3 #include <linux/slab.h>
4 #include <linux/spinlock.h>
5 #include <linux/string.h>
7 #include "include/apparmor.h"
8 #include "include/capability.h"
9 #include "include/context.h"
10 #include "include/file.h"
11 #include "include/ipc.h"
12 #include "include/match.h"
13 #include "include/path.h"
14 #include "include/policy.h"
15 #include "include/policy_unpack.h"
16 #include "include/resource.h"
17 #include "include/sid.h"
20 /* root profile namespace */
21 struct aa_namespace
*root_ns
;
23 const char *profile_mode_names
[] = {
30 * hname_tail - find the last component of an hname
31 * @name: hname to find the base profile name component of (NOT NULL)
33 * Returns: the tail (base profile name) name component of an hname
35 static const char *hname_tail(const char *hname
)
38 hname
= strim((char *)hname
);
39 for (split
= strstr(hname
, "//"); split
; split
= strstr(hname
, "//"))
46 * policy_init - initialize a policy structure
47 * @policy: policy to initialize (NOT NULL)
48 * @prefix: prefix name if any is required. (MAYBE NULL)
49 * @name: name of the policy, init will make a copy of it (NOT NULL)
51 * Note: this fn creates a copy of strings passed in
53 * Returns: true if policy init successful
55 static bool policy_init(struct aa_policy
*policy
, const char *prefix
,
58 /* freed by policy_free */
60 policy
->hname
= kmalloc(strlen(prefix
) + strlen(name
) + 3,
63 sprintf(policy
->hname
, "%s//%s", prefix
, name
);
65 policy
->hname
= kstrdup(name
, GFP_KERNEL
);
68 /* base.name is a substring of fqname */
69 policy
->name
= (char *)hname_tail(policy
->hname
);
70 INIT_LIST_HEAD(&policy
->list
);
71 INIT_LIST_HEAD(&policy
->profiles
);
72 kref_init(&policy
->count
);
78 * policy_destroy - free the elements referenced by @policy
79 * @policy: policy that is to have its elements freed (NOT NULL)
81 static void policy_destroy(struct aa_policy
*policy
)
83 /* still contains profiles -- invalid */
84 if (!list_empty(&policy
->profiles
)) {
85 AA_ERROR("%s: internal error, "
86 "policy '%s' still contains profiles\n",
87 __func__
, policy
->name
);
90 if (!list_empty(&policy
->list
)) {
91 AA_ERROR("%s: internal error, policy '%s' still on list\n",
92 __func__
, policy
->name
);
96 /* don't free name as its a subset of hname */
97 kzfree(policy
->hname
);
101 * __policy_find - find a policy by @name on a policy list
102 * @head: list to search (NOT NULL)
103 * @name: name to search for (NOT NULL)
105 * Requires: correct locks for the @head list be held
107 * Returns: unrefcounted policy that match @name or NULL if not found
109 static struct aa_policy
*__policy_find(struct list_head
*head
, const char *name
)
111 struct aa_policy
*policy
;
113 list_for_each_entry(policy
, head
, list
) {
114 if (!strcmp(policy
->name
, name
))
121 * __policy_strn_find - find a policy that's name matches @len chars of @str
122 * @head: list to search (NOT NULL)
123 * @str: string to search for (NOT NULL)
124 * @len: length of match required
126 * Requires: correct locks for the @head list be held
128 * Returns: unrefcounted policy that match @str or NULL if not found
130 * if @len == strlen(@strlen) then this is equiv to __policy_find
131 * other wise it allows searching for policy by a partial match of name
133 static struct aa_policy
*__policy_strn_find(struct list_head
*head
,
134 const char *str
, int len
)
136 struct aa_policy
*policy
;
138 list_for_each_entry(policy
, head
, list
) {
139 if (aa_strneq(policy
->name
, str
, len
))
147 * Routines for AppArmor namespaces
150 static const char *hidden_ns_name
= "---";
152 * aa_ns_visible - test if @view is visible from @curr
153 * @curr: namespace to treat as the parent (NOT NULL)
154 * @view: namespace to test if visible from @curr (NOT NULL)
156 * Returns: true if @view is visible from @curr else false
158 bool aa_ns_visible(struct aa_namespace
*curr
, struct aa_namespace
*view
)
163 for ( ; view
; view
= view
->parent
) {
164 if (view
->parent
== curr
)
171 * aa_na_name - Find the ns name to display for @view from @curr
172 * @curr - current namespace (NOT NULL)
173 * @view - namespace attempting to view (NOT NULL)
175 * Returns: name of @view visible from @curr
177 const char *aa_ns_name(struct aa_namespace
*curr
, struct aa_namespace
*view
)
179 /* if view == curr then the namespace name isn't displayed */
183 if (aa_ns_visible(curr
, view
)) {
184 /* at this point if a ns is visible it is in a view ns
185 * thus the curr ns.hname is a prefix of its name.
