1 files changed, 118 insertions, 2 deletions
diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
index 550a700563b4..436b3a722357 100644
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -60,6 +60,7 @@
 extern int apparmor_initialized;
 /* fn's in lib */
+const char *skipn_spaces(const char *str, size_t n);
 char *aa_split_fqname(char *args, char **ns_name);
 const char *aa_splitn_fqname(const char *fqname, size_t n, const char **ns_name,
                             size_t *ns_len);
@@ -99,6 +100,36 @@ static inline bool path_mediated_fs(struct dentry *dentry)
        return !(dentry->d_sb->s_flags & MS_NOUSER);
 }
+struct counted_str {
+        struct kref count;
+        char name[];
+};
+#define str_to_counted(str) \
+        ((struct counted_str *)(str - offsetof(struct counted_str, name)))
+#define __counted       /* atm just a notation */
+void aa_str_kref(struct kref *kref);
+char *aa_str_alloc(int size, gfp_t gfp);
+static inline __counted char *aa_get_str(__counted char *str)
+{
+        if (str)
+                kref_get(&(str_to_counted(str)->count));
+        return str;
+}
+static inline void aa_put_str(__counted char *str)
+{
+        if (str)
+                kref_put(&str_to_counted(str)->count, aa_str_kref);
+}
 /* struct aa_policy - common part of both namespaces and profiles
 * @name: name of the object
 * @hname - The hierarchical name
@@ -107,7 +138,7 @@ static inline bool path_mediated_fs(struct dentry *dentry)
 */
 struct aa_policy {
        const char *name;
-        const char *hname;
+        __counted char *hname;
        struct list_head list;
        struct list_head profiles;
 };
@@ -180,4 +211,89 @@ bool aa_policy_init(struct aa_policy *policy, const char *prefix,
                    const char *name, gfp_t gfp);
 void aa_policy_destroy(struct aa_policy *policy);
-#endif /* AA_LIB_H */
+/*
+ * fn_label_build - abstract out the build of a label transition
+ * @L: label the transition is being computed for
+ * @P: profile parameter derived from L by this macro, can be passed to FN
+ * @GFP: memory allocation type to use
+ * @FN: fn to call for each profile transition. @P is set to the profile
+ *
+ * Returns: new label on success
+ *          ERR_PTR if build @FN fails
+ *          NULL if label_build fails due to low memory conditions
+ *
+ * @FN must return a label or ERR_PTR on failure. NULL is not allowed
+ */
+#define fn_label_build(L, P, GFP, FN)                                   \
+({                                                                      \
+        __label__ __cleanup, __done;                                    \
+        struct aa_label *__new_;                                        \
+                                                                        \
+        if ((L)->size > 1) {                                            \
+                /* TODO: add cache of transitions already done */       \
+                struct label_it __i;                                    \
+                int __j, __k, __count;                                  \
+                DEFINE_VEC(label, __lvec);                              \
+                DEFINE_VEC(profile, __pvec);                            \
+                if (vec_setup(label, __lvec, (L)->size, (GFP))) {       \
+                        __new_ = NULL;                                  \
+                        goto __done;                                    \
+                }                                                       \
+                __j = 0;                                                \
+                label_for_each(__i, (L), (P)) {                         \
+                        __new_ = (FN);                                  \
+                        AA_BUG(!__new_);                                \
+                        if (IS_ERR(__new_))                             \
+                                goto __cleanup;                         \
+                        __lvec[__j++] = __new_;                         \
+                }                                                       \
