Eric Lee / smarc-fsl-linux-kernel

Download as
Browse Code ยป

Commit c97204baf840bf850e14ef4f5f43251239ca43b6

Authored by John Johansen
1 parent a481f4d917

apparmor: rename apparmor file fns and data to indicate use 

prefixes are used for fns/data that are not static to apparmorfs.c
with the prefixes being
  aafs   - special magic apparmorfs for policy namespace data
  aa_sfs - for fns/data that go into securityfs
  aa_fs  - for fns/data that may be used in the either of aafs or
           securityfs

Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
Reviewed-by: Kees Cook <keescook@chromium.org>

Showing 9 changed files with 172 additions and 127 deletions Side-by-side Diff

security/apparmor/Makefile
Diff comments   View file @ c97204b
... ... @@ -20,7 +20,7 @@
20 20 sed $< >>$@ -r -n -e '/CAP_FS_MASK/d' \
21 21 -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\
22 22 echo "};" >> $@ ;\
23   - printf '%s' '\#define AA_FS_CAPS_MASK "' >> $@ ;\
  23 + printf '%s' '\#define AA_SFS_CAPS_MASK "' >> $@ ;\
24 24 sed $< -r -n -e '/CAP_FS_MASK/d' \
25 25 -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/\L\1/p' | \
26 26 tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
... ... @@ -46,7 +46,7 @@
46 46 # #define RLIMIT_FSIZE 1 /* Maximum filesize */
47 47 # #define RLIMIT_STACK 3 /* max stack size */
48 48 # to
49   -# #define AA_FS_RLIMIT_MASK "fsize stack"
  49 +# #define AA_SFS_RLIMIT_MASK "fsize stack"
50 50 quiet_cmd_make-rlim = GEN $@
51 51 cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
52 52 > $@ ;\
... ... @@ -56,7 +56,7 @@
56 56 echo "static const int rlim_map[RLIM_NLIMITS] = {" >> $@ ;\
57 57 sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
58 58 echo "};" >> $@ ; \
59   - printf '%s' '\#define AA_FS_RLIMIT_MASK "' >> $@ ;\
  59 + printf '%s' '\#define AA_SFS_RLIMIT_MASK "' >> $@ ;\
60 60 sed -r -n 's/^\# ?define[ \t]+RLIMIT_([A-Z0-9_]+).*/\L\1/p' $< | \
61 61 tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
62 62  
security/apparmor/apparmorfs.c
Diff comments   View file @ c97204b
... ... @@ -36,6 +36,35 @@
36 36 #include "include/resource.h"
37 37 #include "include/policy_unpack.h"
38 38  
  39 +/*
  40 + * The apparmor filesystem interface used for policy load and introspection
  41 + * The interface is split into two main components based on their function
  42 + * a securityfs component:
  43 + * used for static files that are always available, and which allows
  44 + * userspace to specificy the location of the security filesystem.
  45 + *
  46 + * fns and data are prefixed with
  47 + * aa_sfs_
  48 + *
  49 + * an apparmorfs component:
  50 + * used loaded policy content and introspection. It is not part of a
  51 + * regular mounted filesystem and is available only through the magic
  52 + * policy symlink in the root of the securityfs apparmor/ directory.
  53 + * Tasks queries will be magically redirected to the correct portion
  54 + * of the policy tree based on their confinement.
  55 + *
  56 + * fns and data are prefixed with
  57 + * aafs_
  58 + *
  59 + * The aa_fs_ prefix is used to indicate the fn is used by both the
  60 + * securityfs and apparmorfs filesystems.
