1 // SPDX-License-Identifier: GPL-2.0-only
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
34 #include "include/label.h"
80 aa_put_loaddata(private->loaddata); in rawdata_f_data_free()
88 if (size > SIZE_MAX - sizeof(*ret)) in rawdata_f_data_alloc()
89 return ERR_PTR(-EINVAL); in rawdata_f_data_alloc()
93 return ERR_PTR(-ENOMEM); in rawdata_f_data_alloc()
99 * mangle_name - mangle a profile name to std profile layout form
118 else if (isalnum(*name) || strchr("._-", *name)) in mangle_name()
127 strchr("/._-", *name)) in mangle_name()
134 return t - target; in mangle_name()
139 * aafs - core fns and data for the policy tree
149 seq_printf(seq, "%s:[%lu]", AAFS_NAME, d_inode(dentry)->i_ino); in aafs_show_path()
155 if (S_ISLNK(inode->i_mode)) in aafs_free_inode()
156 kfree(inode->i_link); in aafs_free_inode()
174 sb->s_op = &aafs_super_ops; in apparmorfs_fill_super()
190 fc->ops = &apparmorfs_context_ops; in apparmorfs_init_fs_context()
202 * __aafs_setup_d_inode - basic inode setup for apparmorfs
216 struct inode *inode = new_inode(dir->i_sb); in __aafs_setup_d_inode()
222 return -ENOMEM; in __aafs_setup_d_inode()
224 inode->i_ino = get_next_ino(); in __aafs_setup_d_inode()
225 inode->i_mode = mode; in __aafs_setup_d_inode()
226 inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode); in __aafs_setup_d_inode()
227 inode->i_private = data; in __aafs_setup_d_inode()
229 inode->i_op = iops ? iops : &simple_dir_inode_operations; in __aafs_setup_d_inode()
230 inode->i_fop = &simple_dir_operations; in __aafs_setup_d_inode()
234 inode->i_op = iops ? iops : &simple_symlink_inode_operations; in __aafs_setup_d_inode()
235 inode->i_link = link; in __aafs_setup_d_inode()
237 inode->i_fop = fops; in __aafs_setup_d_inode()
246 * aafs_create - create a dentry in the apparmorfs filesystem
290 error = -EEXIST; in aafs_create()
312 * aafs_create_file - create a file in the apparmorfs filesystem
330 * aafs_create_dir - create a directory in the apparmorfs filesystem
344 * aafs_remove - removes a file or directory from the apparmorfs filesystem
355 dir = d_inode(dentry->d_parent); in aafs_remove()
371 * aa_fs - policy load/replace/remove
375 * aa_simple_write_to_buffer - common routine for getting policy from user
395 return ERR_PTR(-ESPIPE); in aa_simple_write_to_buffer()
402 data->size = copy_size; in aa_simple_write_to_buffer()
403 if (copy_from_user(data->data, userbuf, copy_size)) { in aa_simple_write_to_buffer()
405 return ERR_PTR(-EFAULT); in aa_simple_write_to_buffer()
415 struct aa_label *label; in policy_update() local
418 label = begin_current_label_crit_section(); in policy_update()
420 /* high level check about policy management - fine grained in in policy_update()
423 error = aa_may_manage_policy(label, ns, mask); in policy_update()
430 error = aa_replace_profiles(ns, label, mask, data); in policy_update()
434 end_current_label_crit_section(label); in policy_update()
443 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); in profile_load()
460 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); in profile_replace()
478 struct aa_label *label; in profile_remove() local
480 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); in profile_remove()
482 label = begin_current_label_crit_section(); in profile_remove()
483 /* high level check about policy management - fine grained in in profile_remove()
486 error = aa_may_manage_policy(label, ns, AA_MAY_REMOVE_POLICY); in profile_remove()
498 data->data[size] = 0; in profile_remove()
499 error = aa_remove_profiles(ns, label, data->data, size); in profile_remove()
503 end_current_label_crit_section(label); in profile_remove()
518 /* revision file hook fn for policy loads */
521 struct aa_revision *rev = file->private_data; in ns_revision_release()
524 aa_put_ns(rev->ns); in ns_revision_release()
534 struct aa_revision *rev = file->private_data; in ns_revision_read()
539 mutex_lock_nested(&rev->ns->lock, rev->ns->level); in ns_revision_read()
540 last_read = rev->last_read; in ns_revision_read()
541 if (last_read == rev->ns->revision) { in ns_revision_read()
542 mutex_unlock(&rev->ns->lock); in ns_revision_read()
543 if (file->f_flags & O_NONBLOCK) in ns_revision_read()
544 return -EAGAIN; in ns_revision_read()
545 if (wait_event_interruptible(rev->ns->wait, in ns_revision_read()
