Commit 637f688d authored by John Johansen's avatar John Johansen

apparmor: switch from profiles to using labels on contexts

Begin the actual switch to using domain labels by storing them on
the context and converting the label to a singular profile where
possible.
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent f1bd9041
......@@ -4,7 +4,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
resource.o secid.o file.o policy_ns.o
resource.o secid.o file.o policy_ns.o label.o
apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o
clean-files := capability_names.h rlim_names.h
......@@ -77,14 +77,24 @@ static void audit_pre(struct audit_buffer *ab, void *ca)
audit_log_format(ab, " error=%d", aad(sa)->error);
}
if (aad(sa)->profile) {
struct aa_profile *profile = aad(sa)->profile;
if (profile->ns != root_ns) {
audit_log_format(ab, " namespace=");
audit_log_untrustedstring(ab, profile->ns->base.hname);
if (aad(sa)->label) {
struct aa_label *label = aad(sa)->label;
if (label_isprofile(label)) {
struct aa_profile *profile = labels_profile(label);
if (profile->ns != root_ns) {
audit_log_format(ab, " namespace=");
audit_log_untrustedstring(ab,
profile->ns->base.hname);
}
audit_log_format(ab, " profile=");
audit_log_untrustedstring(ab, profile->base.hname);
} else {
audit_log_format(ab, " label=");
aa_label_xaudit(ab, root_ns, label, FLAG_VIEW_SUBNS,
GFP_ATOMIC);
}
audit_log_format(ab, " profile=");
audit_log_untrustedstring(ab, profile->base.hname);
}
if (aad(sa)->name) {
......@@ -139,8 +149,7 @@ int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
type = AUDIT_APPARMOR_KILL;
if (!unconfined(profile))
aad(sa)->profile = profile;
aad(sa)->label = &profile->label;
aa_audit_msg(type, sa, cb);
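Review bot: `if (!unconfined(profile))` in aa_audit still hands a struct aa_profile to unconfined(), while the domain.c hunks of this same commit rewrite the profile-argument call sites to `profile_unconfined(profile)` and context.c now calls unconfined() on labels. If unconfined() is now defined over labels this line will either fail to compile or test the wrong object; the form consistent with the rest of the commit is `if (!profile_unconfined(profile))`. Whether the macro tolerates both argument types cannot be told from the hunks shown, and aa_audit's body continues outside the hunk.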
......@@ -14,9 +14,9 @@
*
*
* AppArmor sets confinement on every task, via the the aa_task_ctx and
* the aa_task_ctx.profile, both of which are required and are not allowed
* the aa_task_ctx.label, both of which are required and are not allowed
* to be NULL. The aa_task_ctx is not reference counted and is unique
* to each cred (which is reference count). The profile pointed to by
* to each cred (which is reference count). The label pointed to by
* the task_ctx is reference counted.
*
* TODO
......@@ -47,9 +47,9 @@ struct aa_task_ctx *aa_alloc_task_context(gfp_t flags)
void aa_free_task_context(struct aa_task_ctx *ctx)
{
if (ctx) {
aa_put_profile(ctx->profile);
aa_put_profile(ctx->previous);
aa_put_profile(ctx->onexec);
aa_put_label(ctx->label);
aa_put_label(ctx->previous);
aa_put_label(ctx->onexec);
kzfree(ctx);
}
......@@ -63,41 +63,41 @@ void aa_free_task_context(struct aa_task_ctx *ctx)
void aa_dup_task_context(struct aa_task_ctx *new, const struct aa_task_ctx *old)
{
*new = *old;
aa_get_profile(new->profile);
aa_get_profile(new->previous);
aa_get_profile(new->onexec);
aa_get_label(new->label);
aa_get_label(new->previous);
aa_get_label(new->onexec);
}
/**
* aa_get_task_profile - Get another task's profile
* aa_get_task_label - Get another task's label
* @task: task to query (NOT NULL)
*
* Returns: counted reference to @task's profile
* Returns: counted reference to @task's label
*/
struct aa_profile *aa_get_task_profile(struct task_struct *task)
struct aa_label *aa_get_task_label(struct task_struct *task)
{
struct aa_profile *p;
struct aa_label *p;
rcu_read_lock();
p = aa_get_newest_profile(__aa_task_raw_profile(task));
p = aa_get_newest_label(__aa_task_raw_label(task));
rcu_read_unlock();
return p;
}
/**
* aa_replace_current_profile - replace the current tasks profiles
* @profile: new profile (NOT NULL)
* aa_replace_current_label - replace the current tasks label
* @label: new label (NOT NULL)
*
* Returns: 0 or error on failure
*/
int aa_replace_current_profile(struct aa_profile *profile)
int aa_replace_current_label(struct aa_label *label)
{
struct aa_task_ctx *ctx = current_ctx();
struct cred *new;
AA_BUG(!profile);
AA_BUG(!label);
if (ctx->profile == profile)
if (ctx->label == label)
return 0;
if (current_cred() != current_real_cred())
......@@ -108,8 +108,8 @@ int aa_replace_current_profile(struct aa_profile *profile)
return -ENOMEM;
ctx = cred_ctx(new);
if (unconfined(profile) || (ctx->profile->ns != profile->ns))
/* if switching to unconfined or a different profile namespace
if (unconfined(label) || (labels_ns(ctx->label) != labels_ns(label)))
/* if switching to unconfined or a different label namespace
* clear out context state
*/
aa_clear_task_ctx_trans(ctx);
......@@ -120,9 +120,9 @@ int aa_replace_current_profile(struct aa_profile *profile)
* keeping @profile valid, so make sure to get its reference before
* dropping the reference on ctx->profile
*/
aa_get_profile(profile);
aa_put_profile(ctx->profile);
ctx->profile = profile;
aa_get_label(label);
aa_put_label(ctx->label);
ctx->label = label;
commit_creds(new);
return 0;
......@@ -130,11 +130,11 @@ int aa_replace_current_profile(struct aa_profile *profile)
/**
* aa_set_current_onexec - set the tasks change_profile to happen onexec
* @profile: system profile to set at exec (MAYBE NULL to clear value)
*
* @label: system label to set at exec (MAYBE NULL to clear value)
* @stack: whether stacking should be done
* Returns: 0 or error on failure
*/
int aa_set_current_onexec(struct aa_profile *profile)
int aa_set_current_onexec(struct aa_label *label, bool stack)
{
struct aa_task_ctx *ctx;
struct cred *new = prepare_creds();
......@@ -142,9 +142,10 @@ int aa_set_current_onexec(struct aa_profile *profile)
return -ENOMEM;
ctx = cred_ctx(new);
aa_get_profile(profile);
aa_put_profile(ctx->onexec);
ctx->onexec = profile;
aa_get_label(label);
aa_clear_task_ctx_trans(ctx);
ctx->onexec = label;
ctx->token = stack;
commit_creds(new);
return 0;
......@@ -152,7 +153,7 @@ int aa_set_current_onexec(struct aa_profile *profile)
/**
* aa_set_current_hat - set the current tasks hat
* @profile: profile to set as the current hat (NOT NULL)
* @label: label to set as the current hat (NOT NULL)
* @token: token value that must be specified to change from the hat
*
* Do switch of tasks hat. If the task is currently in a hat
......@@ -160,29 +161,29 @@ int aa_set_current_onexec(struct aa_profile *profile)
*
* Returns: 0 or error on failure
*/
int aa_set_current_hat(struct aa_profile *profile, u64 token)
int aa_set_current_hat(struct aa_label *label, u64 token)
{
struct aa_task_ctx *ctx;
struct cred *new = prepare_creds();
if (!new)
return -ENOMEM;
AA_BUG(!profile);
AA_BUG(!label);
ctx = cred_ctx(new);
if (!ctx->previous) {
/* transfer refcount */
ctx->previous = ctx->profile;
ctx->previous = ctx->label;
ctx->token = token;
} else if (ctx->token == token) {
aa_put_profile(ctx->profile);
aa_put_label(ctx->label);
} else {
/* previous_profile && ctx->token != token */
abort_creds(new);
return -EACCES;
}
ctx->profile = aa_get_newest_profile(profile);
ctx->label = aa_get_newest_label(label);
/* clear exec on switching context */
aa_put_profile(ctx->onexec);
aa_put_label(ctx->onexec);
ctx->onexec = NULL;
commit_creds(new);
......@@ -190,15 +191,15 @@ int aa_set_current_hat(struct aa_profile *profile, u64 token)
}
/**
* aa_restore_previous_profile - exit from hat context restoring the profile
* aa_restore_previous_label - exit from hat context restoring previous label
* @token: the token that must be matched to exit hat context
*
* Attempt to return out of a hat to the previous profile. The token
* Attempt to return out of a hat to the previous label. The token
* must match the stored token value.
*
* Returns: 0 or error of failure
*/
int aa_restore_previous_profile(u64 token)
int aa_restore_previous_label(u64 token)
{
struct aa_task_ctx *ctx;
struct cred *new = prepare_creds();
......@@ -210,15 +211,15 @@ int aa_restore_previous_profile(u64 token)
abort_creds(new);
return -EACCES;
}
/* ignore restores when there is no saved profile */
/* ignore restores when there is no saved label */
if (!ctx->previous) {
abort_creds(new);
return 0;
}
aa_put_profile(ctx->profile);
ctx->profile = aa_get_newest_profile(ctx->previous);
AA_BUG(!ctx->profile);
aa_put_label(ctx->label);
ctx->label = aa_get_newest_label(ctx->previous);
AA_BUG(!ctx->label);
/* clear exec && prev information when restoring to previous context */
aa_clear_task_ctx_trans(ctx);
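Review bot: In aa_set_current_onexec the explicit `aa_put_profile(ctx->onexec)` is replaced by `aa_clear_task_ctx_trans(ctx)` before `ctx->onexec = label;`, so releasing the old onexec (and presumably ctx->previous) now depends on that helper, which is outside the hunk; and `ctx->token = stack;` stores the bool stacking flag in the u64 field that aa_set_current_hat and aa_restore_previous_label use as the hat token. A comment at that point would keep the next reader from treating it as a hat token: `/* token doubles as the stack flag until exec; previous/onexec were dropped by aa_clear_task_ctx_trans() */`. `aa_get_label(label)` is also called with a label documented as MAYBE NULL, which relies on aa_get_label accepting NULL as aa_get_profile did — worth confirming in label.h, which is collapsed here. aa_set_current_onexec starts in the preceding hunk and ends after this one.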
......@@ -61,24 +61,25 @@ void aa_free_domain_entries(struct aa_domain *domain)
static int may_change_ptraced_domain(struct aa_profile *to_profile)
{
struct task_struct *tracer;
struct aa_profile *tracerp = NULL;
struct aa_label *tracerl = NULL;
int error = 0;
rcu_read_lock();
tracer = ptrace_parent(current);
if (tracer)
/* released below */
tracerp = aa_get_task_profile(tracer);
tracerl = aa_get_task_label(tracer);
/* not ptraced */
if (!tracer || unconfined(tracerp))
if (!tracer || unconfined(tracerl))
goto out;
error = aa_may_ptrace(tracerp, to_profile, PTRACE_MODE_ATTACH);
error = aa_may_ptrace(labels_profile(tracerl), to_profile,
PTRACE_MODE_ATTACH);
out:
rcu_read_unlock();
aa_put_profile(tracerp);
aa_put_label(tracerl);
return error;
}
......@@ -102,7 +103,7 @@ static struct aa_perms change_profile_perms(struct aa_profile *profile,
struct path_cond cond = { };
unsigned int state;
if (unconfined(profile)) {
if (profile_unconfined(profile)) {
perms.allow = AA_MAY_CHANGE_PROFILE | AA_MAY_ONEXEC;
perms.audit = perms.quiet = perms.kill = 0;
return perms;
......@@ -144,7 +145,7 @@ static struct aa_profile *__attach_match(const char *name,
struct aa_profile *profile, *candidate = NULL;
list_for_each_entry_rcu(profile, head, base.list) {
if (profile->flags & PFLAG_NULL)
if (profile->label.flags & FLAG_NULL)
continue;
if (profile->xmatch && profile->xmatch_len > len) {
unsigned int state = aa_dfa_match(profile->xmatch,
......@@ -338,6 +339,7 @@ static struct aa_profile *x_to_profile(struct aa_profile *profile,
int apparmor_bprm_set_creds(struct linux_binprm *bprm)
{
struct aa_task_ctx *ctx;
struct aa_label *label;
struct aa_profile *profile, *new_profile = NULL;
struct aa_ns *ns;
char *buffer = NULL;
......@@ -356,7 +358,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
ctx = cred_ctx(bprm->cred);
AA_BUG(!ctx);
profile = aa_get_newest_profile(ctx->profile);
label = aa_get_newest_label(ctx->label);
profile = labels_profile(label);
/* buffer freed below, name is pointer into buffer */
get_buffers(buffer);
......@@ -370,8 +373,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer,
&name, &info, profile->disconnected);
if (error) {
if (unconfined(profile) ||
(profile->flags & PFLAG_IX_ON_NAME_ERROR))
if (profile_unconfined(profile) ||
(profile->label.flags & FLAG_IX_ON_NAME_ERROR))
error = 0;
name = bprm->filename;
goto audit;
......@@ -380,11 +383,11 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
/* Test for onexec first as onexec directives override other
* x transitions.
*/
if (unconfined(profile)) {
if (profile_unconfined(profile)) {
/* unconfined task */
if (ctx->onexec)
/* change_profile on exec already been granted */
new_profile = aa_get_profile(ctx->onexec);
new_profile = labels_profile(aa_get_label(ctx->onexec));
else
new_profile = find_attach(ns, &ns->base.profiles, name);
if (!new_profile)
......@@ -402,7 +405,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
if (ctx->onexec) {
struct aa_perms cp;
info = "change_profile onexec";
new_profile = aa_get_newest_profile(ctx->onexec);
new_profile = labels_profile(aa_get_newest_label(ctx->onexec));
if (!(perms.allow & AA_MAY_ONEXEC))
goto audit;
......@@ -411,9 +414,9 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
* exec\0change_profile
*/
state = aa_dfa_null_transition(profile->file.dfa, state);
cp = change_profile_perms(profile, ctx->onexec->ns,
ctx->onexec->base.name,
AA_MAY_ONEXEC, state);
cp = change_profile_perms(profile, labels_ns(ctx->onexec),
labels_profile(ctx->onexec)->base.name,
AA_MAY_ONEXEC, state);
if (!(cp.allow & AA_MAY_ONEXEC))
goto audit;
......@@ -501,9 +504,9 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
bprm->per_clear |= PER_CLEAR_ON_SETID;
x_clear:
aa_put_profile(ctx->profile);
aa_put_label(ctx->label);
/* transfer new profile reference will be released when ctx is freed */
ctx->profile = new_profile;
ctx->label = &new_profile->label;
new_profile = NULL;
/* clear out all temporary/transitional state from the context */
......@@ -516,7 +519,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
cleanup:
aa_put_profile(new_profile);
aa_put_profile(profile);
aa_put_label(label);
put_buffers(buffer);
return error;
......@@ -576,7 +579,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
{
const struct cred *cred;
struct aa_task_ctx *ctx;
struct aa_profile *profile, *previous_profile, *hat = NULL;
struct aa_label *label, *previous_label;
struct aa_profile *profile, *hat = NULL;
char *name = NULL;
int i;
struct aa_perms perms = {};
......@@ -594,10 +598,11 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
/* released below */
cred = get_current_cred();
ctx = cred_ctx(cred);
profile = aa_get_newest_cred_profile(cred);
previous_profile = aa_get_newest_profile(ctx->previous);
label = aa_get_newest_cred_label(cred);
previous_label = aa_get_newest_label(ctx->previous);
profile = labels_profile(label);
if (unconfined(profile)) {
if (unconfined(label)) {
info = "unconfined";
error = -EPERM;
goto audit;
......@@ -664,7 +669,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
}
if (!(flags & AA_CHANGE_TEST)) {
error = aa_set_current_hat(hat, token);
error = aa_set_current_hat(&hat->label, token);
if (error == -EACCES)
/* kill task in case of brute force attacks */
perms.kill = AA_MAY_CHANGEHAT;
......@@ -672,12 +677,12 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
/* reset error for learning of new hats */
error = -ENOENT;
}
} else if (previous_profile) {
} else if (previous_label) {
/* Return to saved profile. Kill task if restore fails
* to avoid brute force attacks
*/
target = previous_profile->base.hname;
error = aa_restore_previous_profile(token);
target = previous_label->hname;
error = aa_restore_previous_label(token);
perms.kill = AA_MAY_CHANGEHAT;
} else
/* ignore restores when there is no saved profile */
......@@ -692,8 +697,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
out:
aa_put_profile(hat);
kfree(name);
aa_put_profile(profile);
aa_put_profile(previous_profile);
aa_put_label(label);
aa_put_label(previous_label);
put_cred(cred);
return error;
......@@ -716,6 +721,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
int aa_change_profile(const char *fqname, int flags)
{
const struct cred *cred;
struct aa_label *label;
struct aa_profile *profile, *target = NULL;
struct aa_perms perms = {};
const char *info = NULL, *op;
......@@ -736,7 +742,8 @@ int aa_change_profile(const char *fqname, int flags)
}
cred = get_current_cred();
profile = aa_get_newest_cred_profile(cred);
label = aa_get_newest_cred_label(cred);
profile = labels_profile(label);
/*
* Fail explicitly requested domain transitions if no_new_privs
......@@ -745,12 +752,12 @@ int aa_change_profile(const char *fqname, int flags)
* no_new_privs is set because this aways results in a reduction
* of permissions.
*/
if (task_no_new_privs(current) && !unconfined(profile)) {
if (task_no_new_privs(current) && !profile_unconfined(profile)) {
put_cred(cred);
return -EPERM;
}
target = aa_fqlookupn_profile(profile, fqname, strlen(fqname));
target = aa_fqlookupn_profile(label, fqname, strlen(fqname));
if (!target) {
info = "profile not found";
error = -ENOENT;
......@@ -785,9 +792,9 @@ int aa_change_profile(const char *fqname, int flags)
goto audit;
if (flags & AA_CHANGE_ONEXEC)
error = aa_set_current_onexec(target);
error = aa_set_current_onexec(&target->label, 0);
else
error = aa_replace_current_profile(target);
error = aa_replace_current_label(&target->label);
audit:
if (!(flags & AA_CHANGE_TEST))
......@@ -795,7 +802,7 @@ int aa_change_profile(const char *fqname, int flags)
fqname, GLOBAL_ROOT_UID, info, error);
aa_put_profile(target);
aa_put_profile(profile);
aa_put_label(label);
put_cred(cred);
return error;
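Review bot: In aa_change_profile the no_new_privs early return (`put_cred(cred); return -EPERM;`) leaves the reference taken by `aa_get_newest_cred_label(cred)` a few lines above unreleased; the old profile path had the same shape, but the new code should read `aa_put_label(label); put_cred(cred); return -EPERM;`. Separately, `labels_profile(aa_get_label(ctx->onexec))` in apparmor_bprm_set_creds, `labels_profile(tracerl)` in may_change_ptraced_domain, and the same idiom in file.c's revalidate_tty and match_file all collapse a label to a single profile; that holds today because aa_change_profile stores `&target->label`, but aa_set_current_onexec now accepts a stack flag, so a compound label reaching these sites would be silently truncated to one profile, and an `AA_BUG(!label_isprofile(ctx->onexec))` or a comment stating the single-profile assumption would record it. The bprm path also takes its reference with aa_get_label but releases it via `aa_put_profile(new_profile)` at cleanup, which is only balanced if the two counts are the same object. Both functions span several hunks and start and end outside this one.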
......@@ -451,7 +451,7 @@ int aa_file_perm(const char *op, struct aa_profile *profile, struct file *file,
request, &cond);
}
static void revalidate_tty(struct aa_profile *profile)
static void revalidate_tty(struct aa_label *label)
{
struct tty_struct *tty;
int drop_tty = 0;
......@@ -469,7 +469,7 @@ static void revalidate_tty(struct aa_profile *profile)
struct tty_file_private, list);
file = file_priv->file;
if (aa_file_perm(OP_INHERIT, profile, file,
if (aa_file_perm(OP_INHERIT, labels_profile(label), file,
MAY_READ | MAY_WRITE))
drop_tty = 1;
}
......@@ -482,9 +482,9 @@ static void revalidate_tty(struct aa_profile *profile)
static int match_file(const void *p, struct file *file, unsigned int fd)
{
struct aa_profile *profile = (struct aa_profile *)p;
struct aa_label *label = (struct aa_label *)p;
if (aa_file_perm(OP_INHERIT, profile, file,
if (aa_file_perm(OP_INHERIT, labels_profile(label), file,
aa_map_file_to_perms(file)))
return fd + 1;
return 0;
......@@ -494,14 +494,14 @@ static int match_file(const void *p, struct file *file, unsigned int fd)
/* based on selinux's flush_unauthorized_files */
void aa_inherit_files(const struct cred *cred, struct files_struct *files)
{
struct aa_profile *profile = aa_get_newest_cred_profile(cred);
struct aa_label *label = aa_get_newest_cred_label(cred);
struct file *devnull = NULL;
unsigned int n;
revalidate_tty(profile);
revalidate_tty(label);
/* Revalidate access to inherited open files. */
n = iterate_fd(files, 0, match_file, profile);
n = iterate_fd(files, 0, match_file, label);
if (!n) /* none found? */
goto out;
......@@ -511,9 +511,9 @@ void aa_inherit_files(const struct cred *cred, struct files_struct *files)
/* replace all the matching ones with this */
do {
replace_fd(n - 1, devnull, 0);
} while ((n = iterate_fd(files, n, match_file, profile)) != 0);
} while ((n = iterate_fd(files, n, match_file, label)) != 0);
if (devnull)
fput(devnull);
out:
aa_put_profile(profile);
aa_put_label(label);
}
......@@ -4,7 +4,7 @@
* This file contains AppArmor basic global
*
* Copyright (C) 1998-2008 Novell/SUSE
* Copyright 2009-2010 Canonical Ltd.
* Copyright 2009-2017 Canonical Ltd.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
......@@ -27,8 +27,9 @@
#define AA_CLASS_NET 4
#define AA_CLASS_RLIMITS 5
#define AA_CLASS_DOMAIN 6
#define AA_CLASS_LABEL 16
#define AA_CLASS_LAST AA_CLASS_DOMAIN
#define AA_CLASS_LAST AA_CLASS_LABEL
/* Control parameters settable through module/boot flags */
extern enum audit_mode aa_g_audit;
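Review bot: `AA_CLASS_LABEL 16` jumps from the previous last class (6) and `AA_CLASS_LAST` follows it, so anything sized or iterated by AA_CLASS_LAST grows and spans nine undefined classes; the value presumably mirrors the policy file format and cannot be renumbered, but nothing on the page says so. A comment on the define would record the intent, e.g. `#define AA_CLASS_LABEL 16 /* policy-format class id; 7-15 are unassigned */`.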
......@@ -22,8 +22,7 @@
#include <linux/slab.h>
#include "file.h"
struct aa_profile;
#include "label.h"
extern const char *const audit_mode_names[];
#define AUDIT_MAX_INDEX 5
......@@ -103,9 +102,9 @@ enum audit_type {
struct apparmor_audit_data {
int error;
const char *op;
int type;
void *profile;
const char *op;
struct aa_label *label;
const char *name;
const char *info;
u32 request;
......@@ -113,7 +112,7 @@ struct apparmor_audit_data {
union {
/* these entries require a custom callback fn */
struct {
struct aa_profile *peer;
struct aa_label *peer;
struct {
const char *target;
kuid_t ouid;
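Review bot: The forward declaration `struct aa_profile;` is replaced by `#include "label.h"`, yet the struct only holds pointers (`struct aa_label *label`, `struct aa_label *peer`), so `struct aa_label;` would suffice and keep label.h out of every translation unit that includes audit.h; with perms.h and policy.h also gaining `#include "label.h"` in this commit, include cycles become easier to create. Turning `void *profile` into a typed `struct aa_label *label` is an improvement, and the move of `const char *op` is cosmetic. The struct continues outside the hunk.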
......@@ -15,6 +15,7 @@
#define __AA_PERM_H
#include <linux/fs.h>
#include "label.h"
#define AA_MAY_EXEC MAY_EXEC
#define AA_MAY_WRITE MAY_WRITE
......@@ -101,5 +102,14 @@ void aa_apply_modes_to_perms(struct aa_profile *profile,
struct aa_perms *perms);
void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
struct aa_perms *perms);
void aa_perms_accum(struct aa_perms *accum, struct aa_perms *addend);
void aa_perms_accum_raw(struct aa_perms *accum, struct aa_perms *addend);
void aa_profile_match_label(struct aa_profile *profile, struct aa_label *label,
int type, u32 request, struct aa_perms *perms);
int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target,
u32 request, int type, u32 *deny,
struct common_audit_data *sa);
int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms,
u32 request, struct common_audit_data *sa,
void (*cb)(struct audit_buffer *, void *));
#endif /* __AA_PERM_H */
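Review bot: The new prototypes take `struct aa_perms *addend` and `struct aa_perms *perms` as non-const pointers although accumulation and checking should only read them; `void aa_perms_accum(struct aa_perms *accum, const struct aa_perms *addend);` (and the `_raw` variant) would state that contract, assuming the definitions, which are in the collapsed diff, do not write through them. `aa_profile_label_perm` takes a `struct aa_profile *target` despite its name, so a one-line comment saying whether it is meant to grow into a label-taking API would avoid confusion. The added `#include "label.h"` serves only the pointer types in these prototypes, so a `struct aa_label;` forward declaration would be enough.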
......@@ -29,6 +29,7 @@
#include "domain.h"
#include "file.h"
#include "lib.h"
#include "label.h"
#include "perms.h"
#include "resource.h"
......@@ -48,9 +49,9 @@ extern const char *const aa_profile_mode_names[];
#define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL)
#define PROFILE_IS_HAT(_profile) ((_profile)->flags & PFLAG_HAT)
#define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT)
#define profile_is_stale(_profile) ((_profile)->flags & PFLAG_STALE)
#define profile_is_stale(_profile) (label_is_stale(&(_profile)->label))
#define on_list_rcu(X) (!list_empty(X) && (X)->prev != LIST_POISON2)
......@@ -67,22 +68,6 @@ enum profile_mode {
APPARMOR_UNCONFINED, /* profile set to unconfined */
};
enum profile_flags {
PFLAG_HAT = 1, /* profile is a hat */
PFLAG_NULL = 4, /* profile is null learning profile */
PFLAG_IX_ON_NAME_ERROR = 8, /* fallback to ix on name lookup fail */
PFLAG_IMMUTABLE = 0x10, /* don't allow changes/replacement */
PFLAG_USER_DEFINED = 0x20, /* user based profile - lower privs */
PFLAG_NO_LIST_REF = 0x40, /* list doesn't keep profile ref */
PFLAG_OLD_NULL_TRANS = 0x100, /* use // as the null transition */
PFLAG_STALE = 0x200, /* profile replaced/removed */
PFLAG_NS_COUNT = 0x400, /* carries NS ref count */
/* These flags must correspond with PATH_flags */
PFLAG_MEDIATE_DELETED = 0x10000, /* mediate instead delegate deleted */
};
struct aa_profile;
/* struct aa_policydb - match engine for a policy
* dfa: dfa pattern match
......@@ -95,11 +80,6 @@ struct aa_policydb {
};
struct aa_proxy {
struct kref count;
struct aa_profile __rcu *profile;
};
/* struct aa_data - generic data structure
* key: name for retrieving this data
* size: size of data in bytes
......@@ -116,18 +96,15 @@ struct aa_data {
/* struct aa_profile - basic confinement data
* @base - base components of the profile (name, refcount, lists, lock ...)
* @count: reference count of the obj
* @rcu: rcu head used when removing from @list
* @label - label this profile is an extension of
* @parent: parent of profile
* @ns: namespace the profile is in
* @proxy: is set to the profile that replaced this profile
* @rename: optional profile name that this profile renamed
* @attach: human readable attachment string
* @xmatch: optional extended matching for unconfined executables names
* @xmatch_len: xmatch prefix len, used to determine xmatch priority
* @audit: the auditing mode of the profile
* @mode: the enforcement mode of the profile
* @flags: flags controlling profile behavior
* @path_flags: flags controlling path generation behavior
* @disconnected: what to prepend if attach_disconnected is specified
* @size: the memory consumed by this profiles rules
......@@ -145,8 +122,6 @@ struct aa_data {
* used to determine profile attachment against unconfined tasks. All other
* attachments are determined by profile X transition rules.
*
* The @proxy struct is write protected by the profile lock.
*
* Profiles have a hierarchy where hats and children profiles keep
* a reference to their parent.
*
......@@ -156,12 +131,9 @@ struct aa_data {
*/
struct aa_profile {
struct aa_policy base;
struct kref count;
struct rcu_head rcu;
struct aa_profile __rcu *parent;
struct aa_ns *ns;
struct aa_proxy *proxy;
const char *rename;