return;
if (profile->file.dfa && *match_str == AA_CLASS_FILE) {
dfa = profile->file.dfa;
- state = aa_dfa_match_len(dfa, profile->file.start,
+ state = aa_dfa_match_len(dfa,
+ profile->file.start[AA_CLASS_FILE],
match_str + 1, match_len - 1);
if (state) {
struct path_cond cond = { };
{
struct aa_label *new = NULL;
const char *info = NULL, *name = NULL, *target = NULL;
- unsigned int state = profile->file.start;
+ unsigned int state = profile->file.start[AA_CLASS_FILE];
struct aa_perms perms = {};
bool nonewprivs = false;
int error = 0;
char *buffer, struct path_cond *cond,
bool *secure_exec)
{
- unsigned int state = profile->file.start;
+ unsigned int state = profile->file.start[AA_CLASS_FILE];
struct aa_perms perms = {};
const char *xname = NULL, *info = "change_profile onexec";
int error = -EACCES;
if (!error)
error = change_profile_perms(profile, target, stack, request,
- profile->file.start, perms);
+ profile->file.start[AA_CLASS_FILE],
+ perms);
if (error)
error = aa_audit_file(profile, perms, op, request, name,
NULL, target, GLOBAL_ROOT_UID, info,
* Returns: a pointer to a file permission set
*/
struct aa_perms default_perms = {};
-struct aa_perms *aa_lookup_fperms(struct aa_file_rules *file_rules,
+struct aa_perms *aa_lookup_fperms(struct aa_policydb *file_rules,
unsigned int state, struct path_cond *cond)
{
- if (!(file_rules->fperms_table))
+ if (!(file_rules->perms))
return &default_perms;
if (uid_eq(current_fsuid(), cond->uid))
- return &(file_rules->fperms_table[state * 2]);
+ return &(file_rules->perms[state * 2]);
- return &(file_rules->fperms_table[state * 2 + 1]);
+ return &(file_rules->perms[state * 2 + 1]);
}
/**
*
* Returns: the final state in @dfa when beginning @start and walking @name
*/
-unsigned int aa_str_perms(struct aa_file_rules *file_rules, unsigned int start,
+unsigned int aa_str_perms(struct aa_policydb *file_rules, unsigned int start,
const char *name, struct path_cond *cond,
struct aa_perms *perms)
{
if (profile_unconfined(profile))
return 0;
- aa_str_perms(&(profile->file), profile->file.start, name, cond, perms);
+ aa_str_perms(&(profile->file), profile->file.start[AA_CLASS_FILE],
+ name, cond, perms);
if (request & ~perms->allow)
e = -EACCES;
return aa_audit_file(profile, perms, op, request, name, NULL, NULL,
error = -EACCES;
/* aa_str_perms - handles the case of the dfa being NULL */
- state = aa_str_perms(&(profile->file), profile->file.start, lname,
+ state = aa_str_perms(&(profile->file),
+ profile->file.start[AA_CLASS_FILE], lname,
cond, &lperms);
if (!(lperms.allow & AA_MAY_LINK))
/* Do link perm subset test requiring allowed permission on link are
* a subset of the allowed permissions on target.
*/
- aa_str_perms(&(profile->file), profile->file.start, tname, cond,
- &perms);
+ aa_str_perms(&(profile->file), profile->file.start[AA_CLASS_FILE],
+ tname, cond, &perms);
/* AA_MAY_LINK is not considered in the subset test */
request = lperms.allow & ~AA_MAY_LINK;
#include "match.h"
#include "perms.h"
+struct aa_policydb;
struct aa_profile;
struct path;
const char *target, struct aa_label *tlabel, kuid_t ouid,
const char *info, int error);
-/**
- * struct aa_file_rules - components used for file rule permissions
- * @dfa: dfa to match path names and conditionals against
- * @perms: permission table indexed by the matched state accept entry of @dfa
- * @trans: transition table for indexed by named x transitions
- *
- * File permission are determined by matching a path against @dfa and
- * then using the value of the accept entry for the matching state as
- * an index into @perms. If a named exec transition is required it is
- * looked up in the transition table.