  61 + */
  62 +
  63 +
  64 +/*
  65 + * support fns
  66 + */
  67 +
39 68 /**
40 69 * aa_mangle_name - mangle a profile name to std profile layout form
41 70 * @name: profile name to mangle (NOT NULL)
42 71  
43 72  
44 73  
45 74  
46 75  
... ... @@ -606,28 +635,28 @@
606 635 return count;
607 636 }
608 637  
609   -static const struct file_operations aa_fs_access = {
  638 +static const struct file_operations aa_sfs_access = {
610 639 .write = aa_write_access,
611 640 .read = simple_transaction_read,
612 641 .release = simple_transaction_release,
613 642 .llseek = generic_file_llseek,
614 643 };
615 644  
616   -static int aa_fs_seq_show(struct seq_file *seq, void *v)
  645 +static int aa_sfs_seq_show(struct seq_file *seq, void *v)
617 646 {
618   - struct aa_fs_entry *fs_file = seq->private;
  647 + struct aa_sfs_entry *fs_file = seq->private;
619 648  
620 649 if (!fs_file)
621 650 return 0;
622 651  
623 652 switch (fs_file->v_type) {
624   - case AA_FS_TYPE_BOOLEAN:
  653 + case AA_SFS_TYPE_BOOLEAN:
625 654 seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no");
626 655 break;
627   - case AA_FS_TYPE_STRING:
  656 + case AA_SFS_TYPE_STRING:
628 657 seq_printf(seq, "%s\n", fs_file->v.string);
629 658 break;
630   - case AA_FS_TYPE_U64:
  659 + case AA_SFS_TYPE_U64:
631 660 seq_printf(seq, "%#08lx\n", fs_file->v.u64);
632 661 break;
633 662 default:
634 663  
635 664  
636 665  
... ... @@ -638,14 +667,14 @@
638 667 return 0;
639 668 }
640 669  
641   -static int aa_fs_seq_open(struct inode *inode, struct file *file)
  670 +static int aa_sfs_seq_open(struct inode *inode, struct file *file)
642 671 {
643   - return single_open(file, aa_fs_seq_show, inode->i_private);
  672 + return single_open(file, aa_sfs_seq_show, inode->i_private);
644 673 }
645 674  
646   -const struct file_operations aa_fs_seq_file_ops = {
  675 +const struct file_operations aa_sfs_seq_file_ops = {
647 676 .owner = THIS_MODULE,
648   - .open = aa_fs_seq_open,
  677 + .open = aa_sfs_seq_open,
649 678 .read = seq_read,
650 679 .llseek = seq_lseek,
651 680 .release = single_release,
... ... @@ -996,7 +1025,12 @@
996 1025 }
997 1026  
998 1027 /** fns to setup dynamic per profile/namespace files **/
999   -void __aa_fs_profile_rmdir(struct aa_profile *profile)
  1028 +
  1029 +/**
  1030 + *
  1031 + * Requires: @profile->ns->lock held
  1032 + */
  1033 +void __aafs_profile_rmdir(struct aa_profile *profile)
1000 1034 {
1001 1035 struct aa_profile *child;
1002 1036 int i;
... ... @@ -1005,7 +1039,7 @@
1005 1039 return;
1006 1040  
1007 1041 list_for_each_entry(child, &profile->base.profiles, base.list)
1008   - __aa_fs_profile_rmdir(child);
  1042 + __aafs_profile_rmdir(child);
1009 1043  
1010 1044 for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) {
1011 1045 struct aa_proxy *proxy;
... ... @@ -1019,8 +1053,12 @@
1019 1053 }
1020 1054 }
1021 1055  
1022   -void __aa_fs_profile_migrate_dents(struct aa_profile *old,
1023   - struct aa_profile *new)
  1056 +/**
  1057 + *
  1058 + * Requires: @old->ns->lock held
  1059 + */
  1060 +void __aafs_profile_migrate_dents(struct aa_profile *old,
  1061 + struct aa_profile *new)
1024 1062 {
1025 1063 int i;
1026 1064  
... ... @@ -1081,7 +1119,7 @@
1081 1119 /*
1082 1120 * Requires: @profile->ns->lock held
1083 1121 */
1084   -int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent)
  1122 +int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent)
1085 1123 {
1086 1124 struct aa_profile *child;
1087 1125 struct dentry *dent = NULL, *dir;
... ... @@ -1177,7 +1215,7 @@
1177 1215 }
1178 1216  
1179 1217 list_for_each_entry(child, &profile->base.profiles, base.list) {
1180   - error = __aa_fs_profile_mkdir(child, prof_child_dir(profile));
  1218 + error = __aafs_profile_mkdir(child, prof_child_dir(profile));
1181 1219 if (error)
1182 1220 goto fail2;
1183 1221 }
... ... @@ -1188,7 +1226,7 @@