547 READ_ONCE(rev->ns->revision))) in ns_revision_read()
548 return -ERESTARTSYS; in ns_revision_read()
549 mutex_lock_nested(&rev->ns->lock, rev->ns->level); in ns_revision_read()
552 avail = sprintf(buffer, "%ld\n", rev->ns->revision); in ns_revision_read()
554 rev->last_read = rev->ns->revision; in ns_revision_read()
557 mutex_unlock(&rev->ns->lock); in ns_revision_read()
567 return -ENOMEM; in ns_revision_open()
569 rev->ns = aa_get_ns(inode->i_private); in ns_revision_open()
570 if (!rev->ns) in ns_revision_open()
571 rev->ns = aa_get_current_ns(); in ns_revision_open()
572 file->private_data = rev; in ns_revision_open()
579 struct aa_revision *rev = file->private_data; in ns_revision_poll()
583 mutex_lock_nested(&rev->ns->lock, rev->ns->level); in ns_revision_poll()
584 poll_wait(file, &rev->ns->wait, pt); in ns_revision_poll()
585 if (rev->last_read < rev->ns->revision) in ns_revision_poll()
587 mutex_unlock(&rev->ns->lock); in ns_revision_poll()
595 WRITE_ONCE(ns->revision, READ_ONCE(ns->revision) + 1); in __aa_bump_ns_revision()
596 wake_up_interruptible(&ns->wait); in __aa_bump_ns_revision()
617 if (profile->file.dfa && *match_str == AA_CLASS_FILE) { in profile_query_cb()
618 dfa = profile->file.dfa; in profile_query_cb()
619 state = aa_dfa_match_len(dfa, profile->file.start, in profile_query_cb()
620 match_str + 1, match_len - 1); in profile_query_cb()
626 } else if (profile->policy.dfa) { in profile_query_cb()
629 dfa = profile->policy.dfa; in profile_query_cb()
630 state = aa_dfa_match_len(dfa, profile->policy.start[0], in profile_query_cb()
641 * query_data - queries a policy and writes its data to buf
650 * The query should look like "<LABEL>\0<KEY>\0", where <LABEL> is the name of
652 * retrieve. The \0 after each is a required terminator (the key's NUL must fall within query_len, see the check below); <LABEL> and <KEY> themselves must not contain embedded NUL bytes.
656 * Returns: number of characters written to buf or -errno on failure
664 struct aa_label *label, *curr; in query_data() local
671 return -EINVAL; /* need a query */ in query_data()
675 return -EINVAL; /* not enough space for a non-empty key */ in query_data()
676 if (key + strnlen(key, query + query_len - key) >= query + query_len) in query_data()
677 return -EINVAL; /* must end with NUL */ in query_data()
680 return -EINVAL; /* not enough space */ in query_data()
683 label = aa_label_parse(curr, query, GFP_KERNEL, false, false); in query_data()
685 if (IS_ERR(label)) in query_data()
686 return PTR_ERR(label); in query_data()
700 label_for_each_confined(i, label, profile) { in query_data()
701 if (!profile->data) in query_data()
704 data = rhashtable_lookup_fast(profile->data, &key, in query_data()
705 profile->data->p); in query_data()
708 if (out + sizeof(outle32) + data->size > buf + in query_data()
710 aa_put_label(label); in query_data()
711 return -EINVAL; /* not enough space */ in query_data()
713 outle32 = __cpu_to_le32(data->size); in query_data()
716 memcpy(out, data->data, data->size); in query_data()
717 out += data->size; in query_data()
721 aa_put_label(label); in query_data()
723 outle32 = __cpu_to_le32(out - buf - sizeof(bytes)); in query_data()
728 return out - buf; in query_data()
732 * query_label - queries a label and writes permissions to buf
743 * the name of the label, in the current namespace, that is to be queried and
744 * DFA_STRING is a binary string to match against the label(s)'s DFA.
749 * Returns: number of characters written to buf or -errno on failure
755 struct aa_label *label, *curr; in query_label() local
762 return -EINVAL; in query_label()
767 return -EINVAL; in query_label()
776 match_len = query_len - label_name_len - 1; in query_label()
779 label = aa_label_parse(curr, label_name, GFP_KERNEL, false, false); in query_label()
781 if (IS_ERR(label)) in query_label()
782 return PTR_ERR(label); in query_label()
786 label_for_each_in_ns(i, labels_ns(label), label, profile) { in query_label()
790 label_for_each(i, label, profile) { in query_label()
794 aa_put_label(label); in query_label()
804 * possibly a read(s) which collects the result - which is stored in a
805 * file-local buffer. Once a new write is performed, a new set of results
806 * are stored in the file-local buffer.
