apparmor: refactor code that alloc null profiles
authorJohn Johansen <john.johansen@canonical.com>
Mon, 3 Oct 2022 09:48:24 +0000 (02:48 -0700)
committerJohn Johansen <john.johansen@canonical.com>
Tue, 25 Oct 2022 05:35:36 +0000 (22:35 -0700)
Both unconfined and learning profiles use the null profile as their
base. Refactor so they share a common base routine. This doesn't
save much at the moment, but it will be important once the feature set
of the parent is inherited.

Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/domain.c
security/apparmor/include/policy.h
security/apparmor/policy.c
security/apparmor/policy_ns.c

index d4b09f0..b447bc1 100644 (file)
@@ -681,8 +681,8 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
                /* no exec permission - learning mode */
                struct aa_profile *new_profile = NULL;
 
-               new_profile = aa_new_null_profile(profile, false, name,
-                                                 GFP_KERNEL);
+               new_profile = aa_new_learning_profile(profile, false, name,
+                                                     GFP_KERNEL);
                if (!new_profile) {
                        error = -ENOMEM;
                        info = "could not create null profile";
@@ -1009,8 +1009,8 @@ static struct aa_label *build_change_hat(struct aa_profile *profile,
        if (!hat) {
                error = -ENOENT;
                if (COMPLAIN_MODE(profile)) {
-                       hat = aa_new_null_profile(profile, true, name,
-                                                 GFP_KERNEL);
+                       hat = aa_new_learning_profile(profile, true, name,
+                                                     GFP_KERNEL);
                        if (!hat) {
                                info = "failed null profile create";
                                error = -ENOMEM;
@@ -1361,8 +1361,8 @@ int aa_change_profile(const char *fqname, int flags)
                    !COMPLAIN_MODE(labels_profile(label)))
                        goto audit;
                /* released below */
-               tprofile = aa_new_null_profile(labels_profile(label), false,
-                                              fqname, GFP_KERNEL);
+               tprofile = aa_new_learning_profile(labels_profile(label), false,
+                                                  fqname, GFP_KERNEL);
                if (!tprofile) {
                        info = "failed null profile create";
                        error = -ENOMEM;
index 5cadfb2..545f791 100644 (file)
@@ -234,8 +234,10 @@ void aa_free_proxy_kref(struct kref *kref);
 struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp);
 struct aa_profile *aa_alloc_profile(const char *name, struct aa_proxy *proxy,
                                    gfp_t gfp);
-struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
-                                      const char *base, gfp_t gfp);
+struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
+                                gfp_t gfp);
+struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat,
+                                          const char *base, gfp_t gfp);
 void aa_free_profile(struct aa_profile *profile);
 void aa_free_profile_kref(struct kref *kref);
 struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name);
index 6f4cc8b..c17cced 100644 (file)
@@ -524,8 +524,36 @@ struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
        return profile;
 }
 
+
+struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
+                                gfp_t gfp)
+{
+       struct aa_profile *profile;
+       struct aa_ruleset *rules;
+
+       profile = aa_alloc_profile(name, NULL, gfp);
+       if (!profile)
+               return NULL;
+
+       /* TODO: ideally we should inherit abi from parent */
+       profile->label.flags |= FLAG_NULL;
+       rules = list_first_entry(&profile->rules, typeof(*rules), list);
+       rules->file.dfa = aa_get_dfa(nulldfa);
+       rules->policy.dfa = aa_get_dfa(nulldfa);
+
+       if (parent) {
+               profile->path_flags = parent->path_flags;
+
+               /* released on free_profile */
+               rcu_assign_pointer(profile->parent, aa_get_profile(parent));
+               profile->ns = aa_get_ns(parent->ns);
+       }
+
+       return profile;
+}
+
 /**
- * aa_new_null_profile - create or find a null-X learning profile
+ * aa_new_learning_profile - create or find a null-X learning profile
  * @parent: profile that caused this profile to be created (NOT NULL)
  * @hat: true if the null- learning profile is a hat
  * @base: name to base the null profile off of
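Review bot: The new aa_alloc_null is exported through policy.h but carries no kernel-doc, and its contract is not obvious from the body: it sets FLAG_NULL unconditionally, takes references on parent and parent->ns only when parent is non-NULL, and otherwise leaves profile->parent and profile->ns unset for the caller to fill in. A kernel-doc block above it in the style of the neighbouring aa_new_learning_profile comment would make that explicit, e.g. `@parent: profile to derive from, or NULL (caller must then set ->ns)` and `Returns: new refcounted profile else NULL on failure`. The leading `/* TODO: ideally we should inherit abi from parent */` should stay, since the commit message says abi inheritance is the follow-up this refactor prepares for. The preceding aa_fqlookupn_profile only ends inside this hunk.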
@@ -542,10 +570,9 @@ struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
  *
  * Returns: new refcounted profile else NULL on failure
  */
-struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
-                                      const char *base, gfp_t gfp)
+struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat,
+                                          const char *base, gfp_t gfp)
 {
-       struct aa_ruleset *rules;
        struct aa_profile *p, *profile;
        const char *bname;
        char *name = NULL;
@@ -575,22 +602,12 @@ name:
        if (profile)
                goto out;
 
-       profile = aa_alloc_profile(name, NULL, gfp);
+       profile = aa_alloc_null(parent, name, gfp);
        if (!profile)
                goto fail;
-
        profile->mode = APPARMOR_COMPLAIN;
-       profile->label.flags |= FLAG_NULL;
        if (hat)
                profile->label.flags |= FLAG_HAT;
-       profile->path_flags = parent->path_flags;
-
-       /* released on free_profile */
-       rcu_assign_pointer(profile->parent, aa_get_profile(parent));
-       profile->ns = aa_get_ns(parent->ns);
-       rules = list_first_entry(&profile->rules, typeof(*rules), list);
-       rules->file.dfa = aa_get_dfa(nulldfa);
-       rules->policy.dfa = aa_get_dfa(nulldfa);
 
        mutex_lock_nested(&profile->ns->lock, profile->ns->level);
        p = __find_child(&parent->base.profiles, bname);
index 121aa79..5c38563 100644 (file)
@@ -83,18 +83,14 @@ const char *aa_ns_name(struct aa_ns *curr, struct aa_ns *view, bool subns)
 static struct aa_profile *alloc_unconfined(const char *name)
 {
        struct aa_profile *profile;
-       struct aa_ruleset *rules;
 
-       profile = aa_alloc_profile(name, NULL, GFP_KERNEL);
+       profile = aa_alloc_null(NULL, name, GFP_KERNEL);
        if (!profile)
                return NULL;
 
        profile->label.flags |= FLAG_IX_ON_NAME_ERROR |
                FLAG_IMMUTIBLE | FLAG_NS_COUNT | FLAG_UNCONFINED;
        profile->mode = APPARMOR_UNCONFINED;
-       rules = list_first_entry(&profile->rules, typeof(*rules), list);
-       rules->file.dfa = aa_get_dfa(nulldfa);
-       rules->policy.dfa = aa_get_dfa(nulldfa);
 
        return profile;
 }
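Review bot: alloc_unconfined now inherits FLAG_NULL from aa_alloc_null, which the removed aa_alloc_profile path never set on the unconfined profile, so this changes the flag word of every namespace's unconfined label rather than being a purely mechanical refactor. I cannot see the consumers of FLAG_NULL from here, but if any of them use it to recognise null/learning profiles they will now also match unconfined. If that is intended it deserves a sentence in the commit message; otherwise clearing it in alloc_unconfined, `profile->label.flags &= ~FLAG_NULL;` before the `|=` line, or having aa_alloc_null set FLAG_NULL only for a non-NULL parent, restores the previous flags.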