1188 1226 error = PTR_ERR(dent);
1189 1227  
1190 1228 fail2:
1191   - __aa_fs_profile_rmdir(profile);
  1229 + __aafs_profile_rmdir(profile);
1192 1230  
1193 1231 return error;
1194 1232 }
... ... @@ -1203,7 +1241,11 @@
1203 1241 __aa_fs_remove_rawdata(ent);
1204 1242 }
1205 1243  
1206   -void __aa_fs_ns_rmdir(struct aa_ns *ns)
  1244 +/**
  1245 + *
  1246 + * Requires: @ns->lock held
  1247 + */
  1248 +void __aafs_ns_rmdir(struct aa_ns *ns)
1207 1249 {
1208 1250 struct aa_ns *sub;
1209 1251 struct aa_profile *child;
1210 1252  
... ... @@ -1213,11 +1255,11 @@
1213 1255 return;
1214 1256  
1215 1257 list_for_each_entry(child, &ns->base.profiles, base.list)
1216   - __aa_fs_profile_rmdir(child);
  1258 + __aafs_profile_rmdir(child);
1217 1259  
1218 1260 list_for_each_entry(sub, &ns->sub_ns, base.list) {
1219 1261 mutex_lock(&sub->lock);
1220   - __aa_fs_ns_rmdir(sub);
  1262 + __aafs_ns_rmdir(sub);
1221 1263 mutex_unlock(&sub->lock);
1222 1264 }
1223 1265  
... ... @@ -1247,7 +1289,7 @@
1247 1289 }
1248 1290  
1249 1291 /* assumes cleanup in caller */
1250   -static int __aa_fs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir)
  1292 +static int __aafs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir)
1251 1293 {
1252 1294 struct dentry *dent;
1253 1295  
... ... @@ -1294,7 +1336,10 @@
1294 1336 return 0;
1295 1337 }
1296 1338  
1297   -int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name)
  1339 +/*
  1340 + * Requires: @ns->lock held
  1341 + */
  1342 +int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name)
1298 1343 {
1299 1344 struct aa_ns *sub;
1300 1345 struct aa_profile *child;
1301 1346  
... ... @@ -1314,13 +1359,13 @@
1314 1359 goto fail;
1315 1360  
1316 1361 ns_dir(ns) = dir = dent;
1317   - error = __aa_fs_ns_mkdir_entries(ns, dir);
  1362 + error = __aafs_ns_mkdir_entries(ns, dir);
1318 1363 if (error)
1319 1364 goto fail2;
1320 1365  
1321 1366 /* profiles */
1322 1367 list_for_each_entry(child, &ns->base.profiles, base.list) {
1323   - error = __aa_fs_profile_mkdir(child, ns_subprofs_dir(ns));
  1368 + error = __aafs_profile_mkdir(child, ns_subprofs_dir(ns));
1324 1369 if (error)
1325 1370 goto fail2;
1326 1371 }
... ... @@ -1328,7 +1373,7 @@
1328 1373 /* subnamespaces */
1329 1374 list_for_each_entry(sub, &ns->sub_ns, base.list) {
1330 1375 mutex_lock(&sub->lock);
1331   - error = __aa_fs_ns_mkdir(sub, ns_subns_dir(ns), NULL);
  1376 + error = __aafs_ns_mkdir(sub, ns_subns_dir(ns), NULL);
1332 1377 mutex_unlock(&sub->lock);
1333 1378 if (error)
1334 1379 goto fail2;
... ... @@ -1340,7 +1385,7 @@
1340 1385 error = PTR_ERR(dent);
1341 1386  
1342 1387 fail2:
1343   - __aa_fs_ns_rmdir(ns);
  1388 + __aafs_ns_rmdir(ns);
1344 1389  
1345 1390 return error;
1346 1391 }
... ... @@ -1550,7 +1595,7 @@
1550 1595 return 0;
1551 1596 }
1552 1597  
1553   -static const struct seq_operations aa_fs_profiles_op = {
  1598 +static const struct seq_operations aa_sfs_profiles_op = {
1554 1599 .start = p_start,
1555 1600 .next = p_next,
1556 1601 .stop = p_stop,
... ... @@ -1562,7 +1607,7 @@
1562 1607 if (!policy_view_capable(NULL))
1563 1608 return -EACCES;
1564 1609  
1565   - return seq_open(file, &aa_fs_profiles_op);
  1610 + return seq_open(file, &aa_sfs_profiles_op);
1566 1611 }
1567 1612  
1568 1613 static int profiles_release(struct inode *inode, struct file *file)
... ... @@ -1570,7 +1615,7 @@
1570 1615 return seq_release(inode, file);
1571 1616 }
1572 1617  
1573   -static const struct file_operations aa_fs_profiles_fops = {
  1618 +static const struct file_operations aa_sfs_profiles_fops = {
1574 1619 .open = profiles_open,
1575 1620 .read = seq_read,
1576 1621 .llseek = seq_lseek,
1577 1622  
1578 1623  
1579 1624  
1580 1625  
1581 1626  
1582 1627  
1583 1628  
1584 1629  
... ... @@ -1579,63 +1624,63 @@
1579 1624  
1580 1625  
1581 1626 /** Base file system setup **/
