summaryrefslogtreecommitdiffstats
path: root/security/apparmor
diff options
context:
space:
mode:
Diffstat (limited to 'security/apparmor')
-rw-r--r--security/apparmor/apparmorfs.c4
-rw-r--r--security/apparmor/crypto.c32
-rw-r--r--security/apparmor/include/lib.h13
-rw-r--r--security/apparmor/lib.c34
-rw-r--r--security/apparmor/lsm.c53
-rw-r--r--security/apparmor/match.c2
-rw-r--r--security/apparmor/policy.c6
-rw-r--r--security/apparmor/policy_unpack.c2
8 files changed, 49 insertions, 97 deletions
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 41073f7..4f6ac9d 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -98,7 +98,7 @@ static struct aa_loaddata *aa_simple_write_to_buffer(const char __user *userbuf,
return ERR_PTR(-ESPIPE);
/* freed by caller to simple_write_to_buffer */
- data = kvmalloc(sizeof(*data) + alloc_size);
+ data = kvmalloc(sizeof(*data) + alloc_size, GFP_KERNEL);
if (data == NULL)
return ERR_PTR(-ENOMEM);
kref_init(&data->count);
@@ -1357,7 +1357,7 @@ static int aa_mk_null_file(struct dentry *parent)
inode->i_ino = get_next_ino();
inode->i_mode = S_IFCHR | S_IRUGO | S_IWUGO;
- inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME;
+ inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode);
init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO,
MKDEV(MEM_MAJOR, 3));
d_instantiate(dentry, inode);
diff --git a/security/apparmor/crypto.c b/security/apparmor/crypto.c
index de8dc78..136f2a0 100644
--- a/security/apparmor/crypto.c
+++ b/security/apparmor/crypto.c
@@ -31,10 +31,7 @@ unsigned int aa_hash_size(void)
char *aa_calc_hash(void *data, size_t len)
{
- struct {
- struct shash_desc shash;
- char ctx[crypto_shash_descsize(apparmor_tfm)];
- } desc;
+ SHASH_DESC_ON_STACK(desc, apparmor_tfm);
char *hash = NULL;
int error = -ENOMEM;
@@ -45,16 +42,16 @@ char *aa_calc_hash(void *data, size_t len)
if (!hash)
goto fail;
- desc.shash.tfm = apparmor_tfm;
- desc.shash.flags = 0;
+ desc->tfm = apparmor_tfm;
+ desc->flags = 0;
- error = crypto_shash_init(&desc.shash);
+ error = crypto_shash_init(desc);
if (error)
goto fail;
- error = crypto_shash_update(&desc.shash, (u8 *) data, len);
+ error = crypto_shash_update(desc, (u8 *) data, len);
if (error)
goto fail;
- error = crypto_shash_final(&desc.shash, hash);
+ error = crypto_shash_final(desc, hash);
if (error)
goto fail;
@@ -69,10 +66,7 @@ fail:
int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
size_t len)
{
- struct {
- struct shash_desc shash;
- char ctx[crypto_shash_descsize(apparmor_tfm)];
- } desc;
+ SHASH_DESC_ON_STACK(desc, apparmor_tfm);
int error = -ENOMEM;
__le32 le32_version = cpu_to_le32(version);
@@ -86,19 +80,19 @@ int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
if (!profile->hash)
goto fail;
- desc.shash.tfm = apparmor_tfm;
- desc.shash.flags = 0;
+ desc->tfm = apparmor_tfm;
+ desc->flags = 0;
- error = crypto_shash_init(&desc.shash);
+ error = crypto_shash_init(desc);
if (error)
goto fail;
- error = crypto_shash_update(&desc.shash, (u8 *) &le32_version, 4);
+ error = crypto_shash_update(desc, (u8 *) &le32_version, 4);
if (error)
goto fail;
- error = crypto_shash_update(&desc.shash, (u8 *) start, len);
+ error = crypto_shash_update(desc, (u8 *) start, len);
if (error)
goto fail;
- error = crypto_shash_final(&desc.shash, profile->hash);
+ error = crypto_shash_final(desc, profile->hash);
if (error)
goto fail;
diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
index 65ff492..550a700 100644
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -57,24 +57,13 @@
