76 #include <linux/slab.h>
78 #include <linux/string.h>
108 static const char *hname_tail(
const char *hname)
111 hname =
strim((
char *)hname);
142 policy->
name = (
char *)hname_tail(policy->
hname);
143 INIT_LIST_HEAD(&policy->
list);
145 kref_init(&policy->
count);
154 static void policy_destroy(
struct aa_policy *policy)
157 if (!list_empty(&policy->
profiles)) {
159 "policy '%s' still contains profiles\n",
160 __func__, policy->
name);
163 if (!list_empty(&policy->
list)) {
164 AA_ERROR(
"%s: internal error, policy '%s' still on list\n",
165 __func__, policy->
name);
207 const char *
str,
int len)
212 if (aa_strneq(policy->
name, str, len))
223 static const char *hidden_ns_name =
"---";
236 for ( ; view; view = view->
parent) {
265 return hidden_ns_name;
275 static struct aa_namespace *alloc_namespace(
const char *prefix,
284 if (!policy_init(&ns->
base, prefix, name))
287 INIT_LIST_HEAD(&ns->
sub_ns);
293 goto fail_unconfined;
327 policy_destroy(&ns->
base);
328 aa_put_namespace(ns->
parent);
358 return (
struct aa_namespace *)__policy_find(head, name);
377 ns = aa_get_namespace(__aa_find_namespace(&root->
sub_ns, name));
389 static struct aa_namespace *aa_prepare_namespace(
const char *name)
393 root = aa_current_profile()->ns;
400 ns = aa_get_namespace(root);
406 ns = aa_get_namespace(__aa_find_namespace(&root->
sub_ns, name));
411 new_ns = alloc_namespace(root->
base.hname, name);
416 ns = __aa_find_namespace(&root->
sub_ns, name);
419 new_ns->
parent = aa_get_namespace(root);
423 ns = aa_get_namespace(new_ns);
426 free_namespace(new_ns);
428 aa_get_namespace(ns);
450 list_add(&profile->
base.list, list);
452 aa_get_profile(profile);
469 list_del_init(&profile->
base.list);
472 aa_put_profile(profile);
493 policy = &old->
parent->base;
495 policy = &old->
ns->base;
498 new->parent = aa_get_profile(old->
parent);
499 new->ns = aa_get_namespace(old->
ns);
501 __list_add_profile(&policy->
profiles,
new);
504 aa_put_profile(child->
parent);
505 child->
parent = aa_get_profile(
new);
507 list_move(&child->
base.list, &new->base.profiles);
512 __list_remove_profile(old);
515 static void __profile_list_release(
struct list_head *head);
523 static void __remove_profile(
struct aa_profile *profile)
526 __profile_list_release(&profile->
base.profiles);
528 profile->
replacedby = aa_get_profile(profile->
ns->unconfined);
529 __list_remove_profile(profile);
538 static void __profile_list_release(
struct list_head *head)
542 __remove_profile(profile);
558 __profile_list_release(&ns->base.profiles);
561 __ns_list_release(&ns->sub_ns);
577 list_del_init(&ns->
base.list);
588 destroy_namespace(ns);
591 aa_put_profile(unconfined);
593 aa_put_namespace(ns);
602 static void __ns_list_release(
struct list_head *head)
606 __remove_namespace(ns);
619 root_ns = alloc_namespace(
NULL,
"root");
634 destroy_namespace(ns);
635 aa_put_namespace(ns);
649 profile = kzalloc(
sizeof(*profile),
GFP_KERNEL);
653 if (!policy_init(&profile->
base,
NULL, hname)) {
686 sprintf(name,
"%s//null-%x", parent->
base.hname, sid);
700 profile->
parent = aa_get_profile(parent);
701 profile->
ns = aa_get_namespace(parent->
ns);
704 __list_add_profile(&parent->
base.profiles, profile);
725 static void free_profile(
struct aa_profile *profile)
729 AA_DEBUG(
"%s(%p)\n", __func__, profile);
734 if (!list_empty(&profile->
base.list)) {
