4 files changed, 491 insertions, 0 deletions
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
new file mode 100644
index 000000000000..38ccaea08204
--- /dev/null
+++ b/security/apparmor/include/apparmor.h
@@ -0,0 +1,92 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor basic global and lib definitions
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+#ifndef __APPARMOR_H
+#define __APPARMOR_H
+#include <linux/fs.h>
+#include "match.h"
+/* Control parameters settable through module/boot flags */
+extern enum audit_mode aa_g_audit;
+extern int aa_g_audit_header;
+extern int aa_g_debug;
+extern int aa_g_lock_policy;
+extern int aa_g_logsyscall;
+extern int aa_g_paranoid_load;
+extern unsigned int aa_g_path_max;
+/*
+ * DEBUG remains global (no per profile flag) since it is mostly used in sysctl
+ * which is not related to profile accesses.
+ */
+#define AA_DEBUG(fmt, args...)                                          \
+        do {                                                            \
+                if (aa_g_debug && printk_ratelimit())                   \
+                        printk(KERN_DEBUG "AppArmor: " fmt, ##args);    \
+        } while (0)
+#define AA_ERROR(fmt, args...)                                          \
+        do {                                                            \
+                if (printk_ratelimit())                                 \
+                        printk(KERN_ERR "AppArmor: " fmt, ##args);      \
+        } while (0)
+/* Flag indicating whether initialization completed */
+extern int apparmor_initialized __initdata;
+/* fn's in lib */
+char *aa_split_fqname(char *args, char **ns_name);
+void aa_info_message(const char *str);
+void *kvmalloc(size_t size);
+void kvfree(void *buffer);
+/**
+ * aa_strneq - compare null terminated @str to a non null terminated substring
+ * @str: a null terminated string
+ * @sub: a substring, not necessarily null terminated
+ * @len: length of @sub to compare
+ *
+ * The @str string must be full consumed for this to be considered a match
+ */
+static inline bool aa_strneq(const char *str, const char *sub, int len)
+{
+        return !strncmp(str, sub, len) && !str[len];
+}
+/**
+ * aa_dfa_null_transition - step to next state after null character
+ * @dfa: the dfa to match against
+ * @start: the state of the dfa to start matching in
+ *
+ * aa_dfa_null_transition transitions to the next state after a null
+ * character which is not used in standard matching and is only
+ * used to separate pairs.
+ */
+static inline unsigned int aa_dfa_null_transition(struct aa_dfa *dfa,
+                                                  unsigned int start)
+{
+        /* the null transition only needs the string's null terminator byte */
+        return aa_dfa_match_len(dfa, start, "", 1);
+}
+static inline bool mediated_filesystem(struct inode *inode)
+{
+        return !(inode->i_sb->s_flags & MS_NOUSER);
+}
+#endif /* __APPARMOR_H */
diff --git a/security/apparmor/include/path.h b/security/apparmor/include/path.h
new file mode 100644
index 000000000000..27b327a7fae5
--- /dev/null
+++ b/security/apparmor/include/path.h
@@ -0,0 +1,31 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor basic path manipulation function definitions.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+#ifndef __AA_PATH_H
+#define __AA_PATH_H
+enum path_flags {
+        PATH_IS_DIR = 0x1,              /* path is a directory */
+        PATH_CONNECT_PATH = 0x4,        /* connect disconnected paths to / */
+        PATH_CHROOT_REL = 0x8,          /* do path lookup relative to chroot */
+        PATH_CHROOT_NSCONNECT = 0x10,   /* connect paths that are at ns root */
+        PATH_DELEGATE_DELETED = 0x08000, /* delegate deleted files */
+        PATH_MEDIATE_DELETED = 0x10000, /* mediate deleted paths */
+};
+int aa_get_name(struct path *path, int flags, char **buffer, const char **name);
+#endif /* __AA_PATH_H */
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
new file mode 100644
index 000000000000..6e85cdb4303f
--- /dev/null
+++ b/security/apparmor/lib.c
@@ -0,0 +1,133 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains basic common functions used in AppArmor
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+#include <linux/slab.h>
+#include <linux/string.h>
+#include <linux/vmalloc.h>
+#include "include/audit.h"
+/**
+ * aa_split_fqname - split a fqname into a profile and namespace name
+ * @fqname: a full qualified name in namespace profile format (NOT NULL)
+ * @ns_name: pointer to portion of the string containing the ns name (NOT NULL)
+ *
+ * Returns: profile name or NULL if one is not specified
+ *
+ * Split a namespace name from a profile name (see policy.c for naming
+ * description).  If a portion of the name is missing it returns NULL for
+ * that portion.