814 #define MULTI_TRANSACTION_LIMIT (PAGE_SIZE - sizeof(struct multi_transaction))
830 kref_get(&(t->count)); in get_multi_transaction()
838 kref_put(&(t->count), multi_transaction_kref); in put_multi_transaction()
849 new->size = n; in multi_transaction_set()
851 old = (struct multi_transaction *) file->private_data; in multi_transaction_set()
852 file->private_data = new; in multi_transaction_set()
863 if (size > MULTI_TRANSACTION_LIMIT - 1) in multi_transaction_new()
864 return ERR_PTR(-EFBIG); in multi_transaction_new()
868 return ERR_PTR(-ENOMEM); in multi_transaction_new()
869 kref_init(&t->count); in multi_transaction_new()
870 if (copy_from_user(t->data, buf, size)) { in multi_transaction_new()
872 return ERR_PTR(-EFAULT); in multi_transaction_new()
885 t = get_multi_transaction(file->private_data); in multi_transaction_read()
890 ret = simple_read_from_buffer(buf, size, pos, t->data, t->size); in multi_transaction_read()
898 put_multi_transaction(file->private_data); in multi_transaction_release()
903 #define QUERY_CMD_LABEL "label\0"
913 * aa_write_access - generic permissions and data query
920 * sequence. The only queries currently supported are label-based queries for
923 * For permissions queries, ubuf must begin with "label\0", followed by the
927 * For data queries, ubuf must have the form "data\0<LABEL>\0<KEY>\0", where
928 * <LABEL> is the name of the security confinement context and <KEY> is the
931 * Returns: number of bytes written or -errno on failure
940 return -ESPIPE; in aa_write_access()
947 !memcmp(t->data, QUERY_CMD_PROFILE, QUERY_CMD_PROFILE_LEN)) { in aa_write_access()
948 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, in aa_write_access()
949 t->data + QUERY_CMD_PROFILE_LEN, in aa_write_access()
950 count - QUERY_CMD_PROFILE_LEN, true); in aa_write_access()
952 !memcmp(t->data, QUERY_CMD_LABEL, QUERY_CMD_LABEL_LEN)) { in aa_write_access()
953 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, in aa_write_access()
954 t->data + QUERY_CMD_LABEL_LEN, in aa_write_access()
955 count - QUERY_CMD_LABEL_LEN, true); in aa_write_access()
957 !memcmp(t->data, QUERY_CMD_LABELALL, in aa_write_access()
959 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, in aa_write_access()
960 t->data + QUERY_CMD_LABELALL_LEN, in aa_write_access()
961 count - QUERY_CMD_LABELALL_LEN, false); in aa_write_access()
963 !memcmp(t->data, QUERY_CMD_DATA, QUERY_CMD_DATA_LEN)) { in aa_write_access()
964 len = query_data(t->data, MULTI_TRANSACTION_LIMIT, in aa_write_access()
965 t->data + QUERY_CMD_DATA_LEN, in aa_write_access()
966 count - QUERY_CMD_DATA_LEN); in aa_write_access()
968 len = -EINVAL; in aa_write_access()
989 struct aa_sfs_entry *fs_file = seq->private; in aa_sfs_seq_show()
994 switch (fs_file->v_type) { in aa_sfs_seq_show()
996 seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no"); in aa_sfs_seq_show()
999 seq_printf(seq, "%s\n", fs_file->v.string); in aa_sfs_seq_show()
1002 seq_printf(seq, "%#08lx\n", fs_file->v.u64); in aa_sfs_seq_show()
1014 return single_open(file, aa_sfs_seq_show, inode->i_private); in aa_sfs_seq_open()
1047 struct aa_proxy *proxy = aa_get_proxy(inode->i_private); in seq_profile_open()
1051 file->private_data = NULL; in seq_profile_open()
1060 struct seq_file *seq = (struct seq_file *) file->private_data; in seq_profile_release()
1062 aa_put_proxy(seq->private); in seq_profile_release()
1068 struct aa_proxy *proxy = seq->private; in seq_profile_name_show()
1069 struct aa_label *label = aa_get_label_rcu(&proxy->label); in seq_profile_name_show() local
1070 struct aa_profile *profile = labels_profile(label); in seq_profile_name_show()
1071 seq_printf(seq, "%s\n", profile->base.name); in seq_profile_name_show()