pr_err_ratelimited("AppArmor: " fmt, ##args)
/* Flag indicating whether initialization completed */
-extern int apparmor_initialized __initdata;
+extern int apparmor_initialized;
/* fn's in lib */
char *aa_split_fqname(char *args, char **ns_name);
const char *aa_splitn_fqname(const char *fqname, size_t n, const char **ns_name,
size_t *ns_len);
void aa_info_message(const char *str);
-void *__aa_kvmalloc(size_t size, gfp_t flags);
-
-static inline void *kvmalloc(size_t size)
-{
- return __aa_kvmalloc(size, 0);
-}
-
-static inline void *kvzalloc(size_t size)
-{
- return __aa_kvmalloc(size, __GFP_ZERO);
-}
/**
* aa_strneq - compare null terminated @str to a non null terminated substring
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index 66475bd..7cd788a 100644
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -129,36 +129,6 @@ void aa_info_message(const char *str)
}
/**
- * __aa_kvmalloc - do allocation preferring kmalloc but falling back to vmalloc
- * @size: how many bytes of memory are required
- * @flags: the type of memory to allocate (see kmalloc).
- *
- * Return: allocated buffer or NULL if failed
- *
- * It is possible that policy being loaded from the user is larger than
- * what can be allocated by kmalloc, in those cases fall back to vmalloc.
- */
-void *__aa_kvmalloc(size_t size, gfp_t flags)
-{
- void *buffer = NULL;
-
- if (size == 0)
- return NULL;
-
- /* do not attempt kmalloc if we need more than 16 pages at once */
- if (size <= (16*PAGE_SIZE))
- buffer = kmalloc(size, flags | GFP_KERNEL | __GFP_NORETRY |
- __GFP_NOWARN);
- if (!buffer) {
- if (flags & __GFP_ZERO)
- buffer = vzalloc(size);
- else
- buffer = vmalloc(size);
- }
- return buffer;
-}
-
-/**
* aa_policy_init - initialize a policy structure
* @policy: policy to initialize (NOT NULL)
* @prefix: prefix name if any is required. (MAYBE NULL)
@@ -180,13 +150,13 @@ bool aa_policy_init(struct aa_policy *policy, const char *prefix,
} else
policy->hname = kstrdup(name, gfp);
if (!policy->hname)
- return 0;
+ return false;
/* base.name is a substring of fqname */
policy->name = basename(policy->hname);
INIT_LIST_HEAD(&policy->list);
INIT_LIST_HEAD(&policy->profiles);
- return 1;
+ return true;
}
/**
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 709eacd..8f3c0f7 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -39,7 +39,7 @@
#include "include/procattr.h"
/* Flag indicating whether initialization completed */
-int apparmor_initialized __initdata;
+int apparmor_initialized;
DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
@@ -587,7 +587,7 @@ static int apparmor_task_setrlimit(struct task_struct *task,
return error;
}
-static struct security_hook_list apparmor_hooks[] = {
+static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
LSM_HOOK_INIT(capget, apparmor_capget),
@@ -681,7 +681,7 @@ module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
#endif
/* Debug mode */
-bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_DEBUG_MESSAGES);
+bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);
module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
/* Audit mode */
@@ -710,7 +710,7 @@ module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
/* Maximum pathname length before accesses will start getting rejected */
unsigned int aa_g_path_max = 2 * PATH_MAX;
-module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR);
+module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
/* Determines how paranoid loading of policy is and how much verification
* on the loaded policy is done.