186 * Only output the virtualized portion of the name
187 * Add + 2 to skip over // separating curr hname prefix
188 * from the visible tail of the views hname
190 return view
->base
.hname
+ strlen(curr
->base
.hname
) + 2;
192 return hidden_ns_name
;
196 * alloc_namespace - allocate, initialize and return a new namespace
197 * @prefix: parent namespace name (MAYBE NULL)
198 * @name: a preallocated name (NOT NULL)
200 * Returns: refcounted namespace or NULL on failure.
202 static struct aa_namespace
*alloc_namespace(const char *prefix
,
205 struct aa_namespace
*ns
;
207 ns
= kzalloc(sizeof(*ns
), GFP_KERNEL
);
208 AA_DEBUG("%s(%p)\n", __func__
, ns
);
211 if (!policy_init(&ns
->base
, prefix
, name
))
214 INIT_LIST_HEAD(&ns
->sub_ns
);
215 rwlock_init(&ns
->lock
);
217 /* released by free_namespace */
218 ns
->unconfined
= aa_alloc_profile("unconfined");
220 goto fail_unconfined
;
222 ns
->unconfined
->sid
= aa_alloc_sid();
223 ns
->unconfined
->flags
= PFLAG_UNCONFINED
| PFLAG_IX_ON_NAME_ERROR
|
227 * released by free_namespace, however __remove_namespace breaks
228 * the cyclic references (ns->unconfined, and unconfined->ns) and
229 * replaces with refs to parent namespace unconfined
231 ns
->unconfined
->ns
= aa_get_namespace(ns
);
236 kzfree(ns
->base
.name
);
243 * free_namespace - free a profile namespace
244 * @ns: the namespace to free (MAYBE NULL)
246 * Requires: All references to the namespace must have been put, if the
247 * namespace was referenced by a profile confining a task,
249 static void free_namespace(struct aa_namespace
*ns
)
254 policy_destroy(&ns
->base
);
255 aa_put_namespace(ns
->parent
);
257 if (ns
->unconfined
&& ns
->unconfined
->ns
== ns
)
258 ns
->unconfined
->ns
= NULL
;
260 aa_put_profile(ns
->unconfined
);
265 * aa_free_namespace_kref - free aa_namespace by kref (see aa_put_namespace)
266 * @kr: kref callback for freeing of a namespace (NOT NULL)
268 void aa_free_namespace_kref(struct kref
*kref
)
270 free_namespace(container_of(kref
, struct aa_namespace
, base
.count
));
274 * __aa_find_namespace - find a namespace on a list by @name
275 * @head: list to search for namespace on (NOT NULL)
276 * @name: name of namespace to look for (NOT NULL)
278 * Returns: unrefcounted namespace
280 * Requires: ns lock be held
282 static struct aa_namespace
*__aa_find_namespace(struct list_head
*head
,
285 return (struct aa_namespace
*)__policy_find(head
, name
);
289 * aa_find_namespace - look up a profile namespace on the namespace list
290 * @root: namespace to search in (NOT NULL)
291 * @name: name of namespace to find (NOT NULL)
293 * Returns: a refcounted namespace on the list, or NULL if no namespace
294 * called @name exists.