1072 aa_put_label(label); in seq_profile_name_show()
1079 struct aa_proxy *proxy = seq->private; in seq_profile_mode_show()
1080 struct aa_label *label = aa_get_label_rcu(&proxy->label); in seq_profile_mode_show() local
1081 struct aa_profile *profile = labels_profile(label); in seq_profile_mode_show()
1082 seq_printf(seq, "%s\n", aa_profile_mode_names[profile->mode]); in seq_profile_mode_show()
1083 aa_put_label(label); in seq_profile_mode_show()
1090 struct aa_proxy *proxy = seq->private; in seq_profile_attach_show()
1091 struct aa_label *label = aa_get_label_rcu(&proxy->label); in seq_profile_attach_show() local
1092 struct aa_profile *profile = labels_profile(label); in seq_profile_attach_show()
1093 if (profile->attach) in seq_profile_attach_show()
1094 seq_printf(seq, "%s\n", profile->attach); in seq_profile_attach_show()
1095 else if (profile->xmatch) in seq_profile_attach_show()
1098 seq_printf(seq, "%s\n", profile->base.name); in seq_profile_attach_show()
1099 aa_put_label(label); in seq_profile_attach_show()
1106 struct aa_proxy *proxy = seq->private; in seq_profile_hash_show()
1107 struct aa_label *label = aa_get_label_rcu(&proxy->label); in seq_profile_hash_show() local
1108 struct aa_profile *profile = labels_profile(label); in seq_profile_hash_show()
1111 if (profile->hash) { in seq_profile_hash_show()
1113 seq_printf(seq, "%.2x", profile->hash[i]); in seq_profile_hash_show()
1116 aa_put_label(label); in seq_profile_hash_show()
1135 return single_open(file, seq_ns_ ##NAME ##_show, inode->i_private); \
1148 struct aa_label *label; in seq_ns_stacked_show() local
1150 label = begin_current_label_crit_section(); in seq_ns_stacked_show()
1151 seq_printf(seq, "%s\n", label->size > 1 ? "yes" : "no"); in seq_ns_stacked_show()
1152 end_current_label_crit_section(label); in seq_ns_stacked_show()
1159 struct aa_label *label; in seq_ns_nsstacked_show() local
1164 label = begin_current_label_crit_section(); in seq_ns_nsstacked_show()
1166 if (label->size > 1) { in seq_ns_nsstacked_show()
1167 label_for_each(it, label, profile) in seq_ns_nsstacked_show()
1168 if (profile->ns != labels_ns(label)) { in seq_ns_nsstacked_show()
1175 end_current_label_crit_section(label); in seq_ns_nsstacked_show()
1182 struct aa_label *label; in seq_ns_level_show() local
1184 label = begin_current_label_crit_section(); in seq_ns_level_show()
1185 seq_printf(seq, "%d\n", labels_ns(label)->level); in seq_ns_level_show()
1186 end_current_label_crit_section(label); in seq_ns_level_show()
1193 struct aa_label *label = begin_current_label_crit_section(); in seq_ns_name_show() local
1194 seq_printf(seq, "%s\n", labels_ns(label)->base.name); in seq_ns_name_show()
1195 end_current_label_crit_section(label); in seq_ns_name_show()
1225 struct aa_loaddata *data = __aa_get_loaddata(inode->i_private); in seq_rawdata_open()
1230 return -ENOENT; in seq_rawdata_open()
1234 AA_BUG(file->private_data && in seq_rawdata_open()
1235 ((struct seq_file *)file->private_data)->private); in seq_rawdata_open()
1244 struct seq_file *seq = (struct seq_file *) file->private_data; in seq_rawdata_release()
1247 aa_put_loaddata(seq->private); in seq_rawdata_release()
1254 struct aa_loaddata *data = seq->private; in seq_rawdata_abi_show()
1256 seq_printf(seq, "v%d\n", data->abi); in seq_rawdata_abi_show()
1263 struct aa_loaddata *data = seq->private; in seq_rawdata_revision_show()
1265 seq_printf(seq, "%ld\n", data->revision); in seq_rawdata_revision_show()
1272 struct aa_loaddata *data = seq->private; in seq_rawdata_hash_show()
1275 if (data->hash) { in seq_rawdata_hash_show()
1277 seq_printf(seq, "%.2x", data->hash[i]); in seq_rawdata_hash_show()
1286 struct aa_loaddata *data = seq->private; in seq_rawdata_compressed_size_show()
