mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-15 00:04:15 +08:00
79e178a57d
- increase left match history buffer size to provide inproved conflict
resolution in overlapping execution rules.
- switch buffer allocation to use a memory pool and GFP_KERNEL
where possible.
- add compression of policy blobs to reduce memory usage.
+ Cleanups
- fix spelling mistake "immutible" -> "immutable"
+ Bug fixes
- fix unsigned len comparison in update_for_len macro
- fix sparse warning for type-casting of current->real_cred
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE7cSDD705q2rFEEf7BS82cBjVw9gFAl3mvPUACgkQBS82cBjV
w9gM8hAArhbBiGHlYlsGCOws4+ObCSIAxPkKw9ZC+FjTOKE6uN+GDUM+s4TWjbkL
65NKGBqHfHIzRYHD6BNi5I3Yf0xKCXuMenZVptiDHYQ+65mCL6QlZOA5K2Mp67fY
uMKoOIMSAkDkLJHEsH8o1YURAlvY5DjK2XfSrc2GeaExnBZTisfhDwbYjv9OYI6U
JPDP361zzJMSpkcDf5WX5vVuvfjTnAXjfH3av61hiSNAzivd4P1Mp34ellOkz7Ya
Ch6K+32agVcE8LIbalRKhWVw7Fhfbys2+/nBZ0Tb5HPG0tRWbm+ueggOsp8/liWQ
Ik9NigK61lHjd5ttDrswD0UfslTxac2pPFhlYRYoSUSMITOjJke50Q12ZosK4wUY
pdsBiWVDo2W3/E9sretmFpWlzish8q3tNJU55aKD+FTo0yqMC3X7H/l9xGLuLUt/
vHwUcGZNSrAWqc8yMamzEvqj9e1DECMJZQIlE3YJgGLCkcO6LFY+5pSWSvMQIG7v
451oob3QalzqIDyh3OOxlA8pfUVyk9HL48Kw7+0ZJrbJK6pAjHZhE8gFVMPECB7b
n22XrABdPdjAFvlqCzkm4qZ5sjqdk8T9Iexc5bnrFvBW4teHnAX0xrk+gxVpnEYf
dV6ERcxmRjnZhT6FtOQkLOia3gIiAQVi6Rd9K6HHhPH83wNyjjI=
=lPsA
-----END PGP SIGNATURE-----
Merge tag 'apparmor-pr-2019-12-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
Pull apparmor updates from John Johansen:
"Features:
- increase left match history buffer size to provide improved
conflict resolution in overlapping execution rules.
- switch buffer allocation to use a memory pool and GFP_KERNEL where
possible.
- add compression of policy blobs to reduce memory usage.
Cleanups:
- fix spelling mistake "immutible" -> "immutable"
Bug fixes:
- fix unsigned len comparison in update_for_len macro
- fix sparse warning for type-casting of current->real_cred"
* tag 'apparmor-pr-2019-12-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
apparmor: make it so work buffers can be allocated from atomic context
apparmor: reduce rcu_read_lock scope for aa_file_perm mediation
apparmor: fix wrong buffer allocation in aa_new_mount
apparmor: fix unsigned len comparison with less than zero
apparmor: increase left match history buffer size
apparmor: Switch to GFP_KERNEL where possible
apparmor: Use a memory pool instead per-CPU caches
apparmor: Force type-casting of current->real_cred
apparmor: fix spelling mistake "immutible" -> "immutable"
apparmor: fix blob compression when ns is forced on a policy load
apparmor: fix missing ZLIB defines
apparmor: fix blob compression build failure on ppc
apparmor: Initial implementation of raw policy blob compression
128 lines
3.4 KiB
C
128 lines
3.4 KiB
C
/* SPDX-License-Identifier: GPL-2.0-only */
|
|
/*
|
|
* AppArmor security module
|
|
*
|
|
* This file contains AppArmor policy loading interface function definitions.
|
|
*
|
|
* Copyright (C) 1998-2008 Novell/SUSE
|
|
* Copyright 2009-2010 Canonical Ltd.
