aboutsummaryrefslogtreecommitdiffstats
path: root/security/apparmor/apparmorfs.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/apparmor/apparmorfs.c')
-rw-r--r--security/apparmor/apparmorfs.c45
1 files changed, 39 insertions, 6 deletions
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 853c2ec8e0c9..518d5928661b 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -32,6 +32,7 @@
32#include "include/audit.h" 32#include "include/audit.h"
33#include "include/context.h" 33#include "include/context.h"
34#include "include/crypto.h" 34#include "include/crypto.h"
35#include "include/ipc.h"
35#include "include/policy_ns.h" 36#include "include/policy_ns.h"
36#include "include/label.h" 37#include "include/label.h"
37#include "include/policy.h" 38#include "include/policy.h"
@@ -248,8 +249,10 @@ static struct dentry *aafs_create(const char *name, umode_t mode,
248 249
249 inode_lock(dir); 250 inode_lock(dir);
250 dentry = lookup_one_len(name, parent, strlen(name)); 251 dentry = lookup_one_len(name, parent, strlen(name));
251 if (IS_ERR(dentry)) 252 if (IS_ERR(dentry)) {
253 error = PTR_ERR(dentry);
252 goto fail_lock; 254 goto fail_lock;
255 }
253 256
254 if (d_really_is_positive(dentry)) { 257 if (d_really_is_positive(dentry)) {
255 error = -EEXIST; 258 error = -EEXIST;
@@ -1443,6 +1446,10 @@ void __aafs_profile_migrate_dents(struct aa_profile *old,
1443{ 1446{
1444 int i; 1447 int i;
1445 1448
1449 AA_BUG(!old);
1450 AA_BUG(!new);
1451 AA_BUG(!mutex_is_locked(&profiles_ns(old)->lock));
1452
1446 for (i = 0; i < AAFS_PROF_SIZEOF; i++) { 1453 for (i = 0; i < AAFS_PROF_SIZEOF; i++) {
1447 new->dents[i] = old->dents[i]; 1454 new->dents[i] = old->dents[i];
1448 if (new->dents[i]) 1455 if (new->dents[i])
@@ -1506,6 +1513,9 @@ int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent)
1506 struct dentry *dent = NULL, *dir; 1513 struct dentry *dent = NULL, *dir;
1507 int error; 1514 int error;
1508 1515
1516 AA_BUG(!profile);
1517 AA_BUG(!mutex_is_locked(&profiles_ns(profile)->lock));
1518
1509 if (!parent) { 1519 if (!parent) {
1510 struct aa_profile *p; 1520 struct aa_profile *p;
1511 p = aa_deref_parent(profile); 1521 p = aa_deref_parent(profile);
@@ -1731,6 +1741,7 @@ void __aafs_ns_rmdir(struct aa_ns *ns)
1731 1741
1732 if (!ns) 1742 if (!ns)
1733 return; 1743 return;
1744 AA_BUG(!mutex_is_locked(&ns->lock));
1734 1745
1735 list_for_each_entry(child, &ns->base.profiles, base.list) 1746 list_for_each_entry(child, &ns->base.profiles, base.list)
1736 __aafs_profile_rmdir(child); 1747 __aafs_profile_rmdir(child);
@@ -1903,6 +1914,10 @@ static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns)
1903{ 1914{
1904 struct aa_ns *parent, *next; 1915 struct aa_ns *parent, *next;
1905 1916
1917 AA_BUG(!root);
1918 AA_BUG(!ns);
1919 AA_BUG(ns != root && !mutex_is_locked(&ns->parent->lock));
1920
1906 /* is next namespace a child */ 1921 /* is next namespace a child */
1907 if (!list_empty(&ns->sub_ns)) { 1922 if (!list_empty(&ns->sub_ns)) {
1908 next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list); 1923 next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
@@ -1937,6 +1952,9 @@ static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns)
1937static struct aa_profile *__first_profile(struct aa_ns *root, 1952static struct aa_profile *__first_profile(struct aa_ns *root,
1938 struct aa_ns *ns) 1953 struct aa_ns *ns)
1939{ 1954{
1955 AA_BUG(!root);
1956 AA_BUG(ns && !mutex_is_locked(&ns->lock));
1957
1940 for (; ns; ns = __next_ns(root, ns)) { 1958 for (; ns; ns = __next_ns(root, ns)) {
1941 if (!list_empty(&ns->base.profiles)) 1959 if (!list_empty(&ns->base.profiles))
1942 return list_first_entry(&ns->base.profiles, 1960 return list_first_entry(&ns->base.profiles,
@@ -1959,6 +1977,8 @@ static struct aa_profile *__next_profile(struct aa_profile *p)