296 * refcount released by caller
298 struct aa_namespace
*aa_find_namespace(struct aa_namespace
*root
,
301 struct aa_namespace
*ns
= NULL
;
303 read_lock(&root
->lock
);
304 ns
= aa_get_namespace(__aa_find_namespace(&root
->sub_ns
, name
));
305 read_unlock(&root
->lock
);
311 * aa_prepare_namespace - find an existing or create a new namespace of @name
312 * @name: the namespace to find or add (MAYBE NULL)
314 * Returns: refcounted namespace or NULL if failed to create one
316 static struct aa_namespace
*aa_prepare_namespace(const char *name
)
318 struct aa_namespace
*ns
, *root
;
320 root
= aa_current_profile()->ns
;
322 write_lock(&root
->lock
);
324 /* if name isn't specified the profile is loaded to the current ns */
326 /* released by caller */
327 ns
= aa_get_namespace(root
);
331 /* try and find the specified ns and if it doesn't exist create it */
332 /* released by caller */
333 ns
= aa_get_namespace(__aa_find_namespace(&root
->sub_ns
, name
));
335 /* namespace not found */
336 struct aa_namespace
*new_ns
;
337 write_unlock(&root
->lock
);
338 new_ns
= alloc_namespace(root
->base
.hname
, name
);
341 write_lock(&root
->lock
);
342 /* test for race when new_ns was allocated */
343 ns
= __aa_find_namespace(&root
->sub_ns
, name
);
346 new_ns
->parent
= aa_get_namespace(root
);
348 list_add(&new_ns
->base
.list
, &root
->sub_ns
);
350 ns
= aa_get_namespace(new_ns
);
352 /* raced so free the new one */
353 free_namespace(new_ns
);
354 /* get reference on namespace */
355 aa_get_namespace(ns
);
359 write_unlock(&root
->lock
);
366 * __list_add_profile - add a profile to a list
367 * @list: list to add it to (NOT NULL)
368 * @profile: the profile to add (NOT NULL)
370 * refcount @profile, should be put by __list_remove_profile
372 * Requires: namespace lock be held, or list not be shared
374 static void __list_add_profile(struct list_head
*list
,
375 struct aa_profile
*profile
)
377 list_add(&profile
->base
.list
, list
);
378 /* get list reference */
379 aa_get_profile(profile
);
383 * __list_remove_profile - remove a profile from the list it is on
384 * @profile: the profile to remove (NOT NULL)
386 * remove a profile from the list, warning generally removal should
387 * be done with __replace_profile as most profile removals are
388 * replacements to the unconfined profile.
390 * put @profile list refcount
392 * Requires: namespace lock be held, or list not have been live
394 static void __list_remove_profile(struct aa_profile
*profile
)
396 list_del_init(&profile
->base
.list
);
397 if (!(profile
->flags
& PFLAG_NO_LIST_REF
))
398 /* release list reference */
399 aa_put_profile(profile
);
403 * __replace_profile - replace @old with @new on a list
404 * @old: profile to be replaced (NOT NULL)
405 * @new: profile to replace @old with (NOT NULL)
407 * Will duplicate and refcount elements that @new inherits from @old
408 * and will inherit @old children.
410 * refcount @new for list, put @old list refcount
412 * Requires: namespace list lock be held, or list not be shared
414 static void __replace_profile(struct aa_profile
*old
, struct aa_profile
*new)
416 struct aa_policy
*policy
;
417 struct aa_profile
*child
, *tmp
;
420 policy
= &old
->parent
->base
;
422 policy
= &old
->ns
->base
;
424 /* released when @new is freed */
425 new->parent
= aa_get_profile(old
->parent
);
426 new->ns
= aa_get_namespace(old
->ns
);
428 __list_add_profile(&policy
->profiles
, new);
429 /* inherit children */
430 list_for_each_entry_safe(child
, tmp
, &old
->base
.profiles
, base
.list
) {
431 aa_put_profile(child
->parent
);
432 child
->parent
= aa_get_profile(new);
433 /* list refcount transferred to @new*/
434 list_move(&child
->base
.list
, &new->base
.profiles
);
437 /* released by free_profile */
438 old
->replacedby
= aa_get_profile(new);
439 __list_remove_profile(old
);
442 static void __profile_list_release(struct list_head
*head
);
445 * __remove_profile - remove old profile, and children
446 * @profile: profile to be replaced (NOT NULL)
448 * Requires: namespace list lock be held, or list not be shared
450 static void __remove_profile(struct aa_profile
*profile
)
452 /* release any children lists first */
453 __profile_list_release(&profile
->base
.profiles
);
454 /* released by free_profile */
455 profile
->replacedby
= aa_get_profile(profile
->ns
->unconfined
);
456 __list_remove_profile(profile
);
460 * __profile_list_release - remove all profiles on the list and put refs
461 * @head: list of profiles (NOT NULL)
463 * Requires: namespace lock be held
465 static void __profile_list_release(struct list_head
*head
)
467 struct aa_profile
*profile
, *tmp
;
468 list_for_each_entry_safe(profile
, tmp
, head
, base
.list
)
469 __remove_profile(profile
);
472 static void __ns_list_release(struct list_head
*head
);
475 * destroy_namespace - remove everything contained by @ns
476 * @ns: namespace to have it contents removed (NOT NULL)
478 static void destroy_namespace(struct aa_namespace
*ns
)
483 write_lock(&ns
->lock
);
484 /* release all profiles in this namespace */
485 __profile_list_release(&ns
->base
.profiles
);
487 /* release all sub namespaces */
488 __ns_list_release(&ns
->sub_ns
);
490 write_unlock(&ns
->lock
);
494 * __remove_namespace - remove a namespace and all its children
495 * @ns: namespace to be removed (NOT NULL)
497 * Requires: ns->parent->lock be held and ns removed from parent.