1582   -static struct aa_fs_entry aa_fs_entry_file[] = {
1583   - AA_FS_FILE_STRING("mask", "create read write exec append mmap_exec " \
1584   - "link lock"),
  1627 +static struct aa_sfs_entry aa_sfs_entry_file[] = {
  1628 + AA_SFS_FILE_STRING("mask",
  1629 + "create read write exec append mmap_exec link lock"),
1585 1630 { }
1586 1631 };
1587 1632  
1588   -static struct aa_fs_entry aa_fs_entry_domain[] = {
1589   - AA_FS_FILE_BOOLEAN("change_hat", 1),
1590   - AA_FS_FILE_BOOLEAN("change_hatv", 1),
1591   - AA_FS_FILE_BOOLEAN("change_onexec", 1),
1592   - AA_FS_FILE_BOOLEAN("change_profile", 1),
1593   - AA_FS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1),
1594   - AA_FS_FILE_STRING("version", "1.2"),
  1633 +static struct aa_sfs_entry aa_sfs_entry_domain[] = {
  1634 + AA_SFS_FILE_BOOLEAN("change_hat", 1),
  1635 + AA_SFS_FILE_BOOLEAN("change_hatv", 1),
  1636 + AA_SFS_FILE_BOOLEAN("change_onexec", 1),
  1637 + AA_SFS_FILE_BOOLEAN("change_profile", 1),
  1638 + AA_SFS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1),
  1639 + AA_SFS_FILE_STRING("version", "1.2"),
1595 1640 { }
1596 1641 };
1597 1642  
1598   -static struct aa_fs_entry aa_fs_entry_versions[] = {
1599   - AA_FS_FILE_BOOLEAN("v5", 1),
  1643 +static struct aa_sfs_entry aa_sfs_entry_versions[] = {
  1644 + AA_SFS_FILE_BOOLEAN("v5", 1),
1600 1645 { }
1601 1646 };
1602 1647  
1603   -static struct aa_fs_entry aa_fs_entry_policy[] = {
1604   - AA_FS_DIR("versions", aa_fs_entry_versions),
1605   - AA_FS_FILE_BOOLEAN("set_load", 1),
  1648 +static struct aa_sfs_entry aa_sfs_entry_policy[] = {
  1649 + AA_SFS_DIR("versions", aa_sfs_entry_versions),
  1650 + AA_SFS_FILE_BOOLEAN("set_load", 1),
1606 1651 { }
1607 1652 };
1608 1653  
1609   -static struct aa_fs_entry aa_fs_entry_features[] = {
1610   - AA_FS_DIR("policy", aa_fs_entry_policy),
1611   - AA_FS_DIR("domain", aa_fs_entry_domain),
1612   - AA_FS_DIR("file", aa_fs_entry_file),
1613   - AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
1614   - AA_FS_DIR("rlimit", aa_fs_entry_rlimit),
1615   - AA_FS_DIR("caps", aa_fs_entry_caps),
  1654 +static struct aa_sfs_entry aa_sfs_entry_features[] = {
  1655 + AA_SFS_DIR("policy", aa_sfs_entry_policy),
  1656 + AA_SFS_DIR("domain", aa_sfs_entry_domain),
  1657 + AA_SFS_DIR("file", aa_sfs_entry_file),
  1658 + AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
  1659 + AA_SFS_DIR("rlimit", aa_sfs_entry_rlimit),
  1660 + AA_SFS_DIR("caps", aa_sfs_entry_caps),
1616 1661 { }
1617 1662 };
1618 1663  
1619   -static struct aa_fs_entry aa_fs_entry_apparmor[] = {
1620   - AA_FS_FILE_FOPS(".access", 0640, &aa_fs_access),
1621   - AA_FS_FILE_FOPS(".ns_level", 0666, &seq_ns_level_fops),
1622   - AA_FS_FILE_FOPS(".ns_name", 0640, &seq_ns_name_fops),
1623   - AA_FS_FILE_FOPS("profiles", 0440, &aa_fs_profiles_fops),
1624   - AA_FS_DIR("features", aa_fs_entry_features),
  1664 +static struct aa_sfs_entry aa_sfs_entry_apparmor[] = {
  1665 + AA_SFS_FILE_FOPS(".access", 0640, &aa_sfs_access),
  1666 + AA_SFS_FILE_FOPS(".ns_level", 0666, &seq_ns_level_fops),
  1667 + AA_SFS_FILE_FOPS(".ns_name", 0640, &seq_ns_name_fops),
  1668 + AA_SFS_FILE_FOPS("profiles", 0440, &aa_sfs_profiles_fops),
  1669 + AA_SFS_DIR("features", aa_sfs_entry_features),
1625 1670 { }
1626 1671 };
1627 1672  
1628   -static struct aa_fs_entry aa_fs_entry =
1629   - AA_FS_DIR("apparmor", aa_fs_entry_apparmor);
  1673 +static struct aa_sfs_entry aa_sfs_entry =
  1674 + AA_SFS_DIR("apparmor", aa_sfs_entry_apparmor);
1630 1675  
1631 1676 /**
1632 1677 * entry_create_file - create a file entry in the apparmor securityfs
1633   - * @fs_file: aa_fs_entry to build an entry for (NOT NULL)
  1678 + * @fs_file: aa_sfs_entry to build an entry for (NOT NULL)
1634 1679 * @parent: the parent dentry in the securityfs
1635 1680 *
1636 1681 * Use entry_remove_file to remove entries created with this fn.