+                for (__j = __count = 0; __j < (L)->size; __j++)         \
+                        __count += __lvec[__j]->size;                   \
+                if (!vec_setup(profile, __pvec, __count, (GFP))) {      \
+                        for (__j = __k = 0; __j < (L)->size; __j++) {   \
+                                label_for_each(__i, __lvec[__j], (P))   \
+                                        __pvec[__k++] = aa_get_profile(P); \
+                        }                                               \
+                        __count -= aa_vec_unique(__pvec, __count, 0);   \
+                        if (__count > 1) {                              \
+                                __new_ = aa_vec_find_or_create_label(__pvec,\
+                                                     __count, (GFP));   \
+                                /* only fails if out of Mem */          \
+                                if (!__new_)                            \
+                                        __new_ = NULL;                  \
+                        } else                                          \
+                                __new_ = aa_get_label(&__pvec[0]->label); \
+                        vec_cleanup(profile, __pvec, __count);          \
+                } else                                                  \
+                        __new_ = NULL;                                  \
+__cleanup:                                                              \
+                vec_cleanup(label, __lvec, (L)->size);                  \
+        } else {                                                        \
+                (P) = labels_profile(L);                                \
+                __new_ = (FN);                                          \
+        }                                                               \
+__done:                                                                 \
+        if (!__new_)                                                    \
+                AA_DEBUG("label build failed\n");                       \
+        (__new_);                                                       \
+})
+#define __fn_build_in_ns(NS, P, NS_FN, OTHER_FN)                        \
+({                                                                      \
+        struct aa_label *__new;                                         \
+        if ((P)->ns != (NS))                                            \
+                __new = (OTHER_FN);                                     \
+        else                                                            \
+                __new = (NS_FN);                                        \
+        (__new);                                                        \
+})
+#define fn_label_build_in_ns(L, P, GFP, NS_FN, OTHER_FN)                \
+({                                                                      \
+        fn_label_build((L), (P), (GFP),                                 \
+                __fn_build_in_ns(labels_ns(L), (P), (NS_FN), (OTHER_FN))); \
+})
+#endif /* __AA_LIB_H */

diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h index 550a700563b4..436b3a722357 100644 --- a/security/apparmor/include/lib.h +++ b/security/apparmor/include/lib.h
@@ -60,6 +60,7 @@
60	extern int apparmor_initialized;	60	extern int apparmor_initialized;
61		61
62	/* fn's in lib */	62	/* fn's in lib */
		63	const char skipn_spaces(const char str, size_t n);
63	char aa_split_fqname(char args, char **ns_name);	64	char aa_split_fqname(char args, char **ns_name);
64	const char aa_splitn_fqname(const char fqname, size_t n, const char **ns_name,	65	const char aa_splitn_fqname(const char fqname, size_t n, const char **ns_name,
65	size_t *ns_len);	66	size_t *ns_len);
@@ -99,6 +100,36 @@ static inline bool path_mediated_fs(struct dentry *dentry)
99	return !(dentry->d_sb->s_flags & MS_NOUSER);	100	return !(dentry->d_sb->s_flags & MS_NOUSER);
100	}	101	}
101		102
		103
		104	struct counted_str {
		105	struct kref count;
		106	char name[];
		107	};
		108
		109	#define str_to_counted(str) \
