Commit c97204baf840bf850e14ef4f5f43251239ca43b6
1 parent
a481f4d917
apparmor: rename apparmor file fns and data to indicate use
prefixes are used for fns/data that are not static to apparmorfs.c with the prefixes being aafs - special magic apparmorfs for policy namespace data aa_sfs - for fns/data that go into securityfs aa_fs - for fns/data that may be used in the either of aafs or securityfs Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org>
Showing 9 changed files with 172 additions and 127 deletions Side-by-side Diff
security/apparmor/Makefile
... | ... | @@ -20,7 +20,7 @@ |
20 | 20 | sed $< >>$@ -r -n -e '/CAP_FS_MASK/d' \ |
21 | 21 | -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\ |
22 | 22 | echo "};" >> $@ ;\ |
23 | - printf '%s' '\#define AA_FS_CAPS_MASK "' >> $@ ;\ | |
23 | + printf '%s' '\#define AA_SFS_CAPS_MASK "' >> $@ ;\ | |
24 | 24 | sed $< -r -n -e '/CAP_FS_MASK/d' \ |
25 | 25 | -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/\L\1/p' | \ |
26 | 26 | tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@ |
... | ... | @@ -46,7 +46,7 @@ |
46 | 46 | # #define RLIMIT_FSIZE 1 /* Maximum filesize */ |
47 | 47 | # #define RLIMIT_STACK 3 /* max stack size */ |
48 | 48 | # to |
49 | -# #define AA_FS_RLIMIT_MASK "fsize stack" | |
49 | +# #define AA_SFS_RLIMIT_MASK "fsize stack" | |
50 | 50 | quiet_cmd_make-rlim = GEN $@ |
51 | 51 | cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \ |
52 | 52 | > $@ ;\ |
... | ... | @@ -56,7 +56,7 @@ |
56 | 56 | echo "static const int rlim_map[RLIM_NLIMITS] = {" >> $@ ;\ |
57 | 57 | sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\ |
58 | 58 | echo "};" >> $@ ; \ |
59 | - printf '%s' '\#define AA_FS_RLIMIT_MASK "' >> $@ ;\ | |
59 | + printf '%s' '\#define AA_SFS_RLIMIT_MASK "' >> $@ ;\ | |
60 | 60 | sed -r -n 's/^\# ?define[ \t]+RLIMIT_([A-Z0-9_]+).*/\L\1/p' $< | \ |
61 | 61 | tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@ |
62 | 62 |
security/apparmor/apparmorfs.c
... | ... | @@ -36,6 +36,35 @@ |
36 | 36 | #include "include/resource.h" |
37 | 37 | #include "include/policy_unpack.h" |
38 | 38 | |
39 | +/* | |
40 | + * The apparmor filesystem interface used for policy load and introspection | |
41 | + * The interface is split into two main components based on their function | |
42 | + * a securityfs component: | |
43 | + * used for static files that are always available, and which allows | |
44 | + * userspace to specificy the location of the security filesystem. | |
45 | + * | |
46 | + * fns and data are prefixed with | |
47 | + * aa_sfs_ | |
48 | + * | |
49 | + * an apparmorfs component: | |
50 | + * used loaded policy content and introspection. It is not part of a | |
51 | + * regular mounted filesystem and is available only through the magic | |
52 | + * policy symlink in the root of the securityfs apparmor/ directory. | |
53 | + * Tasks queries will be magically redirected to the correct portion | |
54 | + * of the policy tree based on their confinement. | |
55 | + * | |
56 | + * fns and data are prefixed with | |
57 | + * aafs_ | |
58 | + * | |
59 | + * The aa_fs_ prefix is used to indicate the fn is used by both the | |
60 | + * securityfs and apparmorfs filesystems. | |
61 | + */ | |
62 | + | |
63 | + | |
64 | +/* | |
65 | + * support fns | |
66 | + */ | |
67 | + | |
39 | 68 | /** |
40 | 69 | * aa_mangle_name - mangle a profile name to std profile layout form |
41 | 70 | * @name: profile name to mangle (NOT NULL) |
42 | 71 | |
43 | 72 | |
44 | 73 | |
45 | 74 | |
46 | 75 | |
... | ... | @@ -606,28 +635,28 @@ |
606 | 635 | return count; |
607 | 636 | } |
608 | 637 | |