1959 struct aa_profile *parent; 1977 struct aa_profile *parent;
1960 struct aa_ns *ns = p->ns; 1978 struct aa_ns *ns = p->ns;
1961 1979
1980 AA_BUG(!mutex_is_locked(&profiles_ns(p)->lock));
1981
1962 /* is next profile a child */ 1982 /* is next profile a child */
1963 if (!list_empty(&p->base.profiles)) 1983 if (!list_empty(&p->base.profiles))
1964 return list_first_entry(&p->base.profiles, typeof(*p), 1984 return list_first_entry(&p->base.profiles, typeof(*p),
@@ -2127,6 +2147,11 @@ static struct aa_sfs_entry aa_sfs_entry_ptrace[] = {
2127 { } 2147 { }
2128}; 2148};
2129 2149
2150static struct aa_sfs_entry aa_sfs_entry_signal[] = {
2151 AA_SFS_FILE_STRING("mask", AA_SFS_SIG_MASK),
2152 { }
2153};
2154
2130static struct aa_sfs_entry aa_sfs_entry_domain[] = { 2155static struct aa_sfs_entry aa_sfs_entry_domain[] = {
2131 AA_SFS_FILE_BOOLEAN("change_hat", 1), 2156 AA_SFS_FILE_BOOLEAN("change_hat", 1),
2132 AA_SFS_FILE_BOOLEAN("change_hatv", 1), 2157 AA_SFS_FILE_BOOLEAN("change_hatv", 1),
@@ -2151,9 +2176,14 @@ static struct aa_sfs_entry aa_sfs_entry_policy[] = {
2151 { } 2176 { }
2152}; 2177};
2153 2178
2179static struct aa_sfs_entry aa_sfs_entry_mount[] = {
2180 AA_SFS_FILE_STRING("mask", "mount umount pivot_root"),
2181 { }
2182};
2183
2154static struct aa_sfs_entry aa_sfs_entry_ns[] = { 2184static struct aa_sfs_entry aa_sfs_entry_ns[] = {
2155 AA_SFS_FILE_BOOLEAN("profile", 1), 2185 AA_SFS_FILE_BOOLEAN("profile", 1),
2156 AA_SFS_FILE_BOOLEAN("pivot_root", 1), 2186 AA_SFS_FILE_BOOLEAN("pivot_root", 0),
2157 { } 2187 { }
2158}; 2188};
2159 2189
@@ -2172,22 +2202,25 @@ static struct aa_sfs_entry aa_sfs_entry_features[] = {
2172 AA_SFS_DIR("policy", aa_sfs_entry_policy), 2202 AA_SFS_DIR("policy", aa_sfs_entry_policy),
2173 AA_SFS_DIR("domain", aa_sfs_entry_domain), 2203 AA_SFS_DIR("domain", aa_sfs_entry_domain),
2174 AA_SFS_DIR("file", aa_sfs_entry_file), 2204 AA_SFS_DIR("file", aa_sfs_entry_file),
2205 AA_SFS_DIR("network", aa_sfs_entry_network),
2206 AA_SFS_DIR("mount", aa_sfs_entry_mount),
2175 AA_SFS_DIR("namespaces", aa_sfs_entry_ns), 2207 AA_SFS_DIR("namespaces", aa_sfs_entry_ns),
2176 AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), 2208 AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
2177 AA_SFS_DIR("rlimit", aa_sfs_entry_rlimit), 2209 AA_SFS_DIR("rlimit", aa_sfs_entry_rlimit),
2178 AA_SFS_DIR("caps", aa_sfs_entry_caps), 2210 AA_SFS_DIR("caps", aa_sfs_entry_caps),
2179 AA_SFS_DIR("ptrace", aa_sfs_entry_ptrace), 2211 AA_SFS_DIR("ptrace", aa_sfs_entry_ptrace),
2212 AA_SFS_DIR("signal", aa_sfs_entry_signal),
2180 AA_SFS_DIR("query", aa_sfs_entry_query), 2213 AA_SFS_DIR("query", aa_sfs_entry_query),
2181 { } 2214 { }
2182}; 2215};
2183 2216
2184static struct aa_sfs_entry aa_sfs_entry_apparmor[] = { 2217static struct aa_sfs_entry aa_sfs_entry_apparmor[] = {
2185 AA_SFS_FILE_FOPS(".access", 0640, &aa_sfs_access), 2218 AA_SFS_FILE_FOPS(".access", 0666, &aa_sfs_access),
2186 AA_SFS_FILE_FOPS(".stacked", 0444, &seq_ns_stacked_fops), 2219 AA_SFS_FILE_FOPS(".stacked", 0444, &seq_ns_stacked_fops),
2187 AA_SFS_FILE_FOPS(".ns_stacked", 0444, &seq_ns_nsstacked_fops), 2220 AA_SFS_FILE_FOPS(".ns_stacked", 0444, &seq_ns_nsstacked_fops),
2188 AA_SFS_FILE_FOPS(".ns_level", 0666, &seq_ns_level_fops), 2221 AA_SFS_FILE_FOPS(".ns_level", 0444, &seq_ns_level_fops),
2189 AA_SFS_FILE_FOPS(".ns_name", 0640, &seq_ns_name_fops), 2222 AA_SFS_FILE_FOPS(".ns_name", 0444, &seq_ns_name_fops),
2190 AA_SFS_FILE_FOPS("profiles", 0440, &aa_sfs_profiles_fops), 2223 AA_SFS_FILE_FOPS("profiles", 0444, &aa_sfs_profiles_fops),
2191 AA_SFS_DIR("features", aa_sfs_entry_features), 2224 AA_SFS_DIR("features", aa_sfs_entry_features),
2192 { } 2225 { }
2193}; 2226};
generated by cgit v1.2.2 (git 2.25.0) at 2025-04-27 00:58:00 -0400