diff options
| author | John Johansen <john.johansen@canonical.com> | 2013-07-11 00:07:43 -0400 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2013-08-14 14:42:06 -0400 |
| commit | 77b071b34045a0c65d0e1f85f3d47fd2b8b7a8a1 (patch) | |
| tree | b0b2c38b79969ac7b9439389888f6a1ac14a32a7 /security/apparmor/context.c | |
| parent | 01e2b670aa898a39259bc85c78e3d74820f4d3b6 (diff) | |
apparmor: change how profile replacement update is done
remove the use of replaced by chaining and move to profile invalidation
and lookup to handle task replacement.
Replacement chaining can result in large chains of profiles being pinned
in memory when one profile in the chain is use. With implicit labeling
this will be even more of a problem, so move to a direct lookup method.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/context.c')
| -rw-r--r-- | security/apparmor/context.c | 16 |
1 files changed, 5 insertions, 11 deletions
diff --git a/security/apparmor/context.c b/security/apparmor/context.c index d5af1d15f26d..3064c6ced87c 100644 --- a/security/apparmor/context.c +++ b/security/apparmor/context.c | |||
| @@ -112,9 +112,9 @@ int aa_replace_current_profile(struct aa_profile *profile) | |||
| 112 | aa_clear_task_cxt_trans(cxt); | 112 | aa_clear_task_cxt_trans(cxt); |
| 113 | 113 | ||
| 114 | /* be careful switching cxt->profile, when racing replacement it | 114 | /* be careful switching cxt->profile, when racing replacement it |
| 115 | * is possible that cxt->profile->replacedby is the reference keeping | 115 | * is possible that cxt->profile->replacedby->profile is the reference |
| 116 | * @profile valid, so make sure to get its reference before dropping | 116 | * keeping @profile valid, so make sure to get its reference before |
| 117 | * the reference on cxt->profile */ | 117 | * dropping the reference on cxt->profile */ |
| 118 | aa_get_profile(profile); | 118 | aa_get_profile(profile); |
| 119 | aa_put_profile(cxt->profile); | 119 | aa_put_profile(cxt->profile); |
| 120 | cxt->profile = profile; | 120 | cxt->profile = profile; |
| @@ -175,7 +175,7 @@ int aa_set_current_hat(struct aa_profile *profile, u64 token) | |||
| 175 | abort_creds(new); | 175 | abort_creds(new); |
| 176 | return -EACCES; | 176 | return -EACCES; |
| 177 | } | 177 | } |
| 178 | cxt->profile = aa_get_profile(aa_newest_version(profile)); | 178 | cxt->profile = aa_get_newest_profile(profile); |
| 179 | /* clear exec on switching context */ | 179 | /* clear exec on switching context */ |
| 180 | aa_put_profile(cxt->onexec); | 180 | aa_put_profile(cxt->onexec); |
| 181 | cxt->onexec = NULL; | 181 | cxt->onexec = NULL; |
| @@ -212,14 +212,8 @@ int aa_restore_previous_profile(u64 token) | |||
| 212 | } | 212 | } |
| 213 | 213 | ||
| 214 | aa_put_profile(cxt->profile); | 214 | aa_put_profile(cxt->profile); |
| 215 | cxt->profile = aa_newest_version(cxt->previous); | 215 | cxt->profile = aa_get_newest_profile(cxt->previous); |
| 216 | BUG_ON(!cxt->profile); | 216 | BUG_ON(!cxt->profile); |
| 217 | if (unlikely(cxt->profile != cxt->previous)) { | ||
| 218 | aa_get_profile(cxt->profile); | ||
| 219 | aa_put_profile(cxt->previous); | ||
| 220 | } | ||
| 221 | /* ref has been transfered so avoid putting ref in clear_task_cxt */ | ||
| 222 | cxt->previous = NULL; | ||
| 223 | /* clear exec && prev information when restoring to previous context */ | 217 | /* clear exec && prev information when restoring to previous context */ |
| 224 | aa_clear_task_cxt_trans(cxt); | 218 | aa_clear_task_cxt_trans(cxt); |
| 225 | 219 | ||