+ *
+ * NOTE: may modify the @fqname string.  The pointers returned point
+ *       into the @fqname string.
+ */
+char *aa_split_fqname(char *fqname, char **ns_name)
+{
+        char *name = strim(fqname);
+        *ns_name = NULL;
+        if (name[0] == ':') {
+                char *split = strchr(&name[1], ':');
+                if (split) {
+                        /* overwrite ':' with \0 */
+                        *split = 0;
+                        name = skip_spaces(split + 1);
+                } else
+                        /* a ns name without a following profile is allowed */
+                        name = NULL;
+                *ns_name = &name[1];
+        }
+        if (name && *name == 0)
+                name = NULL;
+        return name;
+}
+/**
+ * aa_info_message - log a none profile related status message
+ * @str: message to log
+ */
+void aa_info_message(const char *str)
+{
+        if (audit_enabled) {
+                struct common_audit_data sa;
+                COMMON_AUDIT_DATA_INIT(&sa, NONE);
+                sa.aad.info = str;
+                aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, NULL);
+        }
+        printk(KERN_INFO "AppArmor: %s\n", str);
+}
+/**
+ * kvmalloc - do allocation preferring kmalloc but falling back to vmalloc
+ * @size: size of allocation
+ *
+ * Return: allocated buffer or NULL if failed
+ *
+ * It is possible that policy being loaded from the user is larger than
+ * what can be allocated by kmalloc, in those cases fall back to vmalloc.
+ */
+void *kvmalloc(size_t size)
+{
+        void *buffer = NULL;
+        if (size == 0)
+                return NULL;
+        /* do not attempt kmalloc if we need more than 16 pages at once */
+        if (size <= (16*PAGE_SIZE))
+                buffer = kmalloc(size, GFP_NOIO | __GFP_NOWARN);
+        if (!buffer) {
+                /* see kvfree for why size must be at least work_struct size
+                 * when allocated via vmalloc
+                 */
+                if (size < sizeof(struct work_struct))
+                        size = sizeof(struct work_struct);
+                buffer = vmalloc(size);
+        }
+        return buffer;
+}
+/**
+ * do_vfree - workqueue routine for freeing vmalloced memory
+ * @work: data to be freed
+ *
+ * The work_struct is overlaid to the data being freed, as at the point
+ * the work is scheduled the data is no longer valid, be its freeing
+ * needs to be delayed until safe.