|
|
*/
|
|
|
|
#ifndef __POLICY_INTERFACE_H
|
|
#define __POLICY_INTERFACE_H
|
|
|
|
#include <linux/list.h>
|
|
#include <linux/kref.h>
|
|
#include <linux/dcache.h>
|
|
#include <linux/workqueue.h>
|
|
|
|
struct aa_load_ent {
|
|
struct list_head list;
|
|
struct aa_profile *new;
|
|
struct aa_profile *old;
|
|
struct aa_profile *rename;
|
|
const char *ns_name;
|
|
};
|
|
|
|
void aa_load_ent_free(struct aa_load_ent *ent);
|
|
struct aa_load_ent *aa_load_ent_alloc(void);
|
|
|
|
#define PACKED_FLAG_HAT 1
|
|
|
|
#define PACKED_MODE_ENFORCE 0
|
|
#define PACKED_MODE_COMPLAIN 1
|
|
#define PACKED_MODE_KILL 2
|
|
#define PACKED_MODE_UNCONFINED 3
|
|
|
|
struct aa_ns;
|
|
|
|
enum {
|
|
AAFS_LOADDATA_ABI = 0,
|
|
AAFS_LOADDATA_REVISION,
|
|
AAFS_LOADDATA_HASH,
|
|
AAFS_LOADDATA_DATA,
|
|
AAFS_LOADDATA_COMPRESSED_SIZE,
|
|
AAFS_LOADDATA_DIR, /* must be last actual entry */
|
|
AAFS_LOADDATA_NDENTS /* count of entries */
|
|
};
|
|
|
|
/*
|
|
* struct aa_loaddata - buffer of policy raw_data set
|
|
*
|
|
* there is no loaddata ref for being on ns list, nor a ref from
|
|
* d_inode(@dentry) when grab a ref from these, @ns->lock must be held
|
|
* && __aa_get_loaddata() needs to be used, and the return value
|
|
* checked, if NULL the loaddata is already being reaped and should be
|
|
* considered dead.
|
|
*/
|
|
struct aa_loaddata {
|
|
struct kref count;
|
|
struct list_head list;
|
|
struct work_struct work;
|
|
struct dentry *dents[AAFS_LOADDATA_NDENTS];
|
|
struct aa_ns *ns;
|
|
char *name;
|
|
size_t size; /* the original size of the payload */
|
|
size_t compressed_size; /* the compressed size of the payload */
|
|
long revision; /* the ns policy revision this caused */
|
|
int abi;
|
|
unsigned char *hash;
|
|
|
|
/* Pointer to payload. If @compressed_size > 0, then this is the
|
|
* compressed version of the payload, else it is the uncompressed
|
|
* version (with the size indicated by @size).
|
|
*/
|
|
char *data;
|
|
};
|
|
|
|
int aa_unpack(struct aa_loaddata *udata, struct list_head *lh, const char **ns);
|
|
|
|
/**
|
|
* __aa_get_loaddata - get a reference count to uncounted data reference
|
|
* @data: reference to get a count on
|
|
*
|
|
* Returns: pointer to reference OR NULL if race is lost and reference is
|
|
* being repeated.
|
|
* Requires: @data->ns->lock held, and the return code MUST be checked
|
|
*
|
|
* Use only from inode->i_private and @data->list found references
|
|
*/
|
|
static inline struct aa_loaddata *
|
|
__aa_get_loaddata(struct aa_loaddata *data)
|
|
{
|
|
if (data && kref_get_unless_zero(&(data->count)))
|
|
return data;
|
|
|
|
return NULL;
|
|
}
|
|
|
|
/**
|
|
* aa_get_loaddata - get a reference count from a counted data reference
|
|
* @data: reference to get a count on
|
|
*
|
|
* Returns: point to reference
|
|
* Requires: @data to have a valid reference count on it. It is a bug
|
|
* if the race to reap can be encountered when it is used.
|
|
*/
|
|
static inline struct aa_loaddata *
|
|
aa_get_loaddata(struct aa_loaddata *data)
|
|
{
|
|
struct aa_loaddata *tmp = __aa_get_loaddata(data);
|
|
|
|
AA_BUG(data && !tmp);
|
|
|
|
return tmp;
|
|
}
|
|
|
|
void __aa_loaddata_update(struct aa_loaddata *data, long revision);
|
|
bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r);
|
|
void aa_loaddata_kref(struct kref *kref);
|
|
struct aa_loaddata *aa_loaddata_alloc(size_t size);
|
|
static inline void aa_put_loaddata(struct aa_loaddata *data)
|
|
{
|
|
if (data)
|
|
kref_put(&data->count, aa_loaddata_kref);
|
|
}
|
|
|
|
#endif /* __POLICY_INTERFACE_H */
|