499 static void __remove_namespace(struct aa_namespace
*ns
)
501 struct aa_profile
*unconfined
= ns
->unconfined
;
503 /* remove ns from namespace list */
504 list_del_init(&ns
->base
.list
);
507 * break the ns, unconfined profile cyclic reference and forward
508 * all new unconfined profiles requests to the parent namespace
509 * This will result in all confined tasks that have a profile
510 * being removed, inheriting the parent->unconfined profile.
513 ns
->unconfined
= aa_get_profile(ns
->parent
->unconfined
);
515 destroy_namespace(ns
);
517 /* release original ns->unconfined ref */
518 aa_put_profile(unconfined
);
519 /* release ns->base.list ref, from removal above */
520 aa_put_namespace(ns
);
524 * __ns_list_release - remove all profile namespaces on the list put refs
525 * @head: list of profile namespaces (NOT NULL)
527 * Requires: namespace lock be held
529 static void __ns_list_release(struct list_head
*head
)
531 struct aa_namespace
*ns
, *tmp
;
532 list_for_each_entry_safe(ns
, tmp
, head
, base
.list
)
533 __remove_namespace(ns
);
538 * aa_alloc_root_ns - allocate the root profile namespace
540 * Returns: %0 on success else error
543 int __init
aa_alloc_root_ns(void)
545 /* released by aa_free_root_ns - used as list ref*/
546 root_ns
= alloc_namespace(NULL
, "root");
554 * aa_free_root_ns - free the root profile namespace
556 void __init
aa_free_root_ns(void)
558 struct aa_namespace
*ns
= root_ns
;
561 destroy_namespace(ns
);
562 aa_put_namespace(ns
);
566 * aa_alloc_profile - allocate, initialize and return a new profile
567 * @hname: name of the profile (NOT NULL)
569 * Returns: refcount profile or NULL on failure
571 struct aa_profile
*aa_alloc_profile(const char *hname
)
573 struct aa_profile
*profile
;
575 /* freed by free_profile - usually through aa_put_profile */
576 profile
= kzalloc(sizeof(*profile
), GFP_KERNEL
);
580 if (!policy_init(&profile
->base
, NULL
, hname
)) {
585 /* refcount released by caller */
590 * aa_new_null_profile - create a new null-X learning profile
591 * @parent: profile that caused this profile to be created (NOT NULL)
592 * @hat: true if the null- learning profile is a hat
594 * Create a null- complain mode profile used in learning mode. The name of
595 * the profile is unique and follows the format of parent//null-sid.
597 * null profiles are added to the profile list but the list does not
598 * hold a count on them so that they are automatically released when
601 * Returns: new refcounted profile else NULL on failure
603 struct aa_profile
*aa_new_null_profile(struct aa_profile
*parent
, int hat
)
605 struct aa_profile
*profile
= NULL
;
607 u32 sid
= aa_alloc_sid();
610 name
= kmalloc(strlen(parent
->base
.hname
) + 2 + 7 + 8, GFP_KERNEL
);
613 sprintf(name
, "%s//null-%x", parent
->base
.hname
, sid
);
615 profile
= aa_alloc_profile(name
);
621 profile
->mode
= APPARMOR_COMPLAIN
;
622 profile
->flags
= PFLAG_NULL
;
624 profile
->flags
|= PFLAG_HAT
;
626 /* released on free_profile */
627 profile
->parent
= aa_get_profile(parent
);
628 profile
->ns
= aa_get_namespace(parent
->ns
);
630 write_lock(&profile
->ns
->lock
);
631 __list_add_profile(&parent
->base
.profiles
, profile
);
632 write_unlock(&profile
->ns
->lock
);
634 /* refcount released by caller */
643 * free_profile - free a profile
644 * @profile: the profile to free (MAYBE NULL)
646 * Free a profile, its hats and null_profile. All references to the profile,
647 * its hats and null_profile must have been put.
