include/lib.h6
-rw-r--r--security/apparmor/include/perms.h2
-rw-r--r--security/apparmor/include/policy.h6
-rw-r--r--security/apparmor/lib.c19
-rw-r--r--security/apparmor/policy_unpack.c2
7 files changed, 32 insertions, 27 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 5883f0fc02d3..4cb046cf3a14 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -30,24 +30,6 @@
#include "include/policy_ns.h"
/**
- * aa_free_domain_entries - free entries in a domain table
- * @domain: the domain table to free (MAYBE NULL)
- */
-void aa_free_domain_entries(struct aa_domain *domain)
-{
- int i;
- if (domain) {
- if (!domain->table)
- return;
-
- for (i = 0; i < domain->size; i++)
- kfree_sensitive(domain->table[i]);
- kfree_sensitive(domain->table);
- domain->table = NULL;
- }
-}
-
-/**
* may_change_ptraced_domain - check if can change profile on ptraced task
* @to_label: profile to change to (NOT NULL)
* @info: message if there is an error
diff --git a/security/apparmor/include/domain.h b/security/apparmor/include/domain.h
index d14928fe1c6f..77f9a0ed0f04 100644
--- a/security/apparmor/include/domain.h
+++ b/security/apparmor/include/domain.h
@@ -16,11 +16,6 @@
#ifndef __AA_DOMAIN_H
#define __AA_DOMAIN_H
-struct aa_domain {
- int size;
- char **table;
-};
-
#define AA_CHANGE_NOFLAGS 0
#define AA_CHANGE_TEST 1
#define AA_CHANGE_CHILD 2
@@ -32,7 +27,6 @@ struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex,
int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm);
-void aa_free_domain_entries(struct aa_domain *domain);
int aa_change_hat(const char *hats[], int count, u64 token, int flags);
int aa_change_profile(const char *fqname, int flags);
diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
index f176f3ced2a3..f1a29ab7ea1b 100644
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -99,6 +99,12 @@ static inline bool path_mediated_fs(struct dentry *dentry)
return !(dentry->d_sb->s_flags & SB_NOUSER);
}
+struct aa_str_table {
+ int size;
+ char **table;
+};
+
+void aa_free_str_table(struct aa_str_table *table);
struct counted_str {
struct kref count;
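Review bot: The new `struct aa_str_table` in lib.h is introduced without a comment, so nothing in the header says what `table` holds, that `size` is its entry count, or that the strings are owned by the table and released by `aa_free_str_table()`. A short kernel-doc block above the struct, giving the purpose line, `@size` as the number of entries in `@table`, and `@table` as the array of owned strings freed by `aa_free_str_table()`, would make the ownership explicit for the callers that now share it between the transition, label and tag entries. The prototype below it uses the parameter name `table`; keeping the same name in the definition in lib.c would keep the header and the implementation consistent.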
diff --git a/security/apparmor/include/perms.h b/security/apparmor/include/perms.h
index 8739cef73549..d66059fcebb4 100644
--- a/security/apparmor/include/perms.h
+++ b/security/apparmor/include/perms.h
@@ -79,6 +79,8 @@ struct aa_perms {
u32 hide; /* set only when ~allow | deny */
u32 xindex;
+ u32 tag; /* tag string index, if present */
+ u32 label; /* label string index, if present */
};
#define ALL_PERMS_MASK 0xffffffff
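Review bot: The comments on the new `tag` and `label` members say "if present" but do not say which value means absent, nor which table the index refers to; the commit message says they index the shared string table, so presumably `aa_policydb.trans`. Spelling that out, e.g. `u32 tag; /* index into the str table (policydb trans), if present */` and the same for `label`, would save readers a trip through the commit history. Nothing in this series validates these indexes against the table's `size`; since `aa_perms` entries are filled from loaded policy, any consumer added later must bounds-check the index before dereferencing `trans.table`.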
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 3a7d165e8fcc..a28a662a0622 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -72,12 +72,14 @@ enum profile_mode {
/* struct aa_policydb - match engine for a policy
* dfa: dfa pattern match
+ * perms: table of permissions
+ * strs: table of strings, index by x
* start: set of start states for the different classes of data
*/
struct aa_policydb {
struct aa_dfa *dfa;
struct aa_perms *perms;
- struct aa_domain trans;
+ struct aa_str_table trans;
aa_state_t start[AA_CLASS_LAST + 1];
};
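Review bot: The new kernel-doc line in `struct aa_policydb` documents a member called `strs`, but the member it describes is still named `trans` on the line below, so the comment does not match the struct. Either rename the field or change the line to ` * trans: table of strings referenced by index from struct aa_perms`. "index by x" is also ambiguous; if it means the xindex (and now the tag/label indexes), say so explicitly.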
@@ -86,7 +88,7 @@ static inline void aa_destroy_policydb(struct aa_policydb *policy)
aa_put_dfa(policy->dfa);
if (policy->perms)
kvfree(policy->perms);
- aa_free_domain_entries(&policy->trans);
+ aa_free_str_table(&policy->trans);
}
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index 60deb4dc30c7..69aeb2dbd6d6 100644
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -26,6 +26,25 @@ struct aa_perms allperms = { .allow = ALL_PERMS_MASK,
.hide = ALL_PERMS_MASK };
/**
+ * aa_free_str_table - free entries str table
+ * @str: the string table to free (MAYBE NULL)
+ */
+void aa_free_str_table(struct aa_str_table *t)
+{
+ int i;
+
+ if (t) {
+ if (!t->table)
+ return;
+
+ for (i = 0; i < t->size; i++)
+ kfree_sensitive(t->table[i]);
+ kfree_sensitive(t->table);
+ t->table = NULL;
+ }
+}
+
+/**
* aa_split_fqname - split a fqname into a profile and namespace name
* @fqname: a full qualified name in namespace profile format (NOT NULL)
* @ns_name: pointer to portion of the string containing the ns name (NOT NULL)
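Review bot: The kernel-doc above the new `aa_free_str_table()` names the parameter `@str` while the definition calls it `t` and the prototype in lib.h calls it `table`; kernel-doc will warn and readers get three names for one object. Pick one (`table` matches the header) and use it in all three places, e.g. `void aa_free_str_table(struct aa_str_table *table)` with ` * @table: the string table to free (MAYBE NULL)`. The nested `if (t) { if (!t->table) return; ... }` can become a single guard, `if (!t || !t->table) return;`, which reads as the early-return style used elsewhere in the file. Consider also resetting `t->size = 0;` after the table is freed so a stale count cannot be paired with a later reallocated `table`.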
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 63196df2841b..df39ee8f4e03 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -534,7 +534,7 @@ static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile)
return true;
fail:
- aa_free_domain_entries(&profile->file.trans);
+ aa_free_str_table(&profile->file.trans);
e->pos = saved_pos;
return false;
}