1637 1682 */
1638   -static int __init entry_create_file(struct aa_fs_entry *fs_file,
  1683 +static int __init entry_create_file(struct aa_sfs_entry *fs_file,
1639 1684 struct dentry *parent)
1640 1685 {
1641 1686 int error = 0;
1642 1687  
1643 1688  
1644 1689  
... ... @@ -1651,18 +1696,18 @@
1651 1696 return error;
1652 1697 }
1653 1698  
1654   -static void __init entry_remove_dir(struct aa_fs_entry *fs_dir);
  1699 +static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir);
1655 1700 /**
1656 1701 * entry_create_dir - recursively create a directory entry in the securityfs
1657   - * @fs_dir: aa_fs_entry (and all child entries) to build (NOT NULL)
  1702 + * @fs_dir: aa_sfs_entry (and all child entries) to build (NOT NULL)
1658 1703 * @parent: the parent dentry in the securityfs
1659 1704 *
1660 1705 * Use entry_remove_dir to remove entries created with this fn.
1661 1706 */
1662   -static int __init entry_create_dir(struct aa_fs_entry *fs_dir,
1663   - struct dentry *parent)
  1707 +static int __init entry_create_dir(struct aa_sfs_entry *fs_dir,
  1708 + struct dentry *parent)
1664 1709 {
1665   - struct aa_fs_entry *fs_file;
  1710 + struct aa_sfs_entry *fs_file;
1666 1711 struct dentry *dir;
1667 1712 int error;
1668 1713  
... ... @@ -1672,7 +1717,7 @@
1672 1717 fs_dir->dentry = dir;
1673 1718  
1674 1719 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) {
1675   - if (fs_file->v_type == AA_FS_TYPE_DIR)
  1720 + if (fs_file->v_type == AA_SFS_TYPE_DIR)
1676 1721 error = entry_create_dir(fs_file, fs_dir->dentry);
1677 1722 else
1678 1723 error = entry_create_file(fs_file, fs_dir->dentry);
1679 1724  
... ... @@ -1689,10 +1734,10 @@
1689 1734 }
1690 1735  
1691 1736 /**
1692   - * aafs_remove_file - drop a single file entry in the apparmor securityfs
1693   - * @fs_file: aa_fs_entry to detach from the securityfs (NOT NULL)
  1737 + * entry_remove_file - drop a single file entry in the apparmor securityfs
  1738 + * @fs_file: aa_sfs_entry to detach from the securityfs (NOT NULL)
1694 1739 */
1695   -static void __init aafs_remove_file(struct aa_fs_entry *fs_file)
  1740 +static void __init entry_remove_file(struct aa_sfs_entry *fs_file)
1696 1741 {
1697 1742 if (!fs_file->dentry)
1698 1743 return;
1699 1744  
1700 1745  
1701 1746  
1702 1747  
1703 1748  
... ... @@ -1703,20 +1748,20 @@
1703 1748  
1704 1749 /**
1705 1750 * entry_remove_dir - recursively drop a directory entry from the securityfs
1706   - * @fs_dir: aa_fs_entry (and all child entries) to detach (NOT NULL)
  1751 + * @fs_dir: aa_sfs_entry (and all child entries) to detach (NOT NULL)
1707 1752 */
1708   -static void __init entry_remove_dir(struct aa_fs_entry *fs_dir)
  1753 +static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir)
1709 1754 {
1710   - struct aa_fs_entry *fs_file;
  1755 + struct aa_sfs_entry *fs_file;
1711 1756  
1712 1757 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) {
1713   - if (fs_file->v_type == AA_FS_TYPE_DIR)
  1758 + if (fs_file->v_type == AA_SFS_TYPE_DIR)
1714 1759 entry_remove_dir(fs_file);