+ */
+static void do_vfree(struct work_struct *work)
+{
+        vfree(work);
+}
+/**
+ * kvfree - free an allocation do by kvmalloc
+ * @buffer: buffer to free (MAYBE_NULL)
+ *
+ * Free a buffer allocated by kvmalloc
+ */
+void kvfree(void *buffer)
+{
+        if (is_vmalloc_addr(buffer)) {
+                /* Data is no longer valid so just use the allocated space
+                 * as the work_struct
+                 */
+                struct work_struct *work = (struct work_struct *) buffer;
+                INIT_WORK(work, do_vfree);
+                schedule_work(work);
+        } else
+                kfree(buffer);
+}
diff --git a/security/apparmor/path.c b/security/apparmor/path.c
new file mode 100644
index 000000000000..96bab9469d48
--- /dev/null
+++ b/security/apparmor/path.c
@@ -0,0 +1,235 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor function for pathnames
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+#include <linux/magic.h>
+#include <linux/mnt_namespace.h>
+#include <linux/mount.h>
+#include <linux/namei.h>
+#include <linux/nsproxy.h>
+#include <linux/path.h>
+#include <linux/sched.h>
+#include <linux/slab.h>
+#include <linux/fs_struct.h>
+#include "include/apparmor.h"
+#include "include/path.h"
+#include "include/policy.h"
+/* modified from dcache.c */
+static int prepend(char **buffer, int buflen, const char *str, int namelen)
+{
+        buflen -= namelen;
+        if (buflen < 0)
+                return -ENAMETOOLONG;
+        *buffer -= namelen;
+        memcpy(*buffer, str, namelen);
+        return 0;
+}
+#define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT)
+/**
+ * d_namespace_path - lookup a name associated with a given path
+ * @path: path to lookup  (NOT NULL)
+ * @buf:  buffer to store path to  (NOT NULL)
+ * @buflen: length of @buf
+ * @name: Returns - pointer for start of path name with in @buf (NOT NULL)
+ * @flags: flags controlling path lookup
+ *
+ * Handle path name lookup.
+ *
+ * Returns: %0 else error code if path lookup fails
+ *          When no error the path name is returned in @name which points to
+ *          to a position in @buf
+ */
+static int d_namespace_path(struct path *path, char *buf, int buflen,
+                            char **name, int flags)
+{
+        struct path root, tmp;
+        char *res;
+        int deleted, connected;
+        int error = 0;
+        /* Get the root we want to resolve too */
+        if (flags & PATH_CHROOT_REL) {
+                /* resolve paths relative to chroot */
+                read_lock(&current->fs->lock);
+                root = current->fs->root;
+                /* released below */
+                path_get(&root);
+                read_unlock(&current->fs->lock);
+        } else {
+                /* resolve paths relative to namespace */
+                root.mnt = current->nsproxy->mnt_ns->root;
+                root.dentry = root.mnt->mnt_root;
+                /* released below */
+                path_get(&root);
+        }
+        spin_lock(&dcache_lock);
+        /* There is a race window between path lookup here and the
+         * need to strip the " (deleted) string that __d_path applies
+         * Detect the race and relookup the path
+         *
+         * The stripping of (deleted) is a hack that could be removed
+         * with an updated __d_path
+         */
+        do {
+                tmp = root;
+                deleted = d_unlinked(path->dentry);
+                res = __d_path(path, &tmp, buf, buflen);
+        } while (deleted != d_unlinked(path->dentry));
+        spin_unlock(&dcache_lock);
+        *name = res;
+        /* handle error conditions - and still allow a partial path to
+         * be returned.
+         */
+        if (IS_ERR(res)) {
+                error = PTR_ERR(res);
+                *name = buf;
+                goto out;
+        }
+        if (deleted) {
+                /* On some filesystems, newly allocated dentries appear to the
+                 * security_path hooks as a deleted dentry except without an
+                 * inode allocated.
+                 *
+                 * Remove the appended deleted text and return as string for
+                 * normal mediation, or auditing.  The (deleted) string is
+                 * guaranteed to be added in this case, so just strip it.
+                 */
+                buf[buflen - 11] = 0;   /* - (len(" (deleted)") +\0) */
+                if (path->dentry->d_inode && !(flags & PATH_MEDIATE_DELETED)) {
+                        error = -ENOENT;
+                        goto out;
+                }
+        }
+        /* Determine if the path is connected to the expected root */
+        connected = tmp.dentry == root.dentry && tmp.mnt == root.mnt;
+        /* If the path is not connected,
+         * check if it is a sysctl and handle specially else remove any
+         * leading / that __d_path may have returned.
+         * Unless
+         *     specifically directed to connect the path,
+         * OR
+         *     if in a chroot and doing chroot relative paths and the path
+         *     resolves to the namespace root (would be connected outside
+         *     of chroot) and specifically directed to connect paths to
+         *     namespace root.