649 * If the profile was referenced from a task context, free_profile() will
650 * be called from an rcu callback routine, so we must not sleep here.
652 static void free_profile(struct aa_profile
*profile
)
654 AA_DEBUG("%s(%p)\n", __func__
, profile
);
659 if (!list_empty(&profile
->base
.list
)) {
660 AA_ERROR("%s: internal error, "
661 "profile '%s' still on ns list\n",
662 __func__
, profile
->base
.name
);
666 /* free children profiles */
667 policy_destroy(&profile
->base
);
668 aa_put_profile(profile
->parent
);
670 aa_put_namespace(profile
->ns
);
671 kzfree(profile
->rename
);
673 aa_free_file_rules(&profile
->file
);
674 aa_free_cap_rules(&profile
->caps
);
675 aa_free_rlimit_rules(&profile
->rlimits
);
677 aa_free_sid(profile
->sid
);
678 aa_put_dfa(profile
->xmatch
);
680 aa_put_profile(profile
->replacedby
);
686 * aa_free_profile_kref - free aa_profile by kref (called by aa_put_profile)
687 * @kr: kref callback for freeing of a profile (NOT NULL)
689 void aa_free_profile_kref(struct kref
*kref
)
691 struct aa_profile
*p
= container_of(kref
, struct aa_profile
,
697 /* TODO: profile accounting - setup in remove */
700 * __find_child - find a profile on @head list with a name matching @name
701 * @head: list to search (NOT NULL)
702 * @name: name of profile (NOT NULL)
704 * Requires: ns lock protecting list be held
706 * Returns: unrefcounted profile ptr, or NULL if not found
708 static struct aa_profile
*__find_child(struct list_head
*head
, const char *name
)
710 return (struct aa_profile
*)__policy_find(head
, name
);
714 * __strn_find_child - find a profile on @head list using substring of @name
715 * @head: list to search (NOT NULL)
716 * @name: name of profile (NOT NULL)
717 * @len: length of @name substring to match
719 * Requires: ns lock protecting list be held
721 * Returns: unrefcounted profile ptr, or NULL if not found
723 static struct aa_profile
*__strn_find_child(struct list_head
*head
,
724 const char *name
, int len
)
726 return (struct aa_profile
*)__policy_strn_find(head
, name
, len
);
730 * aa_find_child - find a profile by @name in @parent
731 * @parent: profile to search (NOT NULL)
732 * @name: profile name to search for (NOT NULL)
734 * Returns: a refcounted profile or NULL if not found
736 struct aa_profile
*aa_find_child(struct aa_profile
*parent
, const char *name
)
738 struct aa_profile
*profile
;
740 read_lock(&parent
->ns
->lock
);
741 profile
= aa_get_profile(__find_child(&parent
->base
.profiles
, name
));
742 read_unlock(&parent
->ns
->lock
);
744 /* refcount released by caller */
749 * __lookup_parent - lookup the parent of a profile of name @hname
750 * @ns: namespace to lookup profile in (NOT NULL)
751 * @hname: hierarchical profile name to find parent of (NOT NULL)
753 * Lookups up the parent of a fully qualified profile name, the profile
754 * that matches hname does not need to exist, in general this
755 * is used to load a new profile.
757 * Requires: ns->lock be held
759 * Returns: unrefcounted policy or NULL if not found
761 static struct aa_policy
*__lookup_parent(struct aa_namespace
*ns
,
764 struct aa_policy
*policy
;
765 struct aa_profile
*profile
= NULL
;
770 for (split
= strstr(hname
, "//"); split
;) {
771 profile
= __strn_find_child(&policy
->profiles
, hname
,
775 policy
= &profile
->base
;
777 split
= strstr(hname
, "//");
781 return &profile
->base
;
785 * __lookup_profile - lookup the profile matching @hname
786 * @base: base list to start looking up profile name from (NOT NULL)
787 * @hname: hierarchical profile name (NOT NULL)
789 * Requires: ns->lock be held
791 * Returns: unrefcounted profile pointer or NULL if not found
793 * Do a relative name lookup, recursing through profile tree.