1288 seq_printf(seq, "%zu\n", data->compressed_size); in seq_rawdata_compressed_size_show()
1294 SEQ_RAWDATA_FOPS(revision);
1305 return -EINVAL; in deflate_decompress()
1314 return -ENOMEM; in deflate_decompress()
1321 error = -ENOMEM; in deflate_decompress()
1330 error = -EINVAL; in deflate_decompress()
1343 struct rawdata_f_data *private = file->private_data; in rawdata_read()
1347 private->loaddata->size); in rawdata_read()
1352 rawdata_f_data_free(file->private_data); in rawdata_release()
1364 return -EACCES; in rawdata_open()
1366 loaddata = __aa_get_loaddata(inode->i_private); in rawdata_open()
1369 return -ENOENT; in rawdata_open()
1371 private = rawdata_f_data_alloc(loaddata->size); in rawdata_open()
1377 private->loaddata = loaddata; in rawdata_open()
1379 error = deflate_decompress(loaddata->data, loaddata->compressed_size, in rawdata_open()
1381 loaddata->size); in rawdata_open()
1385 file->private_data = private; in rawdata_open()
1409 if (!IS_ERR_OR_NULL(rawdata->dents[i])) { in remove_rawdata_dents()
1411 aafs_remove(rawdata->dents[i]); in remove_rawdata_dents()
1412 rawdata->dents[i] = NULL; in remove_rawdata_dents()
1419 AA_BUG(rawdata->ns && !mutex_is_locked(&rawdata->ns->lock)); in __aa_fs_remove_rawdata()
1421 if (rawdata->ns) { in __aa_fs_remove_rawdata()
1423 list_del_init(&rawdata->list); in __aa_fs_remove_rawdata()
1424 aa_put_ns(rawdata->ns); in __aa_fs_remove_rawdata()
1425 rawdata->ns = NULL; in __aa_fs_remove_rawdata()
1435 AA_BUG(!mutex_is_locked(&ns->lock)); in __aa_fs_create_rawdata()
1439 * just use ns revision dir was originally created at. This is in __aa_fs_create_rawdata()
1440 * under ns->lock and if load is successful revision will be in __aa_fs_create_rawdata()
1443 rawdata->name = kasprintf(GFP_KERNEL, "%ld", ns->revision); in __aa_fs_create_rawdata()
1444 if (!rawdata->name) in __aa_fs_create_rawdata()
1445 return -ENOMEM; in __aa_fs_create_rawdata()
1447 dir = aafs_create_dir(rawdata->name, ns_subdata_dir(ns)); in __aa_fs_create_rawdata()
1449 /* ->name freed when rawdata freed */ in __aa_fs_create_rawdata()
1451 rawdata->dents[AAFS_LOADDATA_DIR] = dir; in __aa_fs_create_rawdata()
1457 rawdata->dents[AAFS_LOADDATA_ABI] = dent; in __aa_fs_create_rawdata()
1459 dent = aafs_create_file("revision", S_IFREG | 0444, dir, rawdata, in __aa_fs_create_rawdata()
1463 rawdata->dents[AAFS_LOADDATA_REVISION] = dent; in __aa_fs_create_rawdata()
1470 rawdata->dents[AAFS_LOADDATA_HASH] = dent; in __aa_fs_create_rawdata()
1478 rawdata->dents[AAFS_LOADDATA_COMPRESSED_SIZE] = dent; in __aa_fs_create_rawdata()
1484 rawdata->dents[AAFS_LOADDATA_DATA] = dent; in __aa_fs_create_rawdata()
1485 d_inode(dent)->i_size = rawdata->size; in __aa_fs_create_rawdata()
1487 rawdata->ns = aa_get_ns(ns); in __aa_fs_create_rawdata()
1488 list_add(&rawdata->list, &ns->rawdata_list); in __aa_fs_create_rawdata()
1503 * Requires: @profile->ns->lock held
1513 list_for_each_entry(child, &profile->base.profiles, base.list) in __aafs_profile_rmdir()
1516 for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) { in __aafs_profile_rmdir()
1518 if (!profile->dents[i]) in __aafs_profile_rmdir()
1521 proxy = d_inode(profile->dents[i])->i_private; in __aafs_profile_rmdir()
1522 aafs_remove(profile->dents[i]); in __aafs_profile_rmdir()
1524 profile->dents[i] = NULL; in __aafs_profile_rmdir()
1530 * Requires: @old->ns->lock held
1539 AA_BUG(!mutex_is_locked(&profiles_ns(old)->lock)); in __aafs_profile_migrate_dents()
1542 new->dents[i] = old->dents[i]; in __aafs_profile_migrate_dents()
1543 if (new->dents[i]) in __aafs_profile_migrate_dents()
1544 new->dents[i]->d_inode->i_mtime = current_time(new->dents[i]->d_inode); in __aafs_profile_migrate_dents()