1715 1760 else
1716   - aafs_remove_file(fs_file);
  1761 + entry_remove_file(fs_file);
1717 1762 }
1718 1763  
1719   - aafs_remove_file(fs_dir);
  1764 + entry_remove_file(fs_dir);
1720 1765 }
1721 1766  
1722 1767 /**
... ... @@ -1726,7 +1771,7 @@
1726 1771 */
1727 1772 void __init aa_destroy_aafs(void)
1728 1773 {
1729   - entry_remove_dir(&aa_fs_entry);
  1774 + entry_remove_dir(&aa_sfs_entry);
1730 1775 }
1731 1776  
1732 1777  
... ... @@ -1843,7 +1888,7 @@
1843 1888 if (!apparmor_initialized)
1844 1889 return 0;
1845 1890  
1846   - if (aa_fs_entry.dentry) {
  1891 + if (aa_sfs_entry.dentry) {
1847 1892 AA_ERROR("%s: AppArmor securityfs already exists\n", __func__);
1848 1893 return -EEXIST;
1849 1894 }
1850 1895  
... ... @@ -1855,11 +1900,11 @@
1855 1900 aafs_mnt->mnt_sb->s_flags &= ~MS_NOUSER;
1856 1901  
1857 1902 /* Populate fs tree. */
1858   - error = entry_create_dir(&aa_fs_entry, NULL);
  1903 + error = entry_create_dir(&aa_sfs_entry, NULL);
1859 1904 if (error)
1860 1905 goto error;
1861 1906  
1862   - dent = securityfs_create_file(".load", 0666, aa_fs_entry.dentry,
  1907 + dent = securityfs_create_file(".load", 0666, aa_sfs_entry.dentry,
1863 1908 NULL, &aa_fs_profile_load);
1864 1909 if (IS_ERR(dent)) {
1865 1910 error = PTR_ERR(dent);
... ... @@ -1867,7 +1912,7 @@
1867 1912 }
1868 1913 ns_subload(root_ns) = dent;
1869 1914  
1870   - dent = securityfs_create_file(".replace", 0666, aa_fs_entry.dentry,
  1915 + dent = securityfs_create_file(".replace", 0666, aa_sfs_entry.dentry,
1871 1916 NULL, &aa_fs_profile_replace);
1872 1917 if (IS_ERR(dent)) {
1873 1918 error = PTR_ERR(dent);
... ... @@ -1875,7 +1920,7 @@
1875 1920 }
1876 1921 ns_subreplace(root_ns) = dent;
1877 1922  
1878   - dent = securityfs_create_file(".remove", 0666, aa_fs_entry.dentry,
  1923 + dent = securityfs_create_file(".remove", 0666, aa_sfs_entry.dentry,
1879 1924 NULL, &aa_fs_profile_remove);
1880 1925 if (IS_ERR(dent)) {
1881 1926 error = PTR_ERR(dent);
1882 1927  
... ... @@ -1884,13 +1929,13 @@
1884 1929 ns_subremove(root_ns) = dent;
1885 1930  
1886 1931 mutex_lock(&root_ns->lock);
1887   - error = __aa_fs_ns_mkdir(root_ns, aa_fs_entry.dentry, "policy");
  1932 + error = __aafs_ns_mkdir(root_ns, aa_sfs_entry.dentry, "policy");
1888 1933 mutex_unlock(&root_ns->lock);
1889 1934  
1890 1935 if (error)
1891 1936 goto error;
1892 1937  
1893   - error = aa_mk_null_file(aa_fs_entry.dentry);
  1938 + error = aa_mk_null_file(aa_sfs_entry.dentry);
1894 1939 if (error)
1895 1940 goto error;
1896 1941  
security/apparmor/capability.c
Diff comments   View file @ c97204b
... ... @@ -28,8 +28,8 @@
28 28 */
29 29 #include "capability_names.h"
30 30  
31   -struct aa_fs_entry aa_fs_entry_caps[] = {
32   - AA_FS_FILE_STRING("mask", AA_FS_CAPS_MASK),
  31 +struct aa_sfs_entry aa_sfs_entry_caps[] = {
  32 + AA_SFS_FILE_STRING("mask", AA_SFS_CAPS_MASK),
33 33 { }
34 34 };
35 35  
security/apparmor/include/apparmorfs.h
Diff comments   View file @ c97204b
... ... @@ -17,49 +17,49 @@
17 17  
18 18 extern struct path aa_null;
19 19  