		110	((struct counted_str *)(str - offsetof(struct counted_str, name)))
		111
		112	#define __counted /* atm just a notation */
		113
		114	void aa_str_kref(struct kref *kref);
		115	char *aa_str_alloc(int size, gfp_t gfp);
		116
		117
		118	static inline __counted char aa_get_str(__counted char str)
		119	{
		120	if (str)
		121	kref_get(&(str_to_counted(str)->count));
		122
		123	return str;
		124	}
		125
		126	static inline void aa_put_str(__counted char *str)
		127	{
		128	if (str)
		129	kref_put(&str_to_counted(str)->count, aa_str_kref);
		130	}
		131
		132
102	/* struct aa_policy - common part of both namespaces and profiles	133	/* struct aa_policy - common part of both namespaces and profiles
103	* @name: name of the object	134	* @name: name of the object
104	* @hname - The hierarchical name	135	* @hname - The hierarchical name
@@ -107,7 +138,7 @@ static inline bool path_mediated_fs(struct dentry *dentry)
107	*/	138	*/
108	struct aa_policy {	139	struct aa_policy {
109	const char *name;	140	const char *name;
110	const char *hname;	141	__counted char *hname;
111	struct list_head list;	142	struct list_head list;
112	struct list_head profiles;	143	struct list_head profiles;
113	};	144	};
@@ -180,4 +211,89 @@ bool aa_policy_init(struct aa_policy policy, const char prefix,
180	const char *name, gfp_t gfp);	211	const char *name, gfp_t gfp);
181	void aa_policy_destroy(struct aa_policy *policy);	212	void aa_policy_destroy(struct aa_policy *policy);
182		213
183	#endif /* AA_LIB_H */	214
		215	/*
		216	* fn_label_build - abstract out the build of a label transition
		217	* @L: label the transition is being computed for
		218	* @P: profile parameter derived from L by this macro, can be passed to FN
		219	* @GFP: memory allocation type to use
		220	* @FN: fn to call for each profile transition. @P is set to the profile
		221	*
		222	* Returns: new label on success
		223	* ERR_PTR if build @FN fails
		224	* NULL if label_build fails due to low memory conditions
		225	*
		226	* @FN must return a label or ERR_PTR on failure. NULL is not allowed
		227	*/
		228	#define fn_label_build(L, P, GFP, FN) \
		229	({ \
		230	__label__ __cleanup, __done; \
		231	struct aa_label *__new_; \
		232	\
		233	if ((L)->size > 1) { \
		234	/* TODO: add cache of transitions already done */ \
		235	struct label_it __i; \
		236	int __j, __k, __count; \
		237	DEFINE_VEC(label, __lvec); \
		238	DEFINE_VEC(profile, __pvec); \
		239	if (vec_setup(label, __lvec, (L)->size, (GFP))) { \
		240	__new_ = NULL; \
		241	goto __done; \
		242	} \
		243	__j = 0; \
		244	label_for_each(__i, (L), (P)) { \
		245	__new_ = (FN); \
		246	AA_BUG(!__new_); \
		247	if (IS_ERR(__new_)) \
		248	goto __cleanup; \
		249	__lvec[__j++] = __new_; \
		250	} \
		251	for (__j = __count = 0; __j < (L)->size; __j++) \
		252	__count += __lvec[__j]->size; \
		253	if (!vec_setup(profile, __pvec, __count, (GFP))) { \
		254	for (__j = __k = 0; __j < (L)->size; __j++) { \
		255	label_for_each(__i, __lvec[__j], (P)) \
		256	__pvec[__k++] = aa_get_profile(P); \
		257	} \
		258	__count -= aa_vec_unique(__pvec, __count, 0); \
		259	if (__count > 1) { \
		260	__new_ = aa_vec_find_or_create_label(__pvec,\
		261	__count, (GFP)); \
		262	/* only fails if out of Mem */ \
		263	if (!__new_) \
		264	__new_ = NULL; \
		265	} else \
		266	__new_ = aa_get_label(&__pvec[0]->label); \
		267	vec_cleanup(profile, __pvec, __count); \
		268	} else \
		269	__new_ = NULL; \
		270	__cleanup: \
		271	vec_cleanup(label, __lvec, (L)->size); \
		272	} else { \
		273	(P) = labels_profile(L); \
		274	__new_ = (FN); \
		275	} \
		276	__done: \
		277	if (!__new_) \
		278	AA_DEBUG("label build failed\n"); \
		279	(__new_); \
		280	})
		281
		282
		283	#define __fn_build_in_ns(NS, P, NS_FN, OTHER_FN) \
		284	({ \
		285	struct aa_label *__new; \
		286	if ((P)->ns != (NS)) \
		287	__new = (OTHER_FN); \
		288	else \
		289	__new = (NS_FN); \
		290	(__new); \
		291	})
		292
		293	#define fn_label_build_in_ns(L, P, GFP, NS_FN, OTHER_FN) \
		294	({ \
		295	fn_label_build((L), (P), (GFP), \
		296	__fn_build_in_ns(labels_ns(L), (P), (NS_FN), (OTHER_FN))); \
		297	})
		298
		299	#endif /* __AA_LIB_H */