+         */
+        if (!connected) {
+                /* is the disconnect path a sysctl? */
+                if (tmp.dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
+                    strncmp(*name, "/sys/", 5) == 0) {
+                        /* TODO: convert over to using a per namespace
+                         * control instead of hard coded /proc
+                         */
+                        error = prepend(name, *name - buf, "/proc", 5);
+                } else if (!(flags & PATH_CONNECT_PATH) &&
+                           !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
+                             (tmp.mnt == current->nsproxy->mnt_ns->root &&
+                              tmp.dentry == tmp.mnt->mnt_root))) {
+                        /* disconnected path, don't return pathname starting
+                         * with '/'
+                         */
+                        error = -ESTALE;
+                        if (*res == '/')
+                                *name = res + 1;
+                }
+        }
+out:
+        path_put(&root);
+        return error;
+}
+/**
+ * get_name_to_buffer - get the pathname to a buffer ensure dir / is appended
+ * @path: path to get name for  (NOT NULL)
+ * @flags: flags controlling path lookup
+ * @buffer: buffer to put name in  (NOT NULL)
+ * @size: size of buffer
+ * @name: Returns - contains position of path name in @buffer (NOT NULL)
+ *
+ * Returns: %0 else error on failure
+ */
+static int get_name_to_buffer(struct path *path, int flags, char *buffer,
+                              int size, char **name)
+{
+        int adjust = (flags & PATH_IS_DIR) ? 1 : 0;
+        int error = d_namespace_path(path, buffer, size - adjust, name, flags);
+        if (!error && (flags & PATH_IS_DIR) && (*name)[1] != '\0')
+                /*
+                 * Append "/" to the pathname.  The root directory is a special
+                 * case; it already ends in slash.
+                 */
+                strcpy(&buffer[size - 2], "/");
+        return error;
+}
+/**
+ * aa_get_name - compute the pathname of a file
+ * @path: path the file  (NOT NULL)
+ * @flags: flags controlling path name generation
+ * @buffer: buffer that aa_get_name() allocated  (NOT NULL)
+ * @name: Returns - the generated path name if !error (NOT NULL)
+ *
+ * @name is a pointer to the beginning of the pathname (which usually differs
+ * from the beginning of the buffer), or NULL.  If there is an error @name
+ * may contain a partial or invalid name that can be used for audit purposes,
+ * but it can not be used for mediation.
+ *
+ * We need PATH_IS_DIR to indicate whether the file is a directory or not
+ * because the file may not yet exist, and so we cannot check the inode's
+ * file type.
+ *
+ * Returns: %0 else error code if could retrieve name
+ */
+int aa_get_name(struct path *path, int flags, char **buffer, const char **name)
+{
+        char *buf, *str = NULL;
+        int size = 256;
+        int error;
+        *name = NULL;
+        *buffer = NULL;
+        for (;;) {
+                /* freed by caller */
+                buf = kmalloc(size, GFP_KERNEL);
+                if (!buf)
+                        return -ENOMEM;
+                error = get_name_to_buffer(path, flags, buf, size, &str);
+                if (error != -ENAMETOOLONG)
+                        break;
+                kfree(buf);
+                size <<= 1;
+                if (size > aa_g_path_max)
+                        return -ENAMETOOLONG;
+        }
+        *buffer = buf;
+        *name = str;
+        return error;
+}

diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h new file mode 100644 index 000000000000..38ccaea08204 --- /dev/null +++ b/security/apparmor/include/apparmor.h
@@ -0,0 +1,92 @@
	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor basic global and lib definitions
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#ifndef __APPARMOR_H
	16	#define __APPARMOR_H
	17
	18	#include <linux/fs.h>
	19
	20	#include "match.h"
	21
	22	/* Control parameters settable through module/boot flags */
	23	extern enum audit_mode aa_g_audit;
	24	extern int aa_g_audit_header;
	25	extern int aa_g_debug;
	26	extern int aa_g_lock_policy;
	27	extern int aa_g_logsyscall;
	28	extern int aa_g_paranoid_load;
	29	extern unsigned int aa_g_path_max;
	30
	31	/*
	32	* DEBUG remains global (no per profile flag) since it is mostly used in sysctl
	33	* which is not related to profile accesses.