1545 old->dents[i] = NULL; in __aafs_profile_migrate_dents()
1553 struct aa_proxy *proxy = aa_get_proxy(profile->label.proxy); in create_profile_file()
1568 for (depth = 0; profile; profile = rcu_access_pointer(profile->parent)) in profile_depth()
1583 return ERR_PTR(-ENOMEM); in gen_symlink_name()
1585 for (; depth > 0; depth--) { in gen_symlink_name()
1588 size -= 6; in gen_symlink_name()
1594 return ERR_PTR(-ENAMETOOLONG); in gen_symlink_name()
1610 struct aa_proxy *proxy = inode->i_private; in rawdata_get_link_base()
1611 struct aa_label *label; in rawdata_get_link_base() local
1617 return ERR_PTR(-ECHILD); in rawdata_get_link_base()
1619 label = aa_get_label_rcu(&proxy->label); in rawdata_get_link_base()
1620 profile = labels_profile(label); in rawdata_get_link_base()
1622 target = gen_symlink_name(depth, profile->rawdata->name, name); in rawdata_get_link_base()
1623 aa_put_label(label); in rawdata_get_link_base()
1667 * Requires: @profile->ns->lock held
1676 AA_BUG(!mutex_is_locked(&profiles_ns(profile)->lock)); in __aafs_profile_mkdir()
1683 error = -ENOENT; in __aafs_profile_mkdir()
1693 if (!profile->dirname) { in __aafs_profile_mkdir()
1695 len = mangle_name(profile->base.name, NULL); in __aafs_profile_mkdir()
1696 id_len = snprintf(NULL, 0, ".%ld", profile->ns->uniq_id); in __aafs_profile_mkdir()
1698 profile->dirname = kmalloc(len + id_len + 1, GFP_KERNEL); in __aafs_profile_mkdir()
1699 if (!profile->dirname) { in __aafs_profile_mkdir()
1700 error = -ENOMEM; in __aafs_profile_mkdir()
1704 mangle_name(profile->base.name, profile->dirname); in __aafs_profile_mkdir()
1705 sprintf(profile->dirname + len, ".%ld", profile->ns->uniq_id++); in __aafs_profile_mkdir()
1708 dent = aafs_create_dir(profile->dirname, parent); in __aafs_profile_mkdir()
1717 profile->dents[AAFS_PROF_NAME] = dent; in __aafs_profile_mkdir()
1723 profile->dents[AAFS_PROF_MODE] = dent; in __aafs_profile_mkdir()
1729 profile->dents[AAFS_PROF_ATTACH] = dent; in __aafs_profile_mkdir()
1731 if (profile->hash) { in __aafs_profile_mkdir()
1736 profile->dents[AAFS_PROF_HASH] = dent; in __aafs_profile_mkdir()
1739 if (profile->rawdata) { in __aafs_profile_mkdir()
1741 profile->label.proxy, NULL, NULL, in __aafs_profile_mkdir()
1745 aa_get_proxy(profile->label.proxy); in __aafs_profile_mkdir()
1746 profile->dents[AAFS_PROF_RAW_HASH] = dent; in __aafs_profile_mkdir()
1749 profile->label.proxy, NULL, NULL, in __aafs_profile_mkdir()
1753 aa_get_proxy(profile->label.proxy); in __aafs_profile_mkdir()
1754 profile->dents[AAFS_PROF_RAW_ABI] = dent; in __aafs_profile_mkdir()
1757 profile->label.proxy, NULL, NULL, in __aafs_profile_mkdir()
1761 aa_get_proxy(profile->label.proxy); in __aafs_profile_mkdir()
1762 profile->dents[AAFS_PROF_RAW_DATA] = dent; in __aafs_profile_mkdir()
1765 list_for_each_entry(child, &profile->base.profiles, base.list) { in __aafs_profile_mkdir()
1786 struct aa_label *label; in ns_mkdir_op() local
1789 label = begin_current_label_crit_section(); in ns_mkdir_op()
1790 error = aa_may_manage_policy(label, NULL, AA_MAY_LOAD_POLICY); in ns_mkdir_op()
1791 end_current_label_crit_section(label); in ns_mkdir_op()
1795 parent = aa_get_ns(dir->i_private); in ns_mkdir_op()
1803 mutex_lock_nested(&parent->lock, parent->level); in ns_mkdir_op()
1813 ns = __aa_find_or_create_ns(parent, READ_ONCE(dentry->d_name.name), in ns_mkdir_op()
1825 mutex_unlock(&parent->lock); in ns_mkdir_op()
1835 struct aa_label *label; in ns_rmdir_op() local
1838 label = begin_current_label_crit_section(); in ns_rmdir_op()
1839 error = aa_may_manage_policy(label, NULL, AA_MAY_LOAD_POLICY); in ns_rmdir_op()
1840 end_current_label_crit_section(label); in ns_rmdir_op()
1844 parent = aa_get_ns(dir->i_private); in ns_rmdir_op()
