From c97204baf840bf850e14ef4f5f43251239ca43b6 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Thu, 25 May 2017 06:23:42 -0700 Subject: [PATCH] apparmor: rename apparmor file fns and data to indicate use prefixes are used for fns/data that are not static to apparmorfs.c with the prefixes being aafs - special magic apparmorfs for policy namespace data aa_sfs - for fns/data that go into securityfs aa_fs - for fns/data that may be used in the either of aafs or securityfs Signed-off-by: John Johansen Reviewed-by: Seth Arnold Reviewed-by: Kees Cook --- security/apparmor/Makefile | 6 +- security/apparmor/apparmorfs.c | 213 ++++++++++++++++++++------------- security/apparmor/capability.c | 4 +- security/apparmor/include/apparmorfs.h | 58 ++++----- security/apparmor/include/capability.h | 2 +- security/apparmor/include/resource.h | 2 +- security/apparmor/policy.c | 6 +- security/apparmor/policy_ns.c | 4 +- security/apparmor/resource.c | 4 +- 9 files changed, 172 insertions(+), 127 deletions(-) diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile index 2ded2f1..b3e7c04 100644 --- a/security/apparmor/Makefile +++ b/security/apparmor/Makefile @@ -20,7 +20,7 @@ cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\ sed $< >>$@ -r -n -e '/CAP_FS_MASK/d' \ -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\ echo "};" >> $@ ;\ - printf '%s' '\#define AA_FS_CAPS_MASK "' >> $@ ;\ + printf '%s' '\#define AA_SFS_CAPS_MASK "' >> $@ ;\ sed $< -r -n -e '/CAP_FS_MASK/d' \ -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/\L\1/p' | \ tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@ @@ -46,7 +46,7 @@ cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\ # #define RLIMIT_FSIZE 1 /* Maximum filesize */ # #define RLIMIT_STACK 3 /* max stack size */ # to -# #define AA_FS_RLIMIT_MASK "fsize stack" +# #define AA_SFS_RLIMIT_MASK "fsize stack" quiet_cmd_make-rlim = GEN $@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \ > $@ ;\ @@ -56,7 +56,7 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \ echo "static const int rlim_map[RLIM_NLIMITS] = {" >> $@ ;\ sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\ echo "};" >> $@ ; \ - printf '%s' '\#define AA_FS_RLIMIT_MASK "' >> $@ ;\ + printf '%s' '\#define AA_SFS_RLIMIT_MASK "' >> $@ ;\ sed -r -n 's/^\# ?define[ \t]+RLIMIT_([A-Z0-9_]+).*/\L\1/p' $< | \ tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@ diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 7e4b7f2..35b822c 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -36,6 +36,35 @@ #include "include/resource.h" #include "include/policy_unpack.h" +/* + * The apparmor filesystem interface used for policy load and introspection + * The interface is split into two main components based on their function + * a securityfs component: + * used for static files that are always available, and which allows + * userspace to specificy the location of the security filesystem. + * + * fns and data are prefixed with + * aa_sfs_ + * + * an apparmorfs component: + * used loaded policy content and introspection. It is not part of a + * regular mounted filesystem and is available only through the magic + * policy symlink in the root of the securityfs apparmor/ directory. + * Tasks queries will be magically redirected to the correct portion + * of the policy tree based on their confinement. + * + * fns and data are prefixed with + * aafs_ + * + * The aa_fs_ prefix is used to indicate the fn is used by both the + * securityfs