Merge tag 'apparmor-pr-2018-06-13' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull AppArmor updates from John Johansen: "Features - add support for mapping secids and using secctxes - add the ability to get a task's secid - add support for audit rule filtering Cleanups: - multiple typo fixes - Convert to use match_string() helper - update git and wiki locations in AppArmor docs - improve get_buffers macro by using get_cpu_ptr - Use an IDR to allocate apparmor secids Bug fixes: - fix '*seclen' is never less than zero - fix mediation of prlimit - fix memory leak when deduping profile load - fix ptrace read check - fix memory leak of rule on error exit path" * tag 'apparmor-pr-2018-06-13' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (21 commits) apparmor: fix ptrace read check apparmor: fix memory leak when deduping profile load apparmor: fix mediation of prlimit apparmor: fixup secid map conversion to using IDR apparmor: Use an IDR to allocate apparmor secids apparmor: Fix memory leak of rule on error exit path apparmor: modify audit rule support to support profile stacks apparmor: Add support for audit rule filtering apparmor: update git and wiki locations in AppArmor docs apparmor: Convert to use match_string() helper apparmor: improve get_buffers macro by using get_cpu_ptr apparmor: fix '*seclen' is never less than zero apparmor: fix typo "preconfinement" apparmor: fix typo "independent" apparmor: fix typo "traverse" apparmor: fix typo "type" apparmor: fix typo "replace" apparmor: fix typo "comparison" apparmor: fix typo "loosen" apparmor: add the ability to get a task's secid ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2018-06-14 03:11:28 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2018-06-14 03:11:28 -0400
commit: 463f202172c31b9c36278001cabfbad4e12da42e (patch)
tree: 2e19e74001db3f5bc5012b90781435add1de4311 /security/apparmor/include
parent: 050e9baa9dc9fbd9ce2b27f0056990fc9e0a08a0 (diff)
parent: 338d0be437ef10e247a35aed83dbab182cf406a2 (diff)
4 files changed, 37 insertions, 21 deletions
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 9c9be9c98c15..b8c8b1066b0a 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -189,4 +189,10 @@ static inline int complain_error(int error)
        return error;
 }
+void aa_audit_rule_free(void *vrule);
+int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);
+int aa_audit_rule_known(struct audit_krule *rule);
+int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
+                        struct audit_context *actx);
 #endif /* __AA_AUDIT_H */
diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
index d871e7ff0952..7ce5fe73ae7f 100644
--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -281,7 +281,7 @@ void __aa_labelset_update_subtree(struct aa_ns *ns);
 void aa_label_free(struct aa_label *label);
 void aa_label_kref(struct kref *kref);
-bool aa_label_init(struct aa_label *label, int size);
+bool aa_label_init(struct aa_label *label, int size, gfp_t gfp);
 struct aa_label *aa_label_alloc(int size, struct aa_proxy *proxy, gfp_t gfp);
 bool aa_label_is_subset(struct aa_label *set, struct aa_label *sub);
diff --git a/security/apparmor/include/path.h b/security/apparmor/include/path.h
index e042b994f2b8..b6380c5f0097 100644
--- a/security/apparmor/include/path.h
+++ b/security/apparmor/include/path.h
@@ -43,10 +43,11 @@ struct aa_buffers {
 DECLARE_PER_CPU(struct aa_buffers, aa_buffers);
-#define ASSIGN(FN, X, N) ((X) = FN(N))
+#define ASSIGN(FN, A, X, N) ((X) = FN(A, N))
-#define EVAL1(FN, X) ASSIGN(FN, X, 0) /*X = FN(0)*/
+#define EVAL1(FN, A, X) ASSIGN(FN, A, X, 0) /*X = FN(0)*/
-#define EVAL2(FN, X, Y...) do { ASSIGN(FN, X, 1);  EVAL1(FN, Y); } while (0)
+#define EVAL2(FN, A, X, Y...)   \
-#define EVAL(FN, X...) CONCATENATE(EVAL, COUNT_ARGS(X))(FN, X)
+        do { ASSIGN(FN, A, X, 1);  EVAL1(FN, A, Y); } while (0)
+#define EVAL(FN, A, X...) CONCATENATE(EVAL, COUNT_ARGS(X))(FN, A, X)
 #define for_each_cpu_buffer(I) for ((I) = 0; (I) < MAX_PATH_BUFFERS; (I)++)
@@ -56,26 +57,24 @@ DECLARE_PER_CPU(struct aa_buffers, aa_buffers);
 #define AA_BUG_PREEMPT_ENABLED(X) /* nop */
 #endif
-#define __get_buffer(N) ({                                      \
+#define __get_buffer(C, N) ({                                           \
-        struct aa_buffers *__cpu_var; \
        AA_BUG_PREEMPT_ENABLED("__get_buffer without preempt disabled");  \
-        __cpu_var = this_cpu_ptr(&aa_buffers);                  \
+        (C)->buf[(N)]; })
-        __cpu_var->buf[(N)]; })
-#define __get_buffers(X...)    EVAL(__get_buffer, X)
+#define __get_buffers(C, X...)    EVAL(__get_buffer, C, X)
 #define __put_buffers(X, Y...) ((void)&(X))
-#define get_buffers(X...)       \
+#define get_buffers(X...)                                               \
-do {                            \
+do {                                                                    \
-        preempt_disable();      \
+        struct aa_buffers *__cpu_var = get_cpu_ptr(&aa_buffers);        \
-        __get_buffers(X);       \
+        __get_buffers(__cpu_var, X);                                    \
 } while (0)
-#define put_buffers(X, Y...)    \
+#define put_buffers(X, Y...)            \
-do {                            \
+do {                                    \
-        __put_buffers(X, Y);    \
+        __put_buffers(X, Y);            \
-        preempt_enable();       \
+        put_cpu_ptr(&aa_buffers);       \
 } while (0)
 #endif /* __AA_PATH_H */
diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
index 95ed86a0f1e2..dee6fa3b6081 100644
--- a/security/apparmor/include/secid.h
+++ b/security/apparmor/include/secid.h
@@ -3,7 +3,7 @@
 *
 * This file contains AppArmor security identifier (secid) definitions
 *
- * Copyright 2009-2010 Canonical Ltd.
+ * Copyright 2009-2018 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
@@ -14,13 +14,24 @@
 #ifndef __AA_SECID_H
 #define __AA_SECID_H
+#include <linux/slab.h>
 #include <linux/types.h>
+struct aa_label;
 /* secid value that will not be allocated */
 #define AA_SECID_INVALID 0
-#define AA_SECID_ALLOC AA_SECID_INVALID
-u32 aa_alloc_secid(void);
+struct aa_label *aa_secid_to_label(u32 secid);
+int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
+int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
+void apparmor_release_secctx(char *secdata, u32 seclen);
+int aa_alloc_secid(struct aa_label *label, gfp_t gfp);
 void aa_free_secid(u32 secid);
+void aa_secid_update(u32 secid, struct aa_label *label);
+void aa_secids_init(void);
 #endif /* __AA_SECID_H */
author	Linus Torvalds <torvalds@linux-foundation.org>	2018-06-14 03:11:28 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2018-06-14 03:11:28 -0400
commit	463f202172c31b9c36278001cabfbad4e12da42e (patch)
tree	2e19e74001db3f5bc5012b90781435add1de4311 /security/apparmor/include
parent	050e9baa9dc9fbd9ce2b27f0056990fc9e0a08a0 (diff)
parent	338d0be437ef10e247a35aed83dbab182cf406a2 (diff)