609 | -static const struct file_operations aa_fs_access = { | |
638 | +static const struct file_operations aa_sfs_access = { | |
610 | 639 | .write = aa_write_access, |
611 | 640 | .read = simple_transaction_read, |
612 | 641 | .release = simple_transaction_release, |
613 | 642 | .llseek = generic_file_llseek, |
614 | 643 | }; |
615 | 644 | |
616 | -static int aa_fs_seq_show(struct seq_file *seq, void *v) | |
645 | +static int aa_sfs_seq_show(struct seq_file *seq, void *v) | |
617 | 646 | { |
618 | - struct aa_fs_entry *fs_file = seq->private; | |
647 | + struct aa_sfs_entry *fs_file = seq->private; | |
619 | 648 | |
620 | 649 | if (!fs_file) |
621 | 650 | return 0; |
622 | 651 | |
623 | 652 | switch (fs_file->v_type) { |
624 | - case AA_FS_TYPE_BOOLEAN: | |
653 | + case AA_SFS_TYPE_BOOLEAN: | |
625 | 654 | seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no"); |
626 | 655 | break; |
627 | - case AA_FS_TYPE_STRING: | |
656 | + case AA_SFS_TYPE_STRING: | |
628 | 657 | seq_printf(seq, "%s\n", fs_file->v.string); |
629 | 658 | break; |
630 | - case AA_FS_TYPE_U64: | |
659 | + case AA_SFS_TYPE_U64: | |
631 | 660 | seq_printf(seq, "%#08lx\n", fs_file->v.u64); |
632 | 661 | break; |
633 | 662 | default: |
634 | 663 | |
635 | 664 | |
636 | 665 | |
... | ... | @@ -638,14 +667,14 @@ |
638 | 667 | return 0; |
639 | 668 | } |
640 | 669 | |
641 | -static int aa_fs_seq_open(struct inode *inode, struct file *file) | |
670 | +static int aa_sfs_seq_open(struct inode *inode, struct file *file) | |
642 | 671 | { |
643 | - return single_open(file, aa_fs_seq_show, inode->i_private); | |
672 | + return single_open(file, aa_sfs_seq_show, inode->i_private); | |
644 | 673 | } |
645 | 674 | |
646 | -const struct file_operations aa_fs_seq_file_ops = { | |
675 | +const struct file_operations aa_sfs_seq_file_ops = { | |
647 | 676 | .owner = THIS_MODULE, |
648 | - .open = aa_fs_seq_open, | |
677 | + .open = aa_sfs_seq_open, | |
649 | 678 | .read = seq_read, |
650 | 679 | .llseek = seq_lseek, |
651 | 680 | .release = single_release, |
... | ... | @@ -996,7 +1025,12 @@ |
996 | 1025 | } |
997 | 1026 | |
998 | 1027 | /** fns to setup dynamic per profile/namespace files **/ |
999 | -void __aa_fs_profile_rmdir(struct aa_profile *profile) | |
1028 | + | |
1029 | +/** | |
1030 | + * | |
1031 | + * Requires: @profile->ns->lock held | |
1032 | + */ | |
1033 | +void __aafs_profile_rmdir(struct aa_profile *profile) | |
1000 | 1034 | { |
1001 | 1035 | struct aa_profile *child; |
1002 | 1036 | int i; |
... | ... | @@ -1005,7 +1039,7 @@ |
1005 | 1039 | return; |
1006 | 1040 | |
1007 | 1041 | list_for_each_entry(child, &profile->base.profiles, base.list) |
1008 | - __aa_fs_profile_rmdir(child); | |
1042 | + __aafs_profile_rmdir(child); | |
1009 | 1043 | |
1010 | 1044 | for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) { |
1011 | 1045 | struct aa_proxy *proxy; |
... | ... | @@ -1019,8 +1053,12 @@ |
1019 | 1053 | } |
1020 | 1054 | } |
1021 | 1055 | |
1022 | -void __aa_fs_profile_migrate_dents(struct aa_profile *old, | |
1023 | - struct aa_profile *new) | |
1056 | +/** | |
1057 | + * | |
1058 | + * Requires: @old->ns->lock held | |
1059 | + */ | |
1060 | +void __aafs_profile_migrate_dents(struct aa_profile *old, | |
1061 | + struct aa_profile *new) | |
1024 | 1062 | { |
1025 | 1063 | int i; |
1026 | 1064 | |
... | ... | @@ -1081,7 +1119,7 @@ |
1081 | 1119 | /* |
1082 | 1120 | * Requires: @profile->ns->lock held |
1083 | 1121 | */ |
1084 | -int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) | |
1122 | +int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) | |
1085 | 1123 | { |
1086 | 1124 | struct aa_profile *child; |
