apparmor: add interface files for profiles and namespaces

Add basic interface files to access namespace and profile information. The interface files are created when a profile is loaded and removed when the profile or namespace is removed. Signed-off-by: John Johansen <john.johansen@canonical.com>
author: John Johansen <john.johansen@canonical.com> 2013-07-11 00:13:43 -0400
committer: John Johansen <john.johansen@canonical.com> 2013-08-14 14:42:07 -0400
commit: 0d259f043f5f60f74c4fd020aac190cb6450e918 (patch)
tree: 92fed6a02a1dc6069d7d92e14f2418c85f936303 /security/apparmor/include
parent: 038165070aa55375d4bdd2f84b34a486feca63d6 (diff)
3 files changed, 57 insertions, 3 deletions
diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
index 7ea4769fab3f..2494e112f2bf 100644
--- a/security/apparmor/include/apparmorfs.h
+++ b/security/apparmor/include/apparmorfs.h
@@ -61,4 +61,42 @@ extern const struct file_operations aa_fs_seq_file_ops;
 extern void __init aa_destroy_aafs(void);
+struct aa_profile;
+struct aa_namespace;
+enum aafs_ns_type {
+        AAFS_NS_DIR,
+        AAFS_NS_PROFS,
+        AAFS_NS_NS,
+        AAFS_NS_COUNT,
+        AAFS_NS_MAX_COUNT,
+        AAFS_NS_SIZE,
+        AAFS_NS_MAX_SIZE,
+        AAFS_NS_OWNER,
+        AAFS_NS_SIZEOF,
+};
+enum aafs_prof_type {
+        AAFS_PROF_DIR,
+        AAFS_PROF_PROFS,
+        AAFS_PROF_NAME,
+        AAFS_PROF_MODE,
+        AAFS_PROF_SIZEOF,
+};
+#define ns_dir(X) ((X)->dents[AAFS_NS_DIR])
+#define ns_subns_dir(X) ((X)->dents[AAFS_NS_NS])
+#define ns_subprofs_dir(X) ((X)->dents[AAFS_NS_PROFS])
+#define prof_dir(X) ((X)->dents[AAFS_PROF_DIR])
+#define prof_child_dir(X) ((X)->dents[AAFS_PROF_PROFS])
+void __aa_fs_profile_rmdir(struct aa_profile *profile);
+void __aa_fs_profile_migrate_dents(struct aa_profile *old,
+                                   struct aa_profile *new);
+int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent);
+void __aa_fs_namespace_rmdir(struct aa_namespace *ns);
+int __aa_fs_namespace_mkdir(struct aa_namespace *ns, struct dentry *parent,
+                            const char *name);
 #endif /* __AA_APPARMORFS_H */
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 69d8cae634e7..30e8d7687259 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -27,7 +27,6 @@ struct aa_profile;
 extern const char *const audit_mode_names[];
 #define AUDIT_MAX_INDEX 5
 enum audit_mode {
        AUDIT_NORMAL,           /* follow normal auditing of accesses */
        AUDIT_QUIET_DENIED,     /* quiet all denied access messages */
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 65662e3c75cf..5c72231d1c42 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -29,8 +29,8 @@
 #include "file.h"
 #include "resource.h"
-extern const char *const profile_mode_names[];
+extern const char *const aa_profile_mode_names[];
-#define APPARMOR_NAMES_MAX_INDEX 3
+#define APPARMOR_MODE_NAMES_MAX_INDEX 4
 #define PROFILE_MODE(_profile, _mode)           \
        ((aa_g_profile_mode == (_mode)) ||      \
@@ -110,6 +110,8 @@ struct aa_ns_acct {
 * @unconfined: special unconfined profile for the namespace
 * @sub_ns: list of namespaces under the current namespace.