and apparmorfs filesystems. + */ + + +/* + * support fns + */ + /** * aa_mangle_name - mangle a profile name to std profile layout form * @name: profile name to mangle (NOT NULL) @@ -606,28 +635,28 @@ static ssize_t aa_write_access(struct file *file, const char __user *ubuf, return count; } -static const struct file_operations aa_fs_access = { +static const struct file_operations aa_sfs_access = { .write = aa_write_access, .read = simple_transaction_read, .release = simple_transaction_release, .llseek = generic_file_llseek, }; -static int aa_fs_seq_show(struct seq_file *seq, void *v) +static int aa_sfs_seq_show(struct seq_file *seq, void *v) { - struct aa_fs_entry *fs_file = seq->private; + struct aa_sfs_entry *fs_file = seq->private; if (!fs_file) return 0; switch (fs_file->v_type) { - case AA_FS_TYPE_BOOLEAN: + case AA_SFS_TYPE_BOOLEAN: seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no"); break; - case AA_FS_TYPE_STRING: + case AA_SFS_TYPE_STRING: seq_printf(seq, "%s\n", fs_file->v.string); break; - case AA_FS_TYPE_U64: + case AA_SFS_TYPE_U64: seq_printf(seq, "%#08lx\n", fs_file->v.u64); break; default: @@ -638,14 +667,14 @@ static int aa_fs_seq_show(struct seq_file *seq, void *v) return 0; } -static int aa_fs_seq_open(struct inode *inode, struct file *file) +static int aa_sfs_seq_open(struct inode *inode, struct file *file) { - return single_open(file, aa_fs_seq_show, inode->i_private); + return single_open(file, aa_sfs_seq_show, inode->i_private); } -const struct file_operations aa_fs_seq_file_ops = { +const struct file_operations aa_sfs_seq_file_ops = { .owner = THIS_MODULE, - .open = aa_fs_seq_open, + .open = aa_sfs_seq_open, .read = seq_read, .llseek = seq_lseek, .release = single_release, @@ -996,7 +1025,12 @@ fail: } /** fns to setup dynamic per profile/namespace files **/ -void __aa_fs_profile_rmdir(struct aa_profile *profile) + +/** + * + * Requires: @profile->ns->lock held + */ +void __aafs_profile_rmdir(struct aa_profile *profile) { struct aa_profile *child; int i; @@ -1005,7 +1039,7 @@ void __aa_fs_profile_rmdir(struct aa_profile *profile) return; list_for_each_entry(child, &profile->base.profiles, base.list) - __aa_fs_profile_rmdir(child); + __aafs_profile_rmdir(child); for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) { struct aa_proxy *proxy; @@ -1019,8 +1053,12 @@ void __aa_fs_profile_rmdir(struct aa_profile *profile) } } -void __aa_fs_profile_migrate_dents(struct aa_profile *old, - struct aa_profile *new) +/** + * + * Requires: @old->ns->lock held + */ +void __aafs_profile_migrate_dents(struct aa_profile *old, + struct aa_profile *new) { int i; @@ -1081,7 +1119,7 @@ static int gen_symlink_name(char *buffer, size_t bsize, int depth, /* * Requires: @profile->ns->lock held */ -int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) +int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) { struct aa_profile *child; struct dentry *dent = NULL, *dir; @@ -1177,7 +1215,7 @@ int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) } list_for_each_entry(child, &profile->base.profiles, base.list) { - error = __aa_fs_profile_mkdir(child, prof_child_dir(profile)); + error = __aafs_profile_mkdir(child, prof_child_dir(profile)); if (error) goto fail2; } @@ -1188,7 +1226,7 @@ fail: error = PTR_ERR(dent); fail2: - __aa_fs_profile_rmdir(profile); + __aafs_profile_rmdir(profile); return error; } @@ -1203,7 +1241,11 @@ static void __aa_fs_list_remove_rawdata(struct aa_ns *ns) __aa_fs_remove_rawdata(ent); } -void __aa_fs_ns_rmdir(struct aa_ns *ns) +/** + * + * Requires: @ns->lock held + */ +void __aafs_ns_rmdir(struct aa_ns *ns) { struct aa_ns *sub; struct aa_profile *child; @@ -1213,11 +1255,11 @@ void __aa_fs_ns_rmdir(struct aa_ns *ns) return; list_for_each_entry(child, &ns->base.profiles, base.list) - __aa_fs_profile_rmdir(child); + __aafs_profile_rmdir(child); list_for_each_entry(sub, &ns->sub_ns, base.list) { mutex_lock(&sub->lock); - __aa_fs_ns_rmdir(sub); + __aafs_ns_rmdir(sub); mutex_unlock(&sub->lock); } @@ -1247,7 +1289,7 @@ void __aa_fs_ns_rmdir(struct aa_ns *ns) } /* assumes cleanup in caller */ -static int __aa_fs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir) +static int __aafs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir) { struct dentry *dent; @@ -1294,7 +1336,10 @@ static int __aa_fs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir) return 0; } -int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name) +/* + * Requires: @ns->lock held + */ +int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name) { struct aa_ns *sub; struct aa_profile *child; @@ -1314,13 +1359,13 @@ int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name) goto fail; ns_dir(ns) = dir = dent; - error = __aa_fs_ns_mkdir_entries(ns, dir); + error = __aafs_ns_mkdir_entries(ns, dir); if (error) goto fail2; /* profiles */ list_for_each_entry(child, &ns->base.profiles, base.list) { - error = __aa_fs_profile_mkdir(child, ns_subprofs_dir(ns)); + error = __aafs_profile_mkdir(child, ns_subprofs_dir(ns)); if (error) goto fail2; } @@ -1328,7 +1373,7 @@ int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name) /* subnamespaces */ list_for_each_entry(sub, &ns->sub_ns, base.list) { mutex_lock(&sub->lock); - error = __aa_fs_ns_mkdir(sub, ns_subns_dir(ns), NULL); + error = __aafs_ns_mkdir(sub, ns_subns_dir(ns), NULL); mutex_unlock(&sub->lock); if (error) goto fail2; @@ -1340,7 +1385,7 @@ fail: error = PTR_ERR(dent); fail2: - __aa_fs_ns_rmdir(ns); + __aafs_ns_rmdir(ns); return error; } @@ -1550,7 +1595,7 @@ static int seq_show_profile(struct seq_file *f, void *p) return 0; } -static const struct seq_operations aa_fs_profiles_op = { +static const struct seq_operations aa_sfs_profiles_op = { .start = p_start, .next = p_next, .stop = p_stop, @@ -1562,7 +1607,7 @@ static int profiles_open(struct inode *inode, struct file *file) if (!policy_view_capable(NULL)) return -EACCES; - return seq_open(file, &aa_fs_profiles_op); + return seq_open(file, &aa_sfs_profiles_op); } static int profiles_release(struct inode *inode, struct file *file) @@ -1570,7 +1615,7 @@ static int profiles_release(struct inode *inode, struct file *file) return seq_release(inode, file); } -static const struct file_operations aa_fs_profiles_fops = { +static const struct file_operations aa_sfs_profiles_fops = { .open = profiles_open, .read = seq_read, .llseek = seq_lseek, @@ -1579,63 +1624,63 @@ static const struct file_operations aa_fs_profiles_fops = { /** Base file system setup **/ -static struct aa_fs_entry aa_fs_entry_file[] = { - AA_FS_FILE_STRING("mask", "create read write exec append mmap_exec " \ - "link lock"), +static struct aa_sfs_entry aa_sfs_entry_file[] = { + AA_SFS_FILE_STRING("mask", + "create read write exec append mmap_exec link lock"), { } }; -static struct aa_fs_entry aa_fs_entry_domain[] = { - AA_FS_FILE_BOOLEAN("change_hat", 1), - AA_FS_FILE_BOOLEAN("change_hatv", 1), - AA_FS_FILE_BOOLEAN("change_onexec", 