apparmor: extend permissions to support a label and tag string

add indexes for label and tag entries. Rename the domain table to the
str_table as its a shared string table with label and tags.

Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 5883f0fc02d3d6fa2da616820ac6395f75d0299d..4cb046cf3a14f6968a14b03844bb8eb73b78da1f 100644 (file)
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -29,24 +29,6 @@
 #include "include/policy.h"
 #include "include/policy_ns.h"
 
-/**
- * aa_free_domain_entries - free entries in a domain table
- * @domain: the domain table to free  (MAYBE NULL)
- */
-void aa_free_domain_entries(struct aa_domain *domain)
-{
-       int i;
-       if (domain) {
-               if (!domain->table)
-                       return;
-
-               for (i = 0; i < domain->size; i++)
-                       kfree_sensitive(domain->table[i]);
-               kfree_sensitive(domain->table);
-               domain->table = NULL;
-       }
-}
-
 /**
  * may_change_ptraced_domain - check if can change profile on ptraced task
  * @to_label: profile to change to  (NOT NULL)

diff --git a/security/apparmor/include/domain.h b/security/apparmor/include/domain.h
index d14928fe1c6f1679a74fdc2bf804ed611e7bfdea..77f9a0ed0f04821648f7431f063dc7573920b98e 100644 (file)
--- a/security/apparmor/include/domain.h
+++ b/security/apparmor/include/domain.h
@@ -16,11 +16,6 @@
 #ifndef __AA_DOMAIN_H
 #define __AA_DOMAIN_H
 
-struct aa_domain {
-       int size;
-       char **table;
-};
-
 #define AA_CHANGE_NOFLAGS 0
 #define AA_CHANGE_TEST 1
 #define AA_CHANGE_CHILD 2
@@ -32,7 +27,6 @@ struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex,
 
 int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm);
 
-void aa_free_domain_entries(struct aa_domain *domain);
 int aa_change_hat(const char *hats[], int count, u64 token, int flags);
 int aa_change_profile(const char *fqname, int flags);
 

diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
index f176f3ced2a3614a66fe9c975a728e1ce5e519db..f1a29ab7ea1b4337c3baab988e1ffb75c56b6d28 100644 (file)
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -99,6 +99,12 @@ static inline bool path_mediated_fs(struct dentry *dentry)
        return !(dentry->d_sb->s_flags & SB_NOUSER);
 }
 
+struct aa_str_table {
+       int size;
+       char **table;
+};
+
+void aa_free_str_table(struct aa_str_table *table);
 
 struct counted_str {
        struct kref count;

diff --git a/security/apparmor/include/perms.h b/security/apparmor/include/perms.h
index 8739cef735493d5afb9cd8748f9b6e7ec892e504..d66059fcebb45946255e4782420a0d8552cb60a3 100644 (file)
--- a/security/apparmor/include/perms.h
+++ b/security/apparmor/include/perms.h
@@ -79,6 +79,8 @@ struct aa_perms {
        u32 hide;       /* set only when  ~allow | deny */
 
        u32 xindex;
+       u32 tag;        /* tag string index, if present */
+       u32 label;      /* label string index, if present */
 };
 
 #define ALL_PERMS_MASK 0xffffffff

diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 3a7d165e8fcc11f5acf64c8946925a3563e311de..a28a662a06221591232f62ad5532f5208dce9840 100644 (file)
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -72,12 +72,14 @@ enum profile_mode {
 
 /* struct aa_policydb - match engine for a policy
  * dfa: dfa pattern match
+ * perms: table of permissions
+ * strs: table of strings, index by x
  * start: set of start states for the different classes of data
  */
 struct aa_policydb {
        struct aa_dfa *dfa;
        struct aa_perms *perms;
-       struct aa_domain trans;
+       struct aa_str_table trans;
        aa_state_t start[AA_CLASS_LAST + 1];
 };
 
@@ -86,7 +88,7 @@ static inline void aa_destroy_policydb(struct aa_policydb *policy)
        aa_put_dfa(policy->dfa);
        if (policy->perms)
                kvfree(policy->perms);
-       aa_free_domain_entries(&policy->trans);
+       aa_free_str_table(&policy->trans);
 
 }
 

diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index 60deb4dc30c7f2e1a1b617b061521986a3005f12..69aeb2dbd6d6bb1fd6e7a8d3bc4ca1ea80989911 100644 (file)
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -25,6 +25,25 @@ struct aa_perms allperms = { .allow = ALL_PERMS_MASK,
                             .quiet = ALL_PERMS_MASK,
                             .hide = ALL_PERMS_MASK };
 
+/**
+ * aa_free_str_table - free entries str table
+ * @str: the string table to free  (MAYBE NULL)
+ */
+void aa_free_str_table(struct aa_str_table *t)
+{
+       int i;
+
+       if (t) {
+               if (!t->table)
+                       return;
+
+               for (i = 0; i < t->size; i++)
+                       kfree_sensitive(t->table[i]);
+               kfree_sensitive(t->table);
+               t->table = NULL;
+       }
+}
+
 /**
  * aa_split_fqname - split a fqname into a profile and namespace name
  * @fqname: a full qualified name in namespace profile format (NOT NULL)

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 63196df2841b57b7dd9b12bcf1b005a7d85d95ee..df39ee8f4e03db2b2d4c8514c26e8d6edd019fe8 100644 (file)
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -534,7 +534,7 @@ static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile)
        return true;
 
 fail:
-       aa_free_domain_entries(&profile->file.trans);
+       aa_free_str_table(&profile->file.trans);
        e->pos = saved_pos;
        return false;
 }