1992ec6ce4
This is a sync and squash to the apparmor 3 alpha 4 development snapshot backported from 3.12. The set of patches in this squash are available is the aa3.0-presquash branch of the dev tree. Several of the patches in the squash have been submitted upstream. Several more will be submitted soon, and other parts are still in active review and development. This squash will be updated to remove patches as they are pulled into the upstream tree, and add new patches as they become available to the stable apparmor dev branch. In addition to the apparmor 3 sync this contains the backport patch series for the 3.4 manta kernel - apparmor: 3.10 backport revert no delay vfree() - apparmor: 3.8 backport provide file_inode helper 496ad9aa - apparmor: 3.6 backport revert uapi for capnames 43c422ed - apparmor: 3.6 backport revert uapi for resnames 8a1ab315 - apparmor: 3.6 backport define kuid_t d2b31ca64 - apparmor: 3.6 backport kuid_t support for audit 2db81452 - apparmor: 3.6 backport remove const from sb_mount 808d4e3c - apparmor: 3.4 backport revert file_mmap e5467859 - apparmor: 3.4 backport cap_mmap_addr d007794a - apparmor: 3.4 backport fake no_new_privs 259e5e6c - apparmor: 3.4 backport revert task audi_data 0972c74e - apparmor: 3.4 backport alias file_open 83d49856 - UBUNTU: SAUCE: (no-up) apparmor: update config options Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
156 lines
3.8 KiB
C
156 lines
3.8 KiB
C
/*
|
|
* AppArmor security module
|
|
*
|
|
* This file contains basic common functions used in AppArmor
|
|
*
|
|
* Copyright (C) 1998-2008 Novell/SUSE
|
|
* Copyright 2009-2010 Canonical Ltd.
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License as
|
|
* published by the Free Software Foundation, version 2 of the
|
|
* License.
|
|
*/
|
|
|
|
#include <linux/mm.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/string.h>
|
|
#include <linux/vmalloc.h>
|
|
|
|
#include "include/audit.h"
|
|
#include "include/apparmor.h"
|
|
|
|
|
|
/**
|
|
* aa_split_fqname - split a fqname into a profile and namespace name
|
|
* @fqname: a full qualified name in namespace profile format (NOT NULL)
|
|
* @ns_name: pointer to portion of the string containing the ns name (NOT NULL)
|
|
*
|
|
* Returns: profile name or NULL if one is not specified
|
|
*
|
|
* Split a namespace name from a profile name (see policy.c for naming
|
|
* description). If a portion of the name is missing it returns NULL for
|
|
* that portion.
|
|
*
|
|
* NOTE: may modify the @fqname string. The pointers returned point
|
|
* into the @fqname string.
|
|
*/
|
|
char *aa_split_fqname(char *fqname, char **ns_name)
|
|
{
|
|
char *name = strim(fqname);
|
|
|
|
*ns_name = NULL;
|
|
if (name[0] == ':') {
|
|
char *split = strchr(&name[1], ':');
|
|
*ns_name = skip_spaces(&name[1]);
|
|
if (split) {
|
|
/* overwrite ':' with \0 */
|
|
*split++ = 0;
|
|
if (strncmp(split, "//", 2) == 0)
|
|
split += 2;
|
|
name = skip_spaces(split);
|
|
} else
|
|
/* a ns name without a following profile is allowed */
|
|
name = NULL;
|
|
}
|
|
if (name && *name == 0)
|
|
name = NULL;
|
|
|
|
return name;
|
|
}
|
|
|
|
/**
|
|
* aa_info_message - log a none profile related status message
|
|
* @str: message to log
|
|
*/
|
|
void aa_info_message(const char *str)
|
|
{
|
|
if (audit_enabled) {
|
|
struct common_audit_data sa;
|
|
struct apparmor_audit_data aad = {0,};
|
|
sa.type = LSM_AUDIT_DATA_NONE;
|
|
aad_set(&sa, &aad);
|
|
aad.info = str;
|
|
aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, NULL);
|
|
}
|
|
printk(KERN_INFO "AppArmor: %s\n", str);
|
|
}
|
|
|
|
/**
|
|
* __aa_kvmalloc - do allocation preferring kmalloc but falling back to vmalloc
|
|
* @size: how many bytes of memory are required
|
|
* @flags: the type of memory to allocate (see kmalloc).
|
|
*
|
|
* Return: allocated buffer or NULL if failed
|
|
*
|
|
* It is possible that policy being loaded from the user is larger than
|
|
* what can be allocated by kmalloc, in those cases fall back to vmalloc.
|
|
*/
|
|
void *__aa_kvmalloc(size_t size, gfp_t flags)
|
|
{
|
|
void *buffer = NULL;
|
|
|
|
if (size == 0)
|
|
return NULL;
|
|
|
|
/* do not attempt kmalloc if we need more than 16 pages at once */
|
|
if (size <= (16*PAGE_SIZE))
|
|
buffer = kmalloc(size, flags | GFP_NOIO | __GFP_NOWARN);
|
|
if (!buffer) {
|
|
if (flags & __GFP_ZERO)
|
|
buffer = vzalloc(size);
|
|
else
|
|
buffer = vmalloc(size);
|
|
}
|
|
return buffer;
|
|
}
|
|
|
|
/**
|
|
* do_vfree - workqueue routine for freeing vmalloced memory
|
|
* @work: data to be freed
|
|
*
|
|
* The work_struct is overlaid to the data being freed, as at the point
|
|
* the work is scheduled the data is no longer valid, be its freeing
|
|
* needs to be delayed until safe.
|
|
*/
|
|
static void do_vfree(struct work_struct *work)
|
|
{
|
|
vfree(work);
|
|
}
|
|
|
|
/**
|
|
* kvfree - free an allocation do by kvmalloc
|
|
* @buffer: buffer to free (MAYBE_NULL)
|
|
*
|
|
* Free a buffer allocated by kvmalloc
|
|
*/
|
|
void kvfree(void *buffer)
|
|
{
|
|
if (is_vmalloc_addr(buffer)) {
|
|
/* Data is no longer valid so just use the allocated space
|
|
* as the work_struct
|
|
*/
|
|
struct work_struct *work = (struct work_struct *) buffer;
|
|
INIT_WORK(work, do_vfree);
|
|
schedule_work(work);
|
|
} else
|
|
kfree(buffer);
|
|
}
|
|
|
|
|
|
__counted char *aa_str_alloc(int size, gfp_t gfp)
|
|
{
|
|
struct counted_str *str;
|
|
str = kmalloc(sizeof(struct counted_str) + size, gfp);
|
|
if (!str)
|
|
return NULL;
|
|
|
|
kref_init(&str->count);
|
|
return str->name;
|
|
}
|
|
|
|
void aa_str_kref(struct kref *kref)
|
|
{
|
|
kfree(container_of(kref, struct counted_str, count));
|
|
}
|