20   -enum aa_fs_type {
21   - AA_FS_TYPE_BOOLEAN,
22   - AA_FS_TYPE_STRING,
23   - AA_FS_TYPE_U64,
24   - AA_FS_TYPE_FOPS,
25   - AA_FS_TYPE_DIR,
  20 +enum aa_sfs_type {
  21 + AA_SFS_TYPE_BOOLEAN,
  22 + AA_SFS_TYPE_STRING,
  23 + AA_SFS_TYPE_U64,
  24 + AA_SFS_TYPE_FOPS,
  25 + AA_SFS_TYPE_DIR,
26 26 };
27 27  
28   -struct aa_fs_entry;
  28 +struct aa_sfs_entry;
29 29  
30   -struct aa_fs_entry {
  30 +struct aa_sfs_entry {
31 31 const char *name;
32 32 struct dentry *dentry;
33 33 umode_t mode;
34   - enum aa_fs_type v_type;
  34 + enum aa_sfs_type v_type;
35 35 union {
36 36 bool boolean;
37 37 char *string;
38 38 unsigned long u64;
39   - struct aa_fs_entry *files;
  39 + struct aa_sfs_entry *files;
40 40 } v;
41 41 const struct file_operations *file_ops;
42 42 };
43 43  
44   -extern const struct file_operations aa_fs_seq_file_ops;
  44 +extern const struct file_operations aa_sfs_seq_file_ops;
45 45  
46   -#define AA_FS_FILE_BOOLEAN(_name, _value) \
  46 +#define AA_SFS_FILE_BOOLEAN(_name, _value) \
47 47 { .name = (_name), .mode = 0444, \
48   - .v_type = AA_FS_TYPE_BOOLEAN, .v.boolean = (_value), \
49   - .file_ops = &aa_fs_seq_file_ops }
50   -#define AA_FS_FILE_STRING(_name, _value) \
  48 + .v_type = AA_SFS_TYPE_BOOLEAN, .v.boolean = (_value), \
  49 + .file_ops = &aa_sfs_seq_file_ops }
  50 +#define AA_SFS_FILE_STRING(_name, _value) \
51 51 { .name = (_name), .mode = 0444, \
52   - .v_type = AA_FS_TYPE_STRING, .v.string = (_value), \
53   - .file_ops = &aa_fs_seq_file_ops }
54   -#define AA_FS_FILE_U64(_name, _value) \
  52 + .v_type = AA_SFS_TYPE_STRING, .v.string = (_value), \
  53 + .file_ops = &aa_sfs_seq_file_ops }
  54 +#define AA_SFS_FILE_U64(_name, _value) \
55 55 { .name = (_name), .mode = 0444, \
56   - .v_type = AA_FS_TYPE_U64, .v.u64 = (_value), \
57   - .file_ops = &aa_fs_seq_file_ops }
58   -#define AA_FS_FILE_FOPS(_name, _mode, _fops) \
59   - { .name = (_name), .v_type = AA_FS_TYPE_FOPS, \
  56 + .v_type = AA_SFS_TYPE_U64, .v.u64 = (_value), \
  57 + .file_ops = &aa_sfs_seq_file_ops }
  58 +#define AA_SFS_FILE_FOPS(_name, _mode, _fops) \
  59 + { .name = (_name), .v_type = AA_SFS_TYPE_FOPS, \
60 60 .mode = (_mode), .file_ops = (_fops) }
61   -#define AA_FS_DIR(_name, _value) \
62   - { .name = (_name), .v_type = AA_FS_TYPE_DIR, .v.files = (_value) }
  61 +#define AA_SFS_DIR(_name, _value) \
  62 + { .name = (_name), .v_type = AA_SFS_TYPE_DIR, .v.files = (_value) }
63 63  
64 64 extern void __init aa_destroy_aafs(void);
65 65  
66 66  
... ... @@ -107,12 +107,12 @@
107 107 #define prof_child_dir(X) ((X)->dents[AAFS_PROF_PROFS])
108 108  
109 109 void __aa_bump_ns_revision(struct aa_ns *ns);
110   -void __aa_fs_profile_rmdir(struct aa_profile *profile);
111   -void __aa_fs_profile_migrate_dents(struct aa_profile *old,
  110 +void __aafs_profile_rmdir(struct aa_profile *profile);
  111 +void __aafs_profile_migrate_dents(struct aa_profile *old,
112 112 struct aa_profile *new);
113   -int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent);
114   -void __aa_fs_ns_rmdir(struct aa_ns *ns);