	34	*/
	35
	36	#define AA_DEBUG(fmt, args...) \
	37	do { \
	38	if (aa_g_debug && printk_ratelimit()) \
	39	printk(KERN_DEBUG "AppArmor: " fmt, ##args); \
	40	} while (0)
	41
	42	#define AA_ERROR(fmt, args...) \
	43	do { \
	44	if (printk_ratelimit()) \
	45	printk(KERN_ERR "AppArmor: " fmt, ##args); \
	46	} while (0)
	47
	48	/* Flag indicating whether initialization completed */
	49	extern int apparmor_initialized __initdata;
	50
	51	/* fn's in lib */
	52	char aa_split_fqname(char args, char **ns_name);
	53	void aa_info_message(const char *str);
	54	void *kvmalloc(size_t size);
	55	void kvfree(void *buffer);
	56
	57
	58	/**
	59	* aa_strneq - compare null terminated @str to a non null terminated substring
	60	* @str: a null terminated string
	61	* @sub: a substring, not necessarily null terminated
	62	* @len: length of @sub to compare
	63	*
	64	* The @str string must be full consumed for this to be considered a match
	65	*/
	66	static inline bool aa_strneq(const char str, const char sub, int len)
	67	{
	68	return !strncmp(str, sub, len) && !str[len];
	69	}
	70
	71	/**
	72	* aa_dfa_null_transition - step to next state after null character
	73	* @dfa: the dfa to match against
	74	* @start: the state of the dfa to start matching in
	75	*
	76	* aa_dfa_null_transition transitions to the next state after a null
	77	* character which is not used in standard matching and is only
	78	* used to separate pairs.
	79	*/
	80	static inline unsigned int aa_dfa_null_transition(struct aa_dfa *dfa,
	81	unsigned int start)
	82	{
	83	/* the null transition only needs the string's null terminator byte */
	84	return aa_dfa_match_len(dfa, start, "", 1);
	85	}
	86
	87	static inline bool mediated_filesystem(struct inode *inode)
	88	{
	89	return !(inode->i_sb->s_flags & MS_NOUSER);
	90	}
	91
	92	#endif /* __APPARMOR_H */


diff --git a/security/apparmor/include/path.h b/security/apparmor/include/path.h new file mode 100644 index 000000000000..27b327a7fae5 --- /dev/null +++ b/security/apparmor/include/path.h
@@ -0,0 +1,31 @@
	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor basic path manipulation function definitions.
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#ifndef __AA_PATH_H
	16	#define __AA_PATH_H
	17
	18
	19	enum path_flags {
	20	PATH_IS_DIR = 0x1, /* path is a directory */
	21	PATH_CONNECT_PATH = 0x4, /* connect disconnected paths to / */
	22	PATH_CHROOT_REL = 0x8, /* do path lookup relative to chroot */
	23	PATH_CHROOT_NSCONNECT = 0x10, /* connect paths that are at ns root */
	24
	25	PATH_DELEGATE_DELETED = 0x08000, /* delegate deleted files */
	26	PATH_MEDIATE_DELETED = 0x10000, /* mediate deleted paths */
	27	};
	28
	29	int aa_get_name(struct path path, int flags, char buffer, const char *name);
	30
	31	#endif /* __AA_PATH_H */


diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c new file mode 100644 index 000000000000..6e85cdb4303f --- /dev/null +++ b/security/apparmor/lib.c
@@ -0,0 +1,133 @@
	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains basic common functions used in AppArmor
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#include <linux/slab.h>
	16	#include <linux/string.h>
	17	#include <linux/vmalloc.h>
	18
	19	#include "include/audit.h"
	20
	21
	22	/**
	23	* aa_split_fqname - split a fqname into a profile and namespace name
	24	* @fqname: a full qualified name in namespace profile format (NOT NULL)
	25	* @ns_name: pointer to portion of the string containing the ns name (NOT NULL)
	26	*
	27	* Returns: profile name or NULL if one is not specified
	28	*
	29	* Split a namespace name from a profile name (see policy.c for naming
	30	* description). If a portion of the name is missing it returns NULL for
	31	* that portion.