1), - AA_FS_FILE_BOOLEAN("change_profile", 1), - AA_FS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1), - AA_FS_FILE_STRING("version", "1.2"), +static struct aa_sfs_entry aa_sfs_entry_domain[] = { + AA_SFS_FILE_BOOLEAN("change_hat", 1), + AA_SFS_FILE_BOOLEAN("change_hatv", 1), + AA_SFS_FILE_BOOLEAN("change_onexec", 1), + AA_SFS_FILE_BOOLEAN("change_profile", 1), + AA_SFS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1), + AA_SFS_FILE_STRING("version", "1.2"), { } }; -static struct aa_fs_entry aa_fs_entry_versions[] = { - AA_FS_FILE_BOOLEAN("v5", 1), +static struct aa_sfs_entry aa_sfs_entry_versions[] = { + AA_SFS_FILE_BOOLEAN("v5", 1), { } }; -static struct aa_fs_entry aa_fs_entry_policy[] = { - AA_FS_DIR("versions", aa_fs_entry_versions), - AA_FS_FILE_BOOLEAN("set_load", 1), +static struct aa_sfs_entry aa_sfs_entry_policy[] = { + AA_SFS_DIR("versions", aa_sfs_entry_versions), + AA_SFS_FILE_BOOLEAN("set_load", 1), { } }; -static struct aa_fs_entry aa_fs_entry_features[] = { - AA_FS_DIR("policy", aa_fs_entry_policy), - AA_FS_DIR("domain", aa_fs_entry_domain), - AA_FS_DIR("file", aa_fs_entry_file), - AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), - AA_FS_DIR("rlimit", aa_fs_entry_rlimit), - AA_FS_DIR("caps", aa_fs_entry_caps), +static struct aa_sfs_entry aa_sfs_entry_features[] = { + AA_SFS_DIR("policy", aa_sfs_entry_policy), + AA_SFS_DIR("domain", aa_sfs_entry_domain), + AA_SFS_DIR("file", aa_sfs_entry_file), + AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), + AA_SFS_DIR("rlimit", aa_sfs_entry_rlimit), + AA_SFS_DIR("caps", aa_sfs_entry_caps), { } }; -static struct aa_fs_entry aa_fs_entry_apparmor[] = { - AA_FS_FILE_FOPS(".access", 0640, &aa_fs_access), - AA_FS_FILE_FOPS(".ns_level", 0666, &seq_ns_level_fops), - AA_FS_FILE_FOPS(".ns_name", 0640, &seq_ns_name_fops), - AA_FS_FILE_FOPS("profiles", 0440, &aa_fs_profiles_fops), - AA_FS_DIR("features", aa_fs_entry_features), +static struct aa_sfs_entry aa_sfs_entry_apparmor[] = { + AA_SFS_FILE_FOPS(".access", 0640, &aa_sfs_access), + AA_SFS_FILE_FOPS(".ns_level", 0666, &seq_ns_level_fops), + AA_SFS_FILE_FOPS(".ns_name", 0640, &seq_ns_name_fops), + AA_SFS_FILE_FOPS("profiles", 0440, &aa_sfs_profiles_fops), + AA_SFS_DIR("features", aa_sfs_entry_features), { } }; -static struct aa_fs_entry aa_fs_entry = - AA_FS_DIR("apparmor", aa_fs_entry_apparmor); +static struct aa_sfs_entry aa_sfs_entry = + AA_SFS_DIR("apparmor", aa_sfs_entry_apparmor); /** * entry_create_file - create a file entry in the apparmor securityfs - * @fs_file: aa_fs_entry to build an entry for (NOT NULL) + * @fs_file: aa_sfs_entry to build an entry for (NOT NULL) * @parent: the parent dentry in the securityfs * * Use entry_remove_file to remove entries created with this fn. */ -static int __init entry_create_file(struct aa_fs_entry *fs_file, +static int __init entry_create_file(struct aa_sfs_entry *fs_file, struct dentry *parent) { int error = 0; @@ -1651,18 +1696,18 @@ static int __init entry_create_file(struct aa_fs_entry *fs_file, return error; } -static void __init entry_remove_dir(struct aa_fs_entry *fs_dir); +static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir); /** * entry_create_dir - recursively create a directory entry in the securityfs - * @fs_dir: aa_fs_entry (and all child entries) to build (NOT NULL) + * @fs_dir: aa_sfs_entry (and all child entries) to build (NOT NULL) * @parent: the parent dentry in the securityfs * * Use entry_remove_dir to remove entries created with this fn. */ -static int __init entry_create_dir(struct aa_fs_entry *fs_dir, - struct dentry *parent) +static int __init entry_create_dir(struct aa_sfs_entry *fs_dir, + struct dentry *parent) { - struct aa_fs_entry *fs_file; + struct aa_sfs_entry *fs_file; struct dentry *dir; int error; @@ -1672,7 +1717,7 @@ static int __init entry_create_dir(struct aa_fs_entry *fs_dir, fs_dir->dentry = dir; for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { - if (fs_file->v_type == AA_FS_TYPE_DIR) + if (fs_file->v_type == AA_SFS_TYPE_DIR) error = entry_create_dir(fs_file, fs_dir->dentry); else error = entry_create_file(fs_file, fs_dir->dentry); @@ -1689,10 +1734,10 @@ failed: } /** - * aafs_remove_file - drop a single file entry in the apparmor securityfs - * @fs_file: aa_fs_entry to detach from the securityfs (NOT NULL) + * entry_remove_file - drop a single file entry in the apparmor securityfs + * @fs_file: aa_sfs_entry to detach from the securityfs (NOT NULL) */ -static void __init aafs_remove_file(struct aa_fs_entry *fs_file) +static void __init entry_remove_file(struct aa_sfs_entry *fs_file) { if (!fs_file->dentry) return; @@ -1703,20 +1748,20 @@ static void __init aafs_remove_file(struct aa_fs_entry *fs_file) /** * entry_remove_dir - recursively drop a directory entry from the securityfs - * @fs_dir: aa_fs_entry (and all child entries) to detach (NOT NULL) + * @fs_dir: aa_sfs_entry (and all child entries) to detach (NOT NULL) */ -static void __init entry_remove_dir(struct aa_fs_entry *fs_dir) +static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir) { - struct aa_fs_entry *fs_file; + struct aa_sfs_entry *fs_file; for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { - if (fs_file->v_type == AA_FS_TYPE_DIR) + if (fs_file->v_type == AA_SFS_TYPE_DIR) entry_remove_dir(fs_file); else - aafs_remove_file(fs_file); + entry_remove_file(fs_file); } - aafs_remove_file(fs_dir); + entry_remove_file(fs_dir); } /** @@ -1726,7 +1771,7 @@ static void __init entry_remove_dir(struct aa_fs_entry *fs_dir) */ void __init aa_destroy_aafs(void) { - entry_remove_dir(&aa_fs_entry); + entry_remove_dir(&aa_sfs_entry); } @@ -1843,7 +1888,7 @@ static int __init aa_create_aafs(void) if (!apparmor_initialized) return 0; - if (aa_fs_entry.dentry) { + if (aa_sfs_entry.dentry) { AA_ERROR("%s: AppArmor securityfs already exists\n", __func__); return -EEXIST; } @@ -1855,11 +1900,11 @@ static int __init aa_create_aafs(void) aafs_mnt->mnt_sb->s_flags &= ~MS_NOUSER; /* Populate fs tree. */ - error = entry_create_dir(&aa_fs_entry, NULL); + error = entry_create_dir(&aa_sfs_entry, NULL); if (error) goto error; - dent = securityfs_create_file(".load", 0666, aa_fs_entry.dentry, + dent = securityfs_create_file(".load", 0666, aa_sfs_entry.dentry, NULL, &aa_fs_profile_load); if (IS_ERR(dent)) { error = PTR_ERR(dent); @@ -1867,7 +1912,7 @@ static int __init aa_create_aafs(void) } ns_subload(root_ns) = dent; - dent = securityfs_create_file(".replace", 0666, aa_fs_entry.dentry, + dent = securityfs_create_file(".replace", 0666, aa_sfs_entry.dentry, NULL, &aa_fs_profile_replace); if (IS_ERR(dent)) { error = PTR_ERR(dent); @@ -1875,7 +1920,7 @@ static int __init aa_create_aafs(void) } ns_subreplace(root_ns) = dent; - dent = securityfs_create_file(".remove", 0666, aa_fs_entry.dentry, + dent = securityfs_create_file(".remove", 0666, aa_sfs_entry.dentry, NULL, &aa_fs_profile_remove); if (IS_ERR(dent)) { error = PTR_ERR(dent); @@ -1884,13 +1929,13 @@ static int __init