 * @uniq_null: uniq value used for null learning profiles
+ * @uniq_id: a unique id count for the profiles in the namespace
+ * @dents: dentries for the namespaces file entries in apparmorfs
 *
 * An aa_namespace defines the set profiles that are searched to determine
 * which profile to attach to a task.  Profiles can not be shared between
@@ -133,6 +135,9 @@ struct aa_namespace {
        struct aa_profile *unconfined;
        struct list_head sub_ns;
        atomic_t uniq_null;
+        long uniq_id;
+        struct dentry *dents[AAFS_NS_SIZEOF];
 };
 /* struct aa_policydb - match engine for a policy
@@ -172,6 +177,9 @@ struct aa_replacedby {
 * @caps: capabilities for the profile
 * @rlimits: rlimits for the profile
 *
+ * @dents: dentries for the profiles file entries in apparmorfs
+ * @dirname: name of the profile dir in apparmorfs
+ *
 * The AppArmor profile contains the basic confinement data.  Each profile
 * has a name, and exists in a namespace.  The @name and @exec_match are
 * used to determine profile attachment against unconfined tasks.  All other
@@ -208,6 +216,9 @@ struct aa_profile {
        struct aa_file_rules file;
        struct aa_caps caps;
        struct aa_rlimit rlimits;
+        char *dirname;
+        struct dentry *dents[AAFS_PROF_SIZEOF];
 };
 extern struct aa_namespace *root_ns;
@@ -243,6 +254,12 @@ ssize_t aa_remove_profiles(char *name, size_t size);
 #define unconfined(X) ((X)->mode == APPARMOR_UNCONFINED)
+static inline struct aa_profile *aa_deref_parent(struct aa_profile *p)
+{
+        return rcu_dereference_protected(p->parent,
+                                         mutex_is_locked(&p->ns->lock));
+}
 /**
 * aa_get_profile - increment refcount on profile @p
 * @p: profile  (MAYBE NULL)
author	John Johansen <john.johansen@canonical.com>	2013-07-11 00:13:43 -0400
committer	John Johansen <john.johansen@canonical.com>	2013-08-14 14:42:07 -0400
commit	0d259f043f5f60f74c4fd020aac190cb6450e918 (patch)
tree	92fed6a02a1dc6069d7d92e14f2418c85f936303 /security/apparmor/include
parent	038165070aa55375d4bdd2f84b34a486feca63d6 (diff)

diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h index 7ea4769fab3f..2494e112f2bf 100644 --- a/security/apparmor/include/apparmorfs.h +++ b/security/apparmor/include/apparmorfs.h
@@ -61,4 +61,42 @@ extern const struct file_operations aa_fs_seq_file_ops;
61		61
62	extern void __init aa_destroy_aafs(void);	62	extern void __init aa_destroy_aafs(void);
63		63
		64	struct aa_profile;
		65	struct aa_namespace;
		66
		67	enum aafs_ns_type {
		68	AAFS_NS_DIR,
		69	AAFS_NS_PROFS,
		70	AAFS_NS_NS,
		71	AAFS_NS_COUNT,
		72	AAFS_NS_MAX_COUNT,
		73	AAFS_NS_SIZE,
		74	AAFS_NS_MAX_SIZE,
		75	AAFS_NS_OWNER,
		76	AAFS_NS_SIZEOF,
		77	};
		78
		79	enum aafs_prof_type {
		80	AAFS_PROF_DIR,
		81	AAFS_PROF_PROFS,
		82	AAFS_PROF_NAME,
		83	AAFS_PROF_MODE,
		84	AAFS_PROF_SIZEOF,
		85	};
		86
		87	#define ns_dir(X) ((X)->dents[AAFS_NS_DIR])
		88	#define ns_subns_dir(X) ((X)->dents[AAFS_NS_NS])
		89	#define ns_subprofs_dir(X) ((X)->dents[AAFS_NS_PROFS])
		90
		91	#define prof_dir(X) ((X)->dents[AAFS_PROF_DIR])
		92	#define prof_child_dir(X) ((X)->dents[AAFS_PROF_PROFS])
		93
		94	void __aa_fs_profile_rmdir(struct aa_profile *profile);
		95	void __aa_fs_profile_migrate_dents(struct aa_profile *old,
		96	struct aa_profile *new);
		97	int __aa_fs_profile_mkdir(struct aa_profile profile, struct dentry parent);
		98	void __aa_fs_namespace_rmdir(struct aa_namespace *ns);
		99	int __aa_fs_namespace_mkdir(struct aa_namespace ns, struct dentry parent,
		100	const char *name);
		101
64	#endif /* __AA_APPARMORFS_H */	102	#endif /* __AA_APPARMORFS_H */


diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index 69d8cae634e7..30e8d7687259 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h
@@ -27,7 +27,6 @@ struct aa_profile;
27		27
28	extern const char *const audit_mode_names[];	28	extern const char *const audit_mode_names[];
29	#define AUDIT_MAX_INDEX 5	29	#define AUDIT_MAX_INDEX 5
30