	32	*
	33	* NOTE: may modify the @fqname string. The pointers returned point
	34	* into the @fqname string.
	35	*/
	36	char aa_split_fqname(char fqname, char **ns_name)
	37	{
	38	char *name = strim(fqname);
	39
	40	*ns_name = NULL;
	41	if (name[0] == ':') {
	42	char *split = strchr(&name[1], ':');
	43	if (split) {
	44	/* overwrite ':' with \0 */
	45	*split = 0;
	46	name = skip_spaces(split + 1);
	47	} else
	48	/* a ns name without a following profile is allowed */
	49	name = NULL;
	50	*ns_name = &name[1];
	51	}
	52	if (name && *name == 0)
	53	name = NULL;
	54
	55	return name;
	56	}
	57
	58	/**
	59	* aa_info_message - log a none profile related status message
	60	* @str: message to log
	61	*/
	62	void aa_info_message(const char *str)
	63	{
	64	if (audit_enabled) {
	65	struct common_audit_data sa;
	66	COMMON_AUDIT_DATA_INIT(&sa, NONE);
	67	sa.aad.info = str;
	68	aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, NULL);
	69	}
	70	printk(KERN_INFO "AppArmor: %s\n", str);
	71	}
	72
	73	/**
	74	* kvmalloc - do allocation preferring kmalloc but falling back to vmalloc
	75	* @size: size of allocation
	76	*
	77	* Return: allocated buffer or NULL if failed
	78	*
	79	* It is possible that policy being loaded from the user is larger than
	80	* what can be allocated by kmalloc, in those cases fall back to vmalloc.
	81	*/
	82	void *kvmalloc(size_t size)
	83	{
	84	void *buffer = NULL;
	85
	86	if (size == 0)
	87	return NULL;
	88
	89	/* do not attempt kmalloc if we need more than 16 pages at once */
	90	if (size <= (16*PAGE_SIZE))
	91	buffer = kmalloc(size, GFP_NOIO \| __GFP_NOWARN);
	92	if (!buffer) {
	93	/* see kvfree for why size must be at least work_struct size
	94	* when allocated via vmalloc
	95	*/
	96	if (size < sizeof(struct work_struct))
	97	size = sizeof(struct work_struct);
	98	buffer = vmalloc(size);
	99	}
	100	return buffer;
	101	}
	102
	103	/**
	104	* do_vfree - workqueue routine for freeing vmalloced memory
	105	* @work: data to be freed
	106	*
	107	* The work_struct is overlaid to the data being freed, as at the point
	108	* the work is scheduled the data is no longer valid, be its freeing
	109	* needs to be delayed until safe.