@@ -738,78 +738,77 @@ __setup("apparmor=", apparmor_enabled_setup);
/* set global flag turning off the ability to load policy */
static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
{
- if (!policy_admin_capable(NULL))
+ if (!apparmor_enabled)
+ return -EINVAL;
+ if (apparmor_initialized && !policy_admin_capable(NULL))
return -EPERM;
return param_set_bool(val, kp);
}
static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
{
- if (!policy_view_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_view_capable(NULL))
+ return -EPERM;
return param_get_bool(buffer, kp);
}
static int param_set_aabool(const char *val, const struct kernel_param *kp)
{
- if (!policy_admin_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_admin_capable(NULL))
+ return -EPERM;
return param_set_bool(val, kp);
}
static int param_get_aabool(char *buffer, const struct kernel_param *kp)
{
- if (!policy_view_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_view_capable(NULL))
+ return -EPERM;
return param_get_bool(buffer, kp);
}
static int param_set_aauint(const char *val, const struct kernel_param *kp)
{
- if (!policy_admin_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_admin_capable(NULL))
+ return -EPERM;
return param_set_uint(val, kp);
}
static int param_get_aauint(char *buffer, const struct kernel_param *kp)
{
- if (!policy_view_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_view_capable(NULL))
+ return -EPERM;
return param_get_uint(buffer, kp);
}
static int param_get_audit(char *buffer, struct kernel_param *kp)
{
- if (!policy_view_capable(NULL))
- return -EPERM;
-
if (!apparmor_enabled)
return -EINVAL;
-
+ if (apparmor_initialized && !policy_view_capable(NULL))
+ return -EPERM;
return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
}
static int param_set_audit(const char *val, struct kernel_param *kp)
{
int i;
- if (!policy_admin_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
-
if (!val)
return -EINVAL;
+ if (apparmor_initialized && !policy_admin_capable(NULL))
+ return -EPERM;
for (i = 0; i < AUDIT_MAX_INDEX; i++) {
if (strcmp(val, audit_mode_names[i]) == 0) {
@@ -823,11 +822,10 @@ static int param_set_audit(const char *val, struct kernel_param *kp)
static int param_get_mode(char *buffer, struct kernel_param *kp)
{
- if (!policy_view_capable(NULL))
- return -EPERM;
-
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_view_capable(NULL))
+ return -EPERM;
return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
}
@@ -835,14 +833,13 @@ static int param_get_mode(char *buffer, struct kernel_param *kp)
static int param_set_mode(const char *val, struct kernel_param *kp)
{
int i;
- if (!policy_admin_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
-
if (!val)
return -EINVAL;
+ if (apparmor_initialized && !policy_admin_capable(NULL))
+ return -EPERM;
for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {
if (strcmp(val, aa_profile_mode_names[i]) == 0) {
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index eb0efef..960c913 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -88,7 +88,7 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
if (bsize < tsize)
goto out;
- table = kvzalloc(tsize);
+ table = kvzalloc(tsize, GFP_KERNEL);
if (table) {
table->td_id = th.td_id;
table->td_flags = th.td_flags;
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index def1fbd..cf9d670 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -876,9 +876,11 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile,
if (ns_name) {
ns = aa_prepare_ns(view, ns_name);
if (IS_ERR(ns)) {
+ op = OP_PROF_LOAD;
info = "failed to prepare namespace";
error = PTR_ERR(ns);
ns = NULL;
+ ent = NULL;
goto fail;
}
} else
@@ -1013,7 +1015,7 @@ fail_lock:
/* audit cause of failure */
op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
fail:
- audit_policy(profile, op, ns_name, ent->new->base.hname,
+ audit_policy(profile, op, ns_name, ent ? ent->new->base.hname : NULL,
info, error);
/* audit status that rest of profiles in the atomic set failed too */
info = "valid profile in failed atomic policy load";
@@ -1023,7 +1025,7 @@ fail:
/* skip entry that caused failure */
continue;
}
- op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
+ op = (!tmp->old) ? OP_PROF_LOAD : OP_PROF_REPL;
audit_policy(profile, op, ns_name,
tmp->new->base.hname, info, error);
}
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 2e37c9c..f3422a9 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -487,7 +487,7 @@ fail:
static void *kvmemdup(const void *src, size_t len)
{
- void *p = kvmalloc(len);
+ void *p = kvmalloc(len, GFP_KERNEL);
if (p)
memcpy(p, src, len);
OpenPOWER on IntegriCloud