31	enum audit_mode {	30	enum audit_mode {
32	AUDIT_NORMAL, /* follow normal auditing of accesses */	31	AUDIT_NORMAL, /* follow normal auditing of accesses */
33	AUDIT_QUIET_DENIED, /* quiet all denied access messages */	32	AUDIT_QUIET_DENIED, /* quiet all denied access messages */


diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h index 65662e3c75cf..5c72231d1c42 100644 --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h
@@ -29,8 +29,8 @@
29	#include "file.h"	29	#include "file.h"
30	#include "resource.h"	30	#include "resource.h"
31		31
32	extern const char *const profile_mode_names[];	32	extern const char *const aa_profile_mode_names[];
33	#define APPARMOR_NAMES_MAX_INDEX 3	33	#define APPARMOR_MODE_NAMES_MAX_INDEX 4
34		34
35	#define PROFILE_MODE(_profile, _mode) \	35	#define PROFILE_MODE(_profile, _mode) \
36	((aa_g_profile_mode == (_mode)) \|\| \	36	((aa_g_profile_mode == (_mode)) \|\| \
@@ -110,6 +110,8 @@ struct aa_ns_acct {
110	* @unconfined: special unconfined profile for the namespace	110	* @unconfined: special unconfined profile for the namespace
111	* @sub_ns: list of namespaces under the current namespace.	111	* @sub_ns: list of namespaces under the current namespace.
112	* @uniq_null: uniq value used for null learning profiles	112	* @uniq_null: uniq value used for null learning profiles
		113	* @uniq_id: a unique id count for the profiles in the namespace
		114	* @dents: dentries for the namespaces file entries in apparmorfs
113	*	115	*
114	* An aa_namespace defines the set profiles that are searched to determine	116	* An aa_namespace defines the set profiles that are searched to determine
115	* which profile to attach to a task. Profiles can not be shared between	117	* which profile to attach to a task. Profiles can not be shared between
@@ -133,6 +135,9 @@ struct aa_namespace {
133	struct aa_profile *unconfined;	135	struct aa_profile *unconfined;
134	struct list_head sub_ns;	136	struct list_head sub_ns;
135	atomic_t uniq_null;	137	atomic_t uniq_null;
		138	long uniq_id;
		139
		140	struct dentry *dents[AAFS_NS_SIZEOF];
136	};	141	};
137		142
138	/* struct aa_policydb - match engine for a policy	143	/* struct aa_policydb - match engine for a policy
@@ -172,6 +177,9 @@ struct aa_replacedby {
172	* @caps: capabilities for the profile	177	* @caps: capabilities for the profile
173	* @rlimits: rlimits for the profile	178	* @rlimits: rlimits for the profile
174	*	179	*
		180	* @dents: dentries for the profiles file entries in apparmorfs
		181	* @dirname: name of the profile dir in apparmorfs
		182	*
175	* The AppArmor profile contains the basic confinement data. Each profile	183	* The AppArmor profile contains the basic confinement data. Each profile
176	* has a name, and exists in a namespace. The @name and @exec_match are	184	* has a name, and exists in a namespace. The @name and @exec_match are
177	* used to determine profile attachment against unconfined tasks. All other	185	* used to determine profile attachment against unconfined tasks. All other
@@ -208,6 +216,9 @@ struct aa_profile {
208	struct aa_file_rules file;	216	struct aa_file_rules file;
209	struct aa_caps caps;	217	struct aa_caps caps;
210	struct aa_rlimit rlimits;	218	struct aa_rlimit rlimits;
		219
		220	char *dirname;
		221	struct dentry *dents[AAFS_PROF_SIZEOF];
211	};	222	};
212		223
213	extern struct aa_namespace *root_ns;	224	extern struct aa_namespace *root_ns;
@@ -243,6 +254,12 @@ ssize_t aa_remove_profiles(char *name, size_t size);
243	#define unconfined(X) ((X)->mode == APPARMOR_UNCONFINED)	254	#define unconfined(X) ((X)->mode == APPARMOR_UNCONFINED)
244		255
245		256
		257	static inline struct aa_profile aa_deref_parent(struct aa_profile p)
		258	{
		259	return rcu_dereference_protected(p->parent,
		260	mutex_is_locked(&p->ns->lock));
		261	}
		262
246	/**	263	/**
247	* aa_get_profile - increment refcount on profile @p	264	* aa_get_profile - increment refcount on profile @p
248	* @p: profile (MAYBE NULL)	265	* @p: profile (MAYBE NULL)