aa_create_aafs(void) ns_subremove(root_ns) = dent; mutex_lock(&root_ns->lock); - error = __aa_fs_ns_mkdir(root_ns, aa_fs_entry.dentry, "policy"); + error = __aafs_ns_mkdir(root_ns, aa_sfs_entry.dentry, "policy"); mutex_unlock(&root_ns->lock); if (error) goto error; - error = aa_mk_null_file(aa_fs_entry.dentry); + error = aa_mk_null_file(aa_sfs_entry.dentry); if (error) goto error; diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c index ed0a3e6..3bc1984 100644 --- a/security/apparmor/capability.c +++ b/security/apparmor/capability.c @@ -28,8 +28,8 @@ */ #include "capability_names.h" -struct aa_fs_entry aa_fs_entry_caps[] = { - AA_FS_FILE_STRING("mask", AA_FS_CAPS_MASK), +struct aa_sfs_entry aa_sfs_entry_caps[] = { + AA_SFS_FILE_STRING("mask", AA_SFS_CAPS_MASK), { } }; diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h index 0b6d32b..bcad877 100644 --- a/security/apparmor/include/apparmorfs.h +++ b/security/apparmor/include/apparmorfs.h @@ -17,49 +17,49 @@ extern struct path aa_null; -enum aa_fs_type { - AA_FS_TYPE_BOOLEAN, - AA_FS_TYPE_STRING, - AA_FS_TYPE_U64, - AA_FS_TYPE_FOPS, - AA_FS_TYPE_DIR, +enum aa_sfs_type { + AA_SFS_TYPE_BOOLEAN, + AA_SFS_TYPE_STRING, + AA_SFS_TYPE_U64, + AA_SFS_TYPE_FOPS, + AA_SFS_TYPE_DIR, }; -struct aa_fs_entry; +struct aa_sfs_entry; -struct aa_fs_entry { +struct aa_sfs_entry { const char *name; struct dentry *dentry; umode_t mode; - enum aa_fs_type v_type; + enum aa_sfs_type v_type; union { bool boolean; char *string; unsigned long u64; - struct aa_fs_entry *files; + struct aa_sfs_entry *files; } v; const struct file_operations *file_ops; }; -extern const struct file_operations aa_fs_seq_file_ops; +extern const struct file_operations aa_sfs_seq_file_ops; -#define AA_FS_FILE_BOOLEAN(_name, _value) \ +#define AA_SFS_FILE_BOOLEAN(_name, _value) \ { .name = (_name), .mode = 0444, \ - .v_type = AA_FS_TYPE_BOOLEAN, .v.boolean = (_value), \ - .file_ops = &aa_fs_seq_file_ops } -#define AA_FS_FILE_STRING(_name, _value) \ + .v_type = AA_SFS_TYPE_BOOLEAN, .v.boolean = (_value), \ + .file_ops = &aa_sfs_seq_file_ops } +#define AA_SFS_FILE_STRING(_name, _value) \ { .name = (_name), .mode = 0444, \ - .v_type = AA_FS_TYPE_STRING, .v.string = (_value), \ - .file_ops = &aa_fs_seq_file_ops } -#define AA_FS_FILE_U64(_name, _value) \ + .v_type = AA_SFS_TYPE_STRING, .v.string = (_value), \ + .file_ops = &aa_sfs_seq_file_ops } +#define AA_SFS_FILE_U64(_name, _value) \ { .name = (_name), .mode = 0444, \ - .v_type = AA_FS_TYPE_U64, .v.u64 = (_value), \ - .file_ops = &aa_fs_seq_file_ops } -#define AA_FS_FILE_FOPS(_name, _mode, _fops) \ - { .name = (_name), .v_type = AA_FS_TYPE_FOPS, \ + .v_type = AA_SFS_TYPE_U64, .v.u64 = (_value), \ + .file_ops = &aa_sfs_seq_file_ops } +#define AA_SFS_FILE_FOPS(_name, _mode, _fops) \ + { .name = (_name), .v_type = AA_SFS_TYPE_FOPS, \ .mode = (_mode), .file_ops = (_fops) } -#define AA_FS_DIR(_name, _value) \ - { .name = (_name), .v_type = AA_FS_TYPE_DIR, .v.files = (_value) } +#define AA_SFS_DIR(_name, _value) \ + { .name = (_name), .v_type = AA_SFS_TYPE_DIR, .v.files = (_value) } extern void __init aa_destroy_aafs(void); @@ -107,12 +107,12 @@ enum aafs_prof_type { #define prof_child_dir(X) ((X)->dents[AAFS_PROF_PROFS]) void __aa_bump_ns_revision(struct aa_ns *ns); -void __aa_fs_profile_rmdir(struct aa_profile *profile); -void __aa_fs_profile_migrate_dents(struct aa_profile *old, +void __aafs_profile_rmdir(struct aa_profile *profile); +void __aafs_profile_migrate_dents(struct aa_profile *old, struct aa_profile *new); -int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent); -void __aa_fs_ns_rmdir(struct aa_ns *ns); -int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, +int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent); +void __aafs_ns_rmdir(struct aa_ns *ns); +int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name); struct aa_loaddata; diff --git a/security/apparmor/include/capability.h b/security/apparmor/include/capability.h index fc3fa38..1218e95 100644 --- a/security/apparmor/include/capability.h +++ b/security/apparmor/include/capability.h @@ -36,7 +36,7 @@ struct aa_caps { kernel_cap_t extended; }; -extern struct aa_fs_entry aa_fs_entry_caps[]; +extern struct aa_sfs_entry aa_sfs_entry_caps[]; int aa_capable(struct aa_profile *profile, int cap, int audit); diff --git a/security/apparmor/include/resource.h b/security/apparmor/include/resource.h index d3f4cf0..f6289f3 100644 --- a/security/apparmor/include/resource.h +++ b/security/apparmor/include/resource.h @@ -34,7 +34,7 @@ struct aa_rlimit { struct rlimit limits[RLIM_NLIMITS]; }; -extern struct aa_fs_entry aa_fs_entry_rlimit[]; +extern struct aa_sfs_entry aa_sfs_entry_rlimit[]; int aa_map_resource(int resource); int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *, diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c index 5968914..a5e8559 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -160,7 +160,7 @@ static void __remove_profile(struct aa_profile *profile) __aa_profile_list_release(&profile->base.profiles); /* released by free_profile */ __aa_update_proxy(profile, profile->ns->unconfined); - __aa_fs_profile_rmdir(profile); + __aafs_profile_rmdir(profile); __list_remove_profile(profile); } @@ -784,7 +784,7 @@ static void __replace_profile(struct aa_profile *old, struct aa_profile *new, /* aafs interface uses proxy */ rcu_assign_pointer(new->proxy->profile, aa_get_profile(new)); - __aa_fs_profile_migrate_dents(old, new); + __aafs_profile_migrate_dents(old, new); if (list_empty(&new->base.list)) { /* new is not on a list already */ @@ -971,7 +971,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile, parent = prof_child_dir(p); } else parent = ns_subprofs_dir(ent->new->ns); - error = __aa_fs_profile_mkdir(ent->new, parent); + error = __aafs_profile_mkdir(ent->new, parent); } if (error) { diff --git a/security/apparmor/policy_ns.c b/security/apparmor/policy_ns.c index c94ec6e..0a8bc4e 100644 --- a/security/apparmor/policy_ns.c +++ b/security/apparmor/policy_ns.c @@ -196,7 +196,7 @@ static struct aa_ns *__aa_create_ns(struct aa_ns *parent, const char *name, if (!ns) return NULL; mutex_lock(&ns->lock); - error = __aa_fs_ns_mkdir(ns, ns_subns_dir(parent), name); + error = __aafs_ns_mkdir(ns, ns_subns_dir(parent), name); if (error) { AA_ERROR("Failed to create interface for ns %s\n", ns->base.name); @@ -284,7 +284,7 @@ static void destroy_ns(struct aa_ns *ns) if (ns->parent) __aa_update_proxy(ns->unconfined, ns->parent->unconfined); - __aa_fs_ns_rmdir(ns); + __aafs_ns_rmdir(ns); mutex_unlock(&ns->lock); } diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c index 86a941a..ae66151 100644 --- a/security/apparmor/resource.c +++ b/security/apparmor/resource.c @@ -24,8 +24,8 @@ */ #include "rlim_names.h" -struct aa_fs_entry aa_fs_entry_rlimit[] = { - AA_FS_FILE_STRING("mask", AA_FS_RLIMIT_MASK), +struct aa_sfs_entry aa_sfs_entry_rlimit[] = { + AA_SFS_FILE_STRING("mask", AA_SFS_RLIMIT_MASK), { } }; -- 2.7.4