1850 inode_unlock(dentry->d_inode); in ns_rmdir_op()
1852 mutex_lock_nested(&parent->lock, parent->level); in ns_rmdir_op()
1853 ns = aa_get_ns(__aa_findn_ns(&parent->sub_ns, dentry->d_name.name, in ns_rmdir_op()
1854 dentry->d_name.len)); in ns_rmdir_op()
1856 error = -ENOENT; in ns_rmdir_op()
1865 mutex_unlock(&parent->lock); in ns_rmdir_op()
1867 inode_lock(dentry->d_inode); in ns_rmdir_op()
1883 AA_BUG(!mutex_is_locked(&ns->lock)); in __aa_fs_list_remove_rawdata()
1885 list_for_each_entry_safe(ent, tmp, &ns->rawdata_list, list) in __aa_fs_list_remove_rawdata()
1891 * Requires: @ns->lock held
1901 AA_BUG(!mutex_is_locked(&ns->lock)); in __aafs_ns_rmdir()
1903 list_for_each_entry(child, &ns->base.profiles, base.list) in __aafs_ns_rmdir()
1906 list_for_each_entry(sub, &ns->sub_ns, base.list) { in __aafs_ns_rmdir()
1907 mutex_lock_nested(&sub->lock, sub->level); in __aafs_ns_rmdir()
1909 mutex_unlock(&sub->lock); in __aafs_ns_rmdir()
1915 sub = d_inode(ns_subns_dir(ns))->i_private; in __aafs_ns_rmdir()
1919 sub = d_inode(ns_subload(ns))->i_private; in __aafs_ns_rmdir()
1923 sub = d_inode(ns_subreplace(ns))->i_private; in __aafs_ns_rmdir()
1927 sub = d_inode(ns_subremove(ns))->i_private; in __aafs_ns_rmdir()
1931 sub = d_inode(ns_subrevision(ns))->i_private; in __aafs_ns_rmdir()
1935 for (i = AAFS_NS_SIZEOF - 1; i >= 0; --i) { in __aafs_ns_rmdir()
1936 aafs_remove(ns->dents[i]); in __aafs_ns_rmdir()
1937 ns->dents[i] = NULL; in __aafs_ns_rmdir()
1959 dent = aafs_create_file("revision", 0444, dir, ns, in __aafs_ns_mkdir_entries()
1999 * Requires: @ns->lock held
2011 AA_BUG(!mutex_is_locked(&ns->lock)); in __aafs_ns_mkdir()
2014 name = ns->base.name; in __aafs_ns_mkdir()
2029 list_for_each_entry(child, &ns->base.profiles, base.list) { in __aafs_ns_mkdir()
2036 list_for_each_entry(sub, &ns->sub_ns, base.list) { in __aafs_ns_mkdir()
2037 mutex_lock_nested(&sub->lock, sub->level); in __aafs_ns_mkdir()
2039 mutex_unlock(&sub->lock); in __aafs_ns_mkdir()
2056 #define list_entry_is_head(pos, head, member) (&pos->member == (head))
2059 * __next_ns - find the next namespace to list
2067 * Requires: ns->parent->lock to be held
2068 * NOTE: will not unlock root->lock
2076 AA_BUG(ns != root && !mutex_is_locked(&ns->parent->lock)); in __next_ns()
2079 if (!list_empty(&ns->sub_ns)) { in __next_ns()
2080 next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list); in __next_ns()
2081 mutex_lock_nested(&next->lock, next->level); in __next_ns()
2086 parent = ns->parent; in __next_ns()
2088 mutex_unlock(&ns->lock); in __next_ns()
2090 if (!list_entry_is_head(next, &parent->sub_ns, base.list)) { in __next_ns()
2091 mutex_lock_nested(&next->lock, next->level); in __next_ns()
2095 parent = parent->parent; in __next_ns()
2102 * __first_profile - find the first profile in a namespace
2107 * Requires: @ns->lock to be held (when @ns is non-NULL)
2113 AA_BUG(ns && !mutex_is_locked(&ns->lock)); in __first_profile()
2116 if (!list_empty(&ns->base.profiles)) in __first_profile()
2117 return list_first_entry(&ns->base.profiles, in __first_profile()
2124 * __next_profile - step to the next profile in a profile tree
2130 * Requires: @p->ns->lock to be held
2135 struct aa_ns *ns = p->ns; in __next_profile()
2137 AA_BUG(!mutex_is_locked(&profiles_ns(p)->lock)); in __next_profile()
2140 if (!list_empty(&p->base.profiles)) in __next_profile()
2141 return list_first_entry(&p->base.profiles, typeof(*p), in __next_profile()
2145 parent = rcu_dereference_protected(p->parent, in __next_profile()
2146 mutex_is_locked(&p->ns->lock)); in __next_profile()
2149 if (!list_entry_is_head(p, &parent->base.profiles, base.list)) in __next_profile()
2152 parent = rcu_dereference_protected(parent->parent, in __next_profile()