115   -int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent,
  113 +int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent);
  114 +void __aafs_ns_rmdir(struct aa_ns *ns);
  115 +int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent,
116 116 const char *name);
117 117  
118 118 struct aa_loaddata;
security/apparmor/include/capability.h
Diff comments   View file @ c97204b
... ... @@ -36,7 +36,7 @@
36 36 kernel_cap_t extended;
37 37 };
38 38  
39   -extern struct aa_fs_entry aa_fs_entry_caps[];
  39 +extern struct aa_sfs_entry aa_sfs_entry_caps[];
40 40  
41 41 int aa_capable(struct aa_profile *profile, int cap, int audit);
42 42  
security/apparmor/include/resource.h
Diff comments   View file @ c97204b
... ... @@ -34,7 +34,7 @@
34 34 struct rlimit limits[RLIM_NLIMITS];
35 35 };
36 36  
37   -extern struct aa_fs_entry aa_fs_entry_rlimit[];
  37 +extern struct aa_sfs_entry aa_sfs_entry_rlimit[];
38 38  
39 39 int aa_map_resource(int resource);
40 40 int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *,
security/apparmor/policy.c
Diff comments   View file @ c97204b
... ... @@ -160,7 +160,7 @@
160 160 __aa_profile_list_release(&profile->base.profiles);
161 161 /* released by free_profile */
162 162 __aa_update_proxy(profile, profile->ns->unconfined);
163   - __aa_fs_profile_rmdir(profile);
  163 + __aafs_profile_rmdir(profile);
164 164 __list_remove_profile(profile);
165 165 }
166 166  
... ... @@ -784,7 +784,7 @@
784 784 /* aafs interface uses proxy */
785 785 rcu_assign_pointer(new->proxy->profile,
786 786 aa_get_profile(new));
787   - __aa_fs_profile_migrate_dents(old, new);
  787 + __aafs_profile_migrate_dents(old, new);
788 788  
789 789 if (list_empty(&new->base.list)) {
790 790 /* new is not on a list already */
... ... @@ -971,7 +971,7 @@
971 971 parent = prof_child_dir(p);
972 972 } else
973 973 parent = ns_subprofs_dir(ent->new->ns);
974   - error = __aa_fs_profile_mkdir(ent->new, parent);
  974 + error = __aafs_profile_mkdir(ent->new, parent);
975 975 }
976 976  
977 977 if (error) {
security/apparmor/policy_ns.c
Diff comments   View file @ c97204b
... ... @@ -196,7 +196,7 @@
196 196 if (!ns)
197 197 return NULL;
198 198 mutex_lock(&ns->lock);
199   - error = __aa_fs_ns_mkdir(ns, ns_subns_dir(parent), name);
  199 + error = __aafs_ns_mkdir(ns, ns_subns_dir(parent), name);
200 200 if (error) {
201 201 AA_ERROR("Failed to create interface for ns %s\n",
202 202 ns->base.name);
... ... @@ -284,7 +284,7 @@
284 284  
285 285 if (ns->parent)
286 286 __aa_update_proxy(ns->unconfined, ns->parent->unconfined);
287   - __aa_fs_ns_rmdir(ns);
  287 + __aafs_ns_rmdir(ns);
288 288 mutex_unlock(&ns->lock);
289 289 }
290 290  
security/apparmor/resource.c
Diff comments   View file @ c97204b
... ... @@ -24,8 +24,8 @@
24 24 */
25 25 #include "rlim_names.h"
26 26  
27   -struct aa_fs_entry aa_fs_entry_rlimit[] = {
28   - AA_FS_FILE_STRING("mask", AA_FS_RLIMIT_MASK),
  27 +struct aa_sfs_entry aa_sfs_entry_rlimit[] = {
  28 + AA_SFS_FILE_STRING("mask", AA_SFS_RLIMIT_MASK),
29 29 { }
30 30 };
31 31