	110	*/
	111	static void do_vfree(struct work_struct *work)
	112	{
	113	vfree(work);
	114	}
	115
	116	/**
	117	* kvfree - free an allocation do by kvmalloc
	118	* @buffer: buffer to free (MAYBE_NULL)
	119	*
	120	* Free a buffer allocated by kvmalloc
	121	*/
	122	void kvfree(void *buffer)
	123	{
	124	if (is_vmalloc_addr(buffer)) {
	125	/* Data is no longer valid so just use the allocated space
	126	* as the work_struct
	127	*/
	128	struct work_struct work = (struct work_struct ) buffer;
	129	INIT_WORK(work, do_vfree);
	130	schedule_work(work);
	131	} else
	132	kfree(buffer);
	133	}


diff --git a/security/apparmor/path.c b/security/apparmor/path.c new file mode 100644 index 000000000000..96bab9469d48 --- /dev/null +++ b/security/apparmor/path.c
@@ -0,0 +1,235 @@
	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor function for pathnames
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#include <linux/magic.h>
	16	#include <linux/mnt_namespace.h>
	17	#include <linux/mount.h>
	18	#include <linux/namei.h>
	19	#include <linux/nsproxy.h>
	20	#include <linux/path.h>
	21	#include <linux/sched.h>
	22	#include <linux/slab.h>
	23	#include <linux/fs_struct.h>
	24
	25	#include "include/apparmor.h"
	26	#include "include/path.h"
	27	#include "include/policy.h"
	28
	29
	30	/* modified from dcache.c */
	31	static int prepend(char *buffer, int buflen, const char str, int namelen)
	32	{
	33	buflen -= namelen;
	34	if (buflen < 0)
	35	return -ENAMETOOLONG;
	36	*buffer -= namelen;
	37	memcpy(*buffer, str, namelen);
	38	return 0;
	39	}
	40
	41	#define CHROOT_NSCONNECT (PATH_CHROOT_REL \| PATH_CHROOT_NSCONNECT)
	42
	43	/**
	44	* d_namespace_path - lookup a name associated with a given path
	45	* @path: path to lookup (NOT NULL)
	46	* @buf: buffer to store path to (NOT NULL)
	47	* @buflen: length of @buf
	48	* @name: Returns - pointer for start of path name with in @buf (NOT NULL)
	49	* @flags: flags controlling path lookup
	50	*
	51	* Handle path name lookup.
	52	*
	53	* Returns: %0 else error code if path lookup fails
	54	* When no error the path name is returned in @name which points to
	55	* to a position in @buf
	56	*/
	57	static int d_namespace_path(struct path path, char buf, int buflen,
	58	char **name, int flags)
	59	{
	60	struct path root, tmp;
	61	char *res;
	62	int deleted, connected;
	63	int error = 0;
	64
	65	/* Get the root we want to resolve too */
	66	if (flags & PATH_CHROOT_REL) {
	67	/* resolve paths relative to chroot */
	68	read_lock(&current->fs->lock);
	69	root = current->fs->root;
	70	/* released below */
	71	path_get(&root);
	72	read_unlock(&current->fs->lock);
	73	} else {
	74	/* resolve paths relative to namespace */
	75	root.mnt = current->nsproxy->mnt_ns->root;
	76	root.dentry = root.mnt->mnt_root;
	77	/* released below */
	78	path_get(&root);
	79	}
	80
	81	spin_lock(&dcache_lock);
	82	/* There is a race window between path lookup here and the
	83	* need to strip the " (deleted) string that __d_path applies
	84	* Detect the race and relookup the path
	85	*
	86	* The stripping of (deleted) is a hack that could be removed
	87	* with an updated __d_path
	88	*/
	89	do {
	90	tmp = root;
	91	deleted = d_unlinked(path->dentry);
	92	res = __d_path(path, &tmp, buf, buflen);
	93
	94	} while (deleted != d_unlinked(path->dentry));
	95	spin_unlock(&dcache_lock);
	96
	97	*name = res;
	98	/* handle error conditions - and still allow a partial path to
	99	* be returned.
	100	*/
	101	if (IS_ERR(res)) {
	102	error = PTR_ERR(res);
	103	*name = buf;
	104	goto out;
	105	}
	106	if (deleted) {
	107	/* On some filesystems, newly allocated dentries appear to the
	108	* security_path hooks as a deleted dentry except without an
	109	* inode allocated.
	110	*
	111	* Remove the appended deleted text and return as string for
	112	* normal mediation, or auditing. The (deleted) string is
	113	* guaranteed to be added in this case, so just strip it.
	114	*/
	115	buf[buflen - 11] = 0; /* - (len(" (deleted)") +\0) */
	116
	117	if (path->dentry->d_inode && !(flags & PATH_MEDIATE_DELETED)) {
	118	error = -ENOENT;
	119	goto out;
	120	}
	121	}
	122
	123	/* Determine if the path is connected to the expected root */
	124	connected = tmp.dentry == root.dentry && tmp.mnt == root.mnt;
	125
	126	/* If the path is not connected,
	127	* check if it is a sysctl and handle specially else remove any
	128	* leading / that __d_path may have returned.