2153 mutex_is_locked(&parent->ns->lock)); in __next_profile()
2158 if (!list_entry_is_head(p, &ns->base.profiles, base.list)) in __next_profile()
2165 * next_profile - step to the next profile in where ever it may be
2179 return __first_profile(root, __next_ns(root, profile->ns)); in next_profile()
2183 * p_start - start a depth first traversal of profile tree
2189 * acquires first ns->lock
2196 f->private = root; in p_start()
2199 mutex_lock_nested(&root->lock, root->level); in p_start()
2203 for (; profile && l > 0; l--) in p_start()
2210 * p_next - read the next profile entry
2222 struct aa_ns *ns = f->private; in p_next()
2229 * p_stop - stop depth first traversal
2238 struct aa_ns *root = f->private, *ns; in p_stop()
2241 for (ns = profile->ns; ns && ns != root; ns = ns->parent) in p_stop()
2242 mutex_unlock(&ns->lock); in p_stop()
2244 mutex_unlock(&root->lock); in p_stop()
2249 * seq_show_profile - show a profile entry
2258 struct aa_ns *root = f->private; in seq_show_profile()
2260 aa_label_seq_xprint(f, root, &profile->label, in seq_show_profile()
2277 return -EACCES; in profiles_open()
2365 AA_SFS_DIR("label", aa_sfs_entry_query_label),
2399 * entry_create_file - create a file entry in the apparmor securityfs
2410 fs_file->dentry = securityfs_create_file(fs_file->name, in entry_create_file()
2411 S_IFREG | fs_file->mode, in entry_create_file()
2413 fs_file->file_ops); in entry_create_file()
2414 if (IS_ERR(fs_file->dentry)) { in entry_create_file()
2415 error = PTR_ERR(fs_file->dentry); in entry_create_file()
2416 fs_file->dentry = NULL; in entry_create_file()
2423 * entry_create_dir - recursively create a directory entry in the securityfs
2436 dir = securityfs_create_dir(fs_dir->name, parent); in entry_create_dir()
2439 fs_dir->dentry = dir; in entry_create_dir()
2441 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { in entry_create_dir()
2442 if (fs_file->v_type == AA_SFS_TYPE_DIR) in entry_create_dir()
2443 error = entry_create_dir(fs_file, fs_dir->dentry); in entry_create_dir()
2445 error = entry_create_file(fs_file, fs_dir->dentry); in entry_create_dir()
2459 * entry_remove_file - drop a single file entry in the apparmor securityfs
2464 if (!fs_file->dentry) in entry_remove_file()
2467 securityfs_remove(fs_file->dentry); in entry_remove_file()
2468 fs_file->dentry = NULL; in entry_remove_file()
2472 * entry_remove_dir - recursively drop a directory entry from the securityfs
2479 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { in entry_remove_dir()
2480 if (fs_file->v_type == AA_SFS_TYPE_DIR) in entry_remove_dir()
2490 * aa_destroy_aafs - cleanup and free aafs
2509 int error = simple_pin_fs(parent->d_sb->s_type, &mount, &count); in aa_mk_null_file()
2520 inode = new_inode(parent->d_inode->i_sb); in aa_mk_null_file()
2522 error = -ENOMEM; in aa_mk_null_file()
2526 inode->i_ino = get_next_ino(); in aa_mk_null_file()
2527 inode->i_mode = S_IFCHR | S_IRUGO | S_IWUGO; in aa_mk_null_file()
2528 inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode); in aa_mk_null_file()
2556 return ERR_PTR(-ECHILD); in policy_get_link()
2574 d_inode(dentry)->i_ino); in policy_readlink()
2578 res = -ENOENT; in policy_readlink()
2590 * aa_create_aafs - create the apparmor security filesystem
2606 return -EEXIST; in aa_create_aafs()
2613 aafs_mnt->mnt_sb->s_flags &= ~SB_NOUSER; in aa_create_aafs()
2638 dent = securityfs_create_file("revision", 0444, aa_sfs_entry.dentry, in aa_create_aafs()
2645 mutex_lock_nested(&root_ns->lock, root_ns->level); in aa_create_aafs()
2646 error = __aafs_ns_mkdir(root_ns, aafs_mnt->mnt_root, ".policy", in aa_create_aafs()
2647 aafs_mnt->mnt_root); in aa_create_aafs()
2648 mutex_unlock(&root_ns->lock); in aa_create_aafs()