795 static struct aa_profile
*__lookup_profile(struct aa_policy
*base
,
798 struct aa_profile
*profile
= NULL
;
801 for (split
= strstr(hname
, "//"); split
;) {
802 profile
= __strn_find_child(&base
->profiles
, hname
,
807 base
= &profile
->base
;
809 split
= strstr(hname
, "//");
812 profile
= __find_child(&base
->profiles
, hname
);
818 * aa_lookup_profile - find a profile by its full or partial name
819 * @ns: the namespace to start from (NOT NULL)
820 * @hname: name to do lookup on. Does not contain namespace prefix (NOT NULL)
822 * Returns: refcounted profile or NULL if not found
824 struct aa_profile
*aa_lookup_profile(struct aa_namespace
*ns
, const char *hname
)
826 struct aa_profile
*profile
;
828 read_lock(&ns
->lock
);
829 profile
= aa_get_profile(__lookup_profile(&ns
->base
, hname
));
830 read_unlock(&ns
->lock
);
832 /* refcount released by caller */
837 * replacement_allowed - test to see if replacement is allowed
838 * @profile: profile to test if it can be replaced (MAYBE NULL)
839 * @noreplace: true if replacement shouldn't be allowed but addition is okay
840 * @info: Returns - info about why replacement failed (NOT NULL)
842 * Returns: %0 if replacement allowed else error code
844 static int replacement_allowed(struct aa_profile
*profile
, int noreplace
,
848 if (profile
->flags
& PFLAG_IMMUTABLE
) {
849 *info
= "cannot replace immutible profile";
851 } else if (noreplace
) {
852 *info
= "profile already exists";
860 * __add_new_profile - simple wrapper around __list_add_profile
861 * @ns: namespace that profile is being added to (NOT NULL)
862 * @policy: the policy container to add the profile to (NOT NULL)
863 * @profile: profile to add (NOT NULL)
865 * add a profile to a list and do other required basic allocations
867 static void __add_new_profile(struct aa_namespace
*ns
, struct aa_policy
*policy
,
868 struct aa_profile
*profile
)
870 if (policy
!= &ns
->base
)
871 /* released on profile replacement or free_profile */
872 profile
->parent
= aa_get_profile((struct aa_profile
*) policy
);
873 __list_add_profile(&policy
->profiles
, profile
);
874 /* released on free_profile */
875 profile
->sid
= aa_alloc_sid();
876 profile
->ns
= aa_get_namespace(ns
);
880 * aa_audit_policy - Do auditing of policy changes
881 * @op: policy operation being performed
882 * @gfp: memory allocation flags
883 * @name: name of profile being manipulated (NOT NULL)
884 * @info: any extra information to be audited (MAYBE NULL)
887 * Returns: the error to be returned after audit is done
889 static int audit_policy(int op
, gfp_t gfp
, const char *name
, const char *info
,
892 struct common_audit_data sa
;
893 COMMON_AUDIT_DATA_INIT(&sa
, NONE
);
897 sa
.aad
.error
= error
;
899 return aa_audit(AUDIT_APPARMOR_STATUS
, __aa_current_profile(), gfp
,
904 * aa_may_manage_policy - can the current task manage policy
905 * @op: the policy manipulation operation being done
907 * Returns: true if the task is allowed to manipulate policy
909 bool aa_may_manage_policy(int op
)
911 /* check if loading policy is locked out */
912 if (aa_g_lock_policy
) {
913 audit_policy(op
, GFP_KERNEL
, NULL
, "policy_locked", -EACCES
);
917 if (!capable(CAP_MAC_ADMIN
)) {
918 audit_policy(op
, GFP_KERNEL
, NULL
, "not policy admin", -EACCES
);
926 * aa_replace_profiles - replace profile(s) on the profile list
927 * @udata: serialized data stream (NOT NULL)
928 * @size: size of the serialized data stream
929 * @noreplace: true if only doing addition, no replacement allowed
931 * unpack and replace a profile on the profile list and uses of that profile
932 * by any aa_task_cxt. If the profile does not exist on the profile list
935 * Returns: size of data consumed else error code on failure.