	129	* Unless
	130	* specifically directed to connect the path,
	131	* OR
	132	* if in a chroot and doing chroot relative paths and the path
	133	* resolves to the namespace root (would be connected outside
	134	* of chroot) and specifically directed to connect paths to
	135	* namespace root.
	136	*/
	137	if (!connected) {
	138	/* is the disconnect path a sysctl? */
	139	if (tmp.dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
	140	strncmp(*name, "/sys/", 5) == 0) {
	141	/* TODO: convert over to using a per namespace
	142	* control instead of hard coded /proc
	143	*/
	144	error = prepend(name, *name - buf, "/proc", 5);
	145	} else if (!(flags & PATH_CONNECT_PATH) &&
	146	!(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
	147	(tmp.mnt == current->nsproxy->mnt_ns->root &&
	148	tmp.dentry == tmp.mnt->mnt_root))) {
	149	/* disconnected path, don't return pathname starting
	150	* with '/'
	151	*/
	152	error = -ESTALE;
	153	if (*res == '/')
	154	*name = res + 1;
	155	}
	156	}
	157
	158	out:
	159	path_put(&root);
	160
	161	return error;
	162	}
	163
	164	/**
	165	* get_name_to_buffer - get the pathname to a buffer ensure dir / is appended
	166	* @path: path to get name for (NOT NULL)
	167	* @flags: flags controlling path lookup
	168	* @buffer: buffer to put name in (NOT NULL)
	169	* @size: size of buffer
	170	* @name: Returns - contains position of path name in @buffer (NOT NULL)
	171	*
	172	* Returns: %0 else error on failure
	173	*/
	174	static int get_name_to_buffer(struct path path, int flags, char buffer,
	175	int size, char **name)
	176	{
	177	int adjust = (flags & PATH_IS_DIR) ? 1 : 0;
	178	int error = d_namespace_path(path, buffer, size - adjust, name, flags);
	179
	180	if (!error && (flags & PATH_IS_DIR) && (*name)[1] != '\0')
	181	/*
	182	* Append "/" to the pathname. The root directory is a special
	183	* case; it already ends in slash.
	184	*/
	185	strcpy(&buffer[size - 2], "/");
	186
	187	return error;
	188	}
	189
	190	/**
	191	* aa_get_name - compute the pathname of a file
	192	* @path: path the file (NOT NULL)
	193	* @flags: flags controlling path name generation
	194	* @buffer: buffer that aa_get_name() allocated (NOT NULL)
	195	* @name: Returns - the generated path name if !error (NOT NULL)
	196	*
	197	* @name is a pointer to the beginning of the pathname (which usually differs
	198	* from the beginning of the buffer), or NULL. If there is an error @name
	199	* may contain a partial or invalid name that can be used for audit purposes,
	200	* but it can not be used for mediation.
	201	*
	202	* We need PATH_IS_DIR to indicate whether the file is a directory or not
	203	* because the file may not yet exist, and so we cannot check the inode's
	204	* file type.
	205	*
	206	* Returns: %0 else error code if could retrieve name
	207	*/
	208	int aa_get_name(struct path path, int flags, char buffer, const char *name)
	209	{
	210	char buf, str = NULL;
	211	int size = 256;
	212	int error;
	213
	214	*name = NULL;
	215	*buffer = NULL;
	216	for (;;) {
	217	/* freed by caller */
	218	buf = kmalloc(size, GFP_KERNEL);
	219	if (!buf)
	220	return -ENOMEM;
	221
	222	error = get_name_to_buffer(path, flags, buf, size, &str);
	223	if (error != -ENAMETOOLONG)
	224	break;
	225
	226	kfree(buf);
	227	size <<= 1;
	228	if (size > aa_g_path_max)
	229	return -ENAMETOOLONG;
	230	}
	231	*buffer = buf;
	232	*name = str;
	233
	234	return error;
	235	}