1087 | 1125 | struct dentry *dent = NULL, *dir; |
... | ... | @@ -1177,7 +1215,7 @@ |
1177 | 1215 | } |
1178 | 1216 | |
1179 | 1217 | list_for_each_entry(child, &profile->base.profiles, base.list) { |
1180 | - error = __aa_fs_profile_mkdir(child, prof_child_dir(profile)); | |
1218 | + error = __aafs_profile_mkdir(child, prof_child_dir(profile)); | |
1181 | 1219 | if (error) |
1182 | 1220 | goto fail2; |
1183 | 1221 | } |
... | ... | @@ -1188,7 +1226,7 @@ |
1188 | 1226 | error = PTR_ERR(dent); |
1189 | 1227 | |
1190 | 1228 | fail2: |
1191 | - __aa_fs_profile_rmdir(profile); | |
1229 | + __aafs_profile_rmdir(profile); | |
1192 | 1230 | |
1193 | 1231 | return error; |
1194 | 1232 | } |
... | ... | @@ -1203,7 +1241,11 @@ |
1203 | 1241 | __aa_fs_remove_rawdata(ent); |
1204 | 1242 | } |
1205 | 1243 | |
1206 | -void __aa_fs_ns_rmdir(struct aa_ns *ns) | |
1244 | +/** | |
1245 | + * | |
1246 | + * Requires: @ns->lock held | |
1247 | + */ | |
1248 | +void __aafs_ns_rmdir(struct aa_ns *ns) | |
1207 | 1249 | { |
1208 | 1250 | struct aa_ns *sub; |
1209 | 1251 | struct aa_profile *child; |
1210 | 1252 | |
... | ... | @@ -1213,11 +1255,11 @@ |
1213 | 1255 | return; |
1214 | 1256 | |
1215 | 1257 | list_for_each_entry(child, &ns->base.profiles, base.list) |
1216 | - __aa_fs_profile_rmdir(child); | |
1258 | + __aafs_profile_rmdir(child); | |
1217 | 1259 | |
1218 | 1260 | list_for_each_entry(sub, &ns->sub_ns, base.list) { |
1219 | 1261 | mutex_lock(&sub->lock); |
1220 | - __aa_fs_ns_rmdir(sub); | |
1262 | + __aafs_ns_rmdir(sub); | |
1221 | 1263 | mutex_unlock(&sub->lock); |
1222 | 1264 | } |
1223 | 1265 | |
... | ... | @@ -1247,7 +1289,7 @@ |
1247 | 1289 | } |
1248 | 1290 | |
1249 | 1291 | /* assumes cleanup in caller */ |
1250 | -static int __aa_fs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir) | |
1292 | +static int __aafs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir) | |
1251 | 1293 | { |
1252 | 1294 | struct dentry *dent; |
1253 | 1295 | |
... | ... | @@ -1294,7 +1336,10 @@ |
1294 | 1336 | return 0; |
1295 | 1337 | } |
1296 | 1338 | |
1297 | -int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name) | |
1339 | +/* | |
1340 | + * Requires: @ns->lock held | |
1341 | + */ | |
1342 | +int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name) | |
1298 | 1343 | { |
1299 | 1344 | struct aa_ns *sub; |
1300 | 1345 | struct aa_profile *child; |
1301 | 1346 | |
... | ... | @@ -1314,13 +1359,13 @@ |
1314 | 1359 | goto fail; |
1315 | 1360 | |
1316 | 1361 | ns_dir(ns) = dir = dent; |
1317 | - error = __aa_fs_ns_mkdir_entries(ns, dir); | |
1362 | + error = __aafs_ns_mkdir_entries(ns, dir); | |
1318 | 1363 | if (error) |
1319 | 1364 | goto fail2; |
1320 | 1365 | |
1321 | 1366 | /* profiles */ |
1322 | 1367 | list_for_each_entry(child, &ns->base.profiles, base.list) { |
1323 | - error = __aa_fs_profile_mkdir(child, ns_subprofs_dir(ns)); | |
1368 | + error = __aafs_profile_mkdir(child, ns_subprofs_dir(ns)); | |
1324 | 1369 | if (error) |
1325 | 1370 | goto fail2; |
1326 | 1371 | } |
... | ... | @@ -1328,7 +1373,7 @@ |
1328 | 1373 | /* subnamespaces */ |
1329 | 1374 | list_for_each_entry(sub, &ns->sub_ns, base.list) { |
1330 | 1375 | mutex_lock(&sub->lock); |
1331 | - error = __aa_fs_ns_mkdir(sub, ns_subns_dir(ns), NULL); | |
1376 | + error = __aafs_ns_mkdir(sub, ns_subns_dir(ns), NULL); | |
1332 | 1377 | mutex_unlock(&sub->lock); |
1333 | 1378 | if (error) |
1334 | 1379 | goto fail2; |
... | ... | @@ -1340,7 +1385,7 @@ |
1340 | 1385 | error = PTR_ERR(dent); |
1341 | 1386 | |
1342 | 1387 | fail2: |
1343 | - __aa_fs_ns_rmdir(ns); | |
1388 | + __aafs_ns_rmdir(ns); | |