736 "profile '%s' still on ns list\n",
737 __func__, profile->
base.name);
742 policy_destroy(&profile->
base);
743 aa_put_profile(profile->
parent);
745 aa_put_namespace(profile->
ns);
748 aa_free_file_rules(&profile->
file);
749 aa_free_cap_rules(&profile->
caps);
750 aa_free_rlimit_rules(&profile->
rlimits);
753 aa_put_dfa(profile->
xmatch);
754 aa_put_dfa(profile->
policy.dfa);
806 return (
struct aa_profile *)__policy_find(head, name);
820 const char *name,
int len)
822 return (
struct aa_profile *)__policy_strn_find(head, name, len);
837 profile = aa_get_profile(__find_child(&parent->
base.profiles, name));
867 profile = __strn_find_child(&policy->
profiles, hname,
871 policy = &profile->
base;
873 split =
strstr(hname,
"//");
877 return &profile->
base;
898 profile = __strn_find_child(&base->
profiles, hname,
903 base = &profile->
base;
905 split =
strstr(hname,
"//");
908 profile = __find_child(&base->
profiles, hname);
925 profile = aa_get_profile(__lookup_profile(&ns->
base, hname));
929 if (!profile &&
strcmp(hname,
"unconfined") == 0)
944 static int replacement_allowed(
struct aa_profile *profile,
int noreplace,
949 *info =
"cannot replace immutible profile";
951 }
else if (noreplace) {
952 *info =
"profile already exists";
970 if (policy != &ns->
base)
973 __list_add_profile(&policy->
profiles, profile);
976 profile->
ns = aa_get_namespace(ns);
989 static int audit_policy(
int op,
gfp_t gfp,
const char *name,
const char *info,
1045 const char *ns_name, *name =
NULL, *info =
NULL;
1050 new_profile =
aa_unpack(udata, size, &ns_name);
1051 if (IS_ERR(new_profile)) {
1052 error = PTR_ERR(new_profile);
1058 ns = aa_prepare_namespace(ns_name);
1060 info =
"failed to prepare namespace";
1066 name = new_profile->base.hname;
1070 policy = __lookup_parent(ns, new_profile->
base.hname);
1073 info =
"parent does not exist";
1078 old_profile = __find_child(&policy->
profiles, new_profile->base.name);
1080 aa_get_profile(old_profile);
1082 if (new_profile->rename) {
1083 rename_profile = __lookup_profile(&ns->
base,
1084 new_profile->rename);
1086 aa_get_profile(rename_profile);
1088 if (!rename_profile) {
1089 info =
"profile to rename does not exist";
1090 name = new_profile->rename;
1096 error = replacement_allowed(old_profile, noreplace, &info);
1100 error = replacement_allowed(rename_profile, noreplace, &info);
1105 if (!old_profile && !rename_profile)
1108 error = audit_policy(op,
GFP_ATOMIC, name, info, error);
1112 __replace_profile(rename_profile, new_profile);
1119 __replace_profile(old_profile, new_profile);
1121 if (!(old_profile || rename_profile))
1122 __add_new_profile(ns, policy, new_profile);
1127 aa_put_namespace(ns);
1128 aa_put_profile(rename_profile);
1129 aa_put_profile(old_profile);
1130 aa_put_profile(new_profile);
1136 error = audit_policy(op,
GFP_KERNEL, name, info, error);
1156 const char *name = fqname, *info =
NULL;
1160 info =
"no profile specified";
1165 root = aa_current_profile()->ns;
1167 if (fqname[0] ==
':') {
1174 info =
"namespace does not exist";
1181 ns = aa_get_namespace(root);
1186 __remove_namespace(ns);
1191 profile = aa_get_profile(__lookup_profile(&ns->
base, name));
1194 info =
"profile does not exist";
1197 name = profile->
base.hname;
1198 __remove_profile(profile);
1204 aa_put_namespace(ns);
1205 aa_put_profile(profile);
1210 aa_put_namespace(ns);