937 ssize_t
aa_replace_profiles(void *udata
, size_t size
, bool noreplace
)
939 struct aa_policy
*policy
;
940 struct aa_profile
*old_profile
= NULL
, *new_profile
= NULL
;
941 struct aa_profile
*rename_profile
= NULL
;
942 struct aa_namespace
*ns
= NULL
;
943 const char *ns_name
, *name
= NULL
, *info
= NULL
;
944 int op
= OP_PROF_REPL
;
948 new_profile
= aa_unpack(udata
, size
, &ns_name
);
949 if (IS_ERR(new_profile
)) {
950 error
= PTR_ERR(new_profile
);
956 ns
= aa_prepare_namespace(ns_name
);
958 info
= "failed to prepare namespace";
964 name
= new_profile
->base
.hname
;
966 write_lock(&ns
->lock
);
967 /* no ref on policy only use inside lock */
968 policy
= __lookup_parent(ns
, new_profile
->base
.hname
);
971 info
= "parent does not exist";
976 old_profile
= __find_child(&policy
->profiles
, new_profile
->base
.name
);
978 aa_get_profile(old_profile
);
980 if (new_profile
->rename
) {
981 rename_profile
= __lookup_profile(&ns
->base
,
982 new_profile
->rename
);
984 aa_get_profile(rename_profile
);
986 if (!rename_profile
) {
987 info
= "profile to rename does not exist";
988 name
= new_profile
->rename
;
994 error
= replacement_allowed(old_profile
, noreplace
, &info
);
998 error
= replacement_allowed(rename_profile
, noreplace
, &info
);
1003 if (!old_profile
&& !rename_profile
)
1006 error
= audit_policy(op
, GFP_ATOMIC
, name
, info
, error
);
1010 __replace_profile(rename_profile
, new_profile
);
1012 /* when there are both rename and old profiles
1013 * inherit old profiles sid
1016 aa_free_sid(new_profile
->sid
);
1017 __replace_profile(old_profile
, new_profile
);
1019 if (!(old_profile
|| rename_profile
))
1020 __add_new_profile(ns
, policy
, new_profile
);
1022 write_unlock(&ns
->lock
);
1025 aa_put_namespace(ns
);
1026 aa_put_profile(rename_profile
);
1027 aa_put_profile(old_profile
);
1028 aa_put_profile(new_profile
);
1034 error
= audit_policy(op
, GFP_KERNEL
, name
, info
, error
);
1039 * aa_remove_profiles - remove profile(s) from the system
1040 * @fqname: name of the profile or namespace to remove (NOT NULL)
1041 * @size: size of the name
1043 * Remove a profile or sub namespace from the current namespace, so that
1044 * they can not be found anymore and mark them as replaced by unconfined
1046 * NOTE: removing confinement does not restore rlimits to preconfinemnet values
1048 * Returns: size of data consume else error code if fails
1050 ssize_t
aa_remove_profiles(char *fqname
, size_t size
)
1052 struct aa_namespace
*root
, *ns
= NULL
;
1053 struct aa_profile
*profile
= NULL
;
1054 const char *name
= fqname
, *info
= NULL
;
1058 info
= "no profile specified";
1063 root
= aa_current_profile()->ns
;
1065 if (fqname
[0] == ':') {
1067 name
= aa_split_fqname(fqname
, &ns_name
);
1069 /* released below */
1070 ns
= aa_find_namespace(root
, ns_name
);
1072 info
= "namespace does not exist";
1078 /* released below */
1079 ns
= aa_get_namespace(root
);
1082 /* remove namespace - can only happen if fqname[0] == ':' */
1083 write_lock(&ns
->parent
->lock
);
1084 __remove_namespace(ns
);
1085 write_unlock(&ns
->parent
->lock
);
1087 /* remove profile */
1088 write_lock(&ns
->lock
);
1089 profile
= aa_get_profile(__lookup_profile(&ns
->base
, name
));
1092 info
= "profile does not exist";
1095 name
= profile
->base
.hname
;
1096 __remove_profile(profile
);
1097 write_unlock(&ns
->lock
);
1100 /* don't fail removal if audit fails */
1101 (void) audit_policy(OP_PROF_RM
, GFP_KERNEL
, name
, info
, error
);
1102 aa_put_namespace(ns
);
1103 aa_put_profile(profile
);
1107 write_unlock(&ns
->lock
);
1108 aa_put_namespace(ns
);
1111 (void) audit_policy(OP_PROF_RM
, GFP_KERNEL
, name
, info
, error
);