summaryrefslogtreecommitdiffstats
path: root/security/apparmor/policy.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-18 17:39:57 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-18 17:39:57 +0000
commitdc50eab76b709d68175a358d6e23a5a3890764d3 (patch)
treec754d0390db060af0213ff994f0ac310e4cfd6e9 /security/apparmor/policy.c
parentAdding debian version 6.6.15-2. (diff)
downloadlinux-dc50eab76b709d68175a358d6e23a5a3890764d3.tar.xz
linux-dc50eab76b709d68175a358d6e23a5a3890764d3.zip
Merging upstream version 6.7.7.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/apparmor/policy.c')
-rw-r--r--security/apparmor/policy.c62
1 files changed, 43 insertions, 19 deletions
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 8a07793ce1..957654d253 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -88,6 +88,7 @@
#include "include/resource.h"
int unprivileged_userns_apparmor_policy = 1;
+int aa_unprivileged_unconfined_restricted;
const char *const aa_profile_mode_names[] = {
"enforce",
@@ -98,6 +99,42 @@ const char *const aa_profile_mode_names[] = {
};
+static void aa_free_pdb(struct aa_policydb *pdb)
+{
+ if (pdb) {
+ aa_put_dfa(pdb->dfa);
+ if (pdb->perms)
+ kvfree(pdb->perms);
+ aa_free_str_table(&pdb->trans);
+ kfree(pdb);
+ }
+}
+
+/**
+ * aa_pdb_free_kref - free aa_policydb by kref (called by aa_put_pdb)
+ * @kref: kref callback for freeing of a dfa (NOT NULL)
+ */
+void aa_pdb_free_kref(struct kref *kref)
+{
+ struct aa_policydb *pdb = container_of(kref, struct aa_policydb, count);
+
+ aa_free_pdb(pdb);
+}
+
+
+struct aa_policydb *aa_alloc_pdb(gfp_t gfp)
+{
+ struct aa_policydb *pdb = kzalloc(sizeof(struct aa_policydb), gfp);
+
+ if (!pdb)
+ return NULL;
+
+ kref_init(&pdb->count);
+
+ return pdb;
+}
+
+
/**
* __add_profile - add a profiles to list and label tree
* @list: list to add it to (NOT NULL)
@@ -200,15 +237,15 @@ static void free_attachment(struct aa_attachment *attach)
for (i = 0; i < attach->xattr_count; i++)
kfree_sensitive(attach->xattrs[i]);
kfree_sensitive(attach->xattrs);
- aa_destroy_policydb(&attach->xmatch);
+ aa_put_pdb(attach->xmatch);
}
static void free_ruleset(struct aa_ruleset *rules)
{
int i;
- aa_destroy_policydb(&rules->file);
- aa_destroy_policydb(&rules->policy);
+ aa_put_pdb(rules->file);
+ aa_put_pdb(rules->policy);
aa_free_cap_rules(&rules->caps);
aa_free_rlimit_rules(&rules->rlimits);
@@ -590,16 +627,8 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
/* TODO: ideally we should inherit abi from parent */
profile->label.flags |= FLAG_NULL;
rules = list_first_entry(&profile->rules, typeof(*rules), list);
- rules->file.dfa = aa_get_dfa(nulldfa);
- rules->file.perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL);
- if (!rules->file.perms)
- goto fail;
- rules->file.size = 2;
- rules->policy.dfa = aa_get_dfa(nulldfa);
- rules->policy.perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL);
- if (!rules->policy.perms)
- goto fail;
- rules->policy.size = 2;
+ rules->file = aa_get_pdb(nullpdb);
+ rules->policy = aa_get_pdb(nullpdb);
if (parent) {
profile->path_flags = parent->path_flags;
@@ -610,11 +639,6 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
}
return profile;
-
-fail:
- aa_free_profile(profile);
-
- return NULL;
}
/**
@@ -847,7 +871,7 @@ bool aa_current_policy_admin_capable(struct aa_ns *ns)
/**
* aa_may_manage_policy - can the current task manage policy
- * @subj_cred; subjects cred
+ * @subj_cred: subjects cred
* @label: label to check if it can manage policy
* @ns: namespace being managed by @label (may be NULL if @label's ns)
* @mask: contains the policy manipulation operation being done