- */
-struct aa_file_rules {
- unsigned int start;
- struct aa_dfa *dfa;
- /* struct perms perms; */
- struct aa_domain trans;
- /* TODO: add delegate table */
- struct aa_perms *fperms_table;
-};
-
-struct aa_perms *aa_lookup_fperms(struct aa_file_rules *file_rules,
- unsigned int state, struct path_cond *cond);
-unsigned int aa_str_perms(struct aa_file_rules *file_rules, unsigned int start,
+struct aa_perms *aa_lookup_fperms(struct aa_policydb *file_rules,
+ unsigned int state, struct path_cond *cond);
+unsigned int aa_str_perms(struct aa_policydb *file_rules, unsigned int start,
const char *name, struct path_cond *cond,
struct aa_perms *perms);
void aa_inherit_files(const struct cred *cred, struct files_struct *files);
-static inline void aa_free_fperms_table(struct aa_perms *fperms_table)
-{
- if (fperms_table)
- kvfree(fperms_table);
-}
-
-static inline void aa_free_file_rules(struct aa_file_rules *rules)
-{
- aa_put_dfa(rules->dfa);
- aa_free_domain_entries(&rules->trans);
- aa_free_fperms_table(rules->fperms_table);
-}
/**
* aa_map_file_perms - map file flags to AppArmor permissions
* start: set of start states for the different classes of data
*/
struct aa_policydb {
- /* Generic policy DFA specific rule types will be subsections of it */
struct aa_dfa *dfa;
struct aa_perms *perms;
+ struct aa_domain trans;
unsigned int start[AA_CLASS_LAST + 1];
-
};
+static inline void aa_destroy_policydb(struct aa_policydb *policy)
+{
+ aa_put_dfa(policy->dfa);
+ if (policy->perms)
+ kvfree(policy->perms);
+ aa_free_domain_entries(&policy->trans);
+
+}
+
/* struct aa_data - generic data structure
* key: name for retrieving this data
* size: size of data in bytes
int size;
struct aa_policydb policy;
- struct aa_file_rules file;
+ struct aa_policydb file;
struct aa_caps caps;
int xattr_count;
aa_put_ns(profile->ns);
kfree_sensitive(profile->rename);
- aa_free_file_rules(&profile->file);
+ aa_destroy_policydb(&profile->file);
aa_free_cap_rules(&profile->caps);
aa_free_rlimit_rules(&profile->rlimits);
kfree_sensitive(profile->dirname);
aa_put_dfa(profile->xmatch);
kvfree(profile->xmatch_perms);
- aa_put_dfa(profile->policy.dfa);
- kvfree(profile->policy.perms);
+ aa_destroy_policydb(&profile->policy);
if (profile->data) {
rht = profile->data;
profile->data = NULL;
info = "failed to unpack profile file rules";
goto fail;
} else if (profile->file.dfa) {
- if (!unpack_u32(e, &profile->file.start, "dfa_start"))
+ if (!unpack_u32(e, &profile->file.start[AA_CLASS_FILE],
+ "dfa_start"))
/* default start state */
- profile->file.start = DFA_START;
+ profile->file.start[AA_CLASS_FILE] = DFA_START;
} else if (profile->policy.dfa &&
profile->policy.start[AA_CLASS_FILE]) {
profile->file.dfa = aa_get_dfa(profile->policy.dfa);
- profile->file.start = profile->policy.start[AA_CLASS_FILE];
+ profile->file.start[AA_CLASS_FILE] = profile->policy.start[AA_CLASS_FILE];
} else
profile->file.dfa = aa_get_dfa(nulldfa);
- profile->file.fperms_table = compute_fperms(profile->file.dfa);
- if (!profile->file.fperms_table) {
+ profile->file.perms = compute_fperms(profile->file.dfa);
+ if (!profile->file.perms) {
info = "failed to remap file permission table";
goto fail;
}
projects / thirdparty / kernel / linux.git / commitdiff