1344 | 1389 | |
1345 | 1390 | return error; |
1346 | 1391 | } |
... | ... | @@ -1550,7 +1595,7 @@ |
1550 | 1595 | return 0; |
1551 | 1596 | } |
1552 | 1597 | |
1553 | -static const struct seq_operations aa_fs_profiles_op = { | |
1598 | +static const struct seq_operations aa_sfs_profiles_op = { | |
1554 | 1599 | .start = p_start, |
1555 | 1600 | .next = p_next, |
1556 | 1601 | .stop = p_stop, |
... | ... | @@ -1562,7 +1607,7 @@ |
1562 | 1607 | if (!policy_view_capable(NULL)) |
1563 | 1608 | return -EACCES; |
1564 | 1609 | |
1565 | - return seq_open(file, &aa_fs_profiles_op); | |
1610 | + return seq_open(file, &aa_sfs_profiles_op); | |
1566 | 1611 | } |
1567 | 1612 | |
1568 | 1613 | static int profiles_release(struct inode *inode, struct file *file) |
... | ... | @@ -1570,7 +1615,7 @@ |
1570 | 1615 | return seq_release(inode, file); |
1571 | 1616 | } |
1572 | 1617 | |
1573 | -static const struct file_operations aa_fs_profiles_fops = { | |
1618 | +static const struct file_operations aa_sfs_profiles_fops = { | |
1574 | 1619 | .open = profiles_open, |
1575 | 1620 | .read = seq_read, |
1576 | 1621 | .llseek = seq_lseek, |
1577 | 1622 | |
1578 | 1623 | |
1579 | 1624 | |
1580 | 1625 | |
1581 | 1626 | |
1582 | 1627 | |
1583 | 1628 | |
1584 | 1629 | |
... | ... | @@ -1579,63 +1624,63 @@ |
1579 | 1624 | |
1580 | 1625 | |
1581 | 1626 | /** Base file system setup **/ |
1582 | -static struct aa_fs_entry aa_fs_entry_file[] = { | |
1583 | - AA_FS_FILE_STRING("mask", "create read write exec append mmap_exec " \ | |
1584 | - "link lock"), | |
1627 | +static struct aa_sfs_entry aa_sfs_entry_file[] = { | |
1628 | + AA_SFS_FILE_STRING("mask", | |
1629 | + "create read write exec append mmap_exec link lock"), | |
1585 | 1630 | { } |
1586 | 1631 | }; |
1587 | 1632 | |
1588 | -static struct aa_fs_entry aa_fs_entry_domain[] = { | |
1589 | - AA_FS_FILE_BOOLEAN("change_hat", 1), | |
1590 | - AA_FS_FILE_BOOLEAN("change_hatv", 1), | |
1591 | - AA_FS_FILE_BOOLEAN("change_onexec", 1), | |
1592 | - AA_FS_FILE_BOOLEAN("change_profile", 1), | |
1593 | - AA_FS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1), | |
1594 | - AA_FS_FILE_STRING("version", "1.2"), | |
1633 | +static struct aa_sfs_entry aa_sfs_entry_domain[] = { | |
1634 | + AA_SFS_FILE_BOOLEAN("change_hat", 1), | |
1635 | + AA_SFS_FILE_BOOLEAN("change_hatv", 1), | |
1636 | + AA_SFS_FILE_BOOLEAN("change_onexec", 1), | |
1637 | + AA_SFS_FILE_BOOLEAN("change_profile", 1), | |
1638 | + AA_SFS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1), | |
1639 | + AA_SFS_FILE_STRING("version", "1.2"), | |
1595 | 1640 | { } |
1596 | 1641 | }; |
1597 | 1642 | |
1598 | -static struct aa_fs_entry aa_fs_entry_versions[] = { | |
1599 | - AA_FS_FILE_BOOLEAN("v5", 1), | |
1643 | +static struct aa_sfs_entry aa_sfs_entry_versions[] = { | |
1644 | + AA_SFS_FILE_BOOLEAN("v5", 1), | |
1600 | 1645 | { } |
1601 | 1646 | }; |
1602 | 1647 | |
1603 | -static struct aa_fs_entry aa_fs_entry_policy[] = { | |
1604 | - AA_FS_DIR("versions", aa_fs_entry_versions), | |
1605 | - AA_FS_FILE_BOOLEAN("set_load", 1), | |
1648 | +static struct aa_sfs_entry aa_sfs_entry_policy[] = { | |
1649 | + AA_SFS_DIR("versions", aa_sfs_entry_versions), | |
1650 | + AA_SFS_FILE_BOOLEAN("set_load", 1), | |
1606 | 1651 | { } |
1607 | 1652 | }; |
1608 | 1653 | |
1609 | -static struct aa_fs_entry aa_fs_entry_features[] = { | |
1610 | - AA_FS_DIR("policy", aa_fs_entry_policy), | |
1611 | - AA_FS_DIR("domain", aa_fs_entry_domain), | |
1612 | - AA_FS_DIR("file", aa_fs_entry_file), | |
1613 | - AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), | |
1614 | - AA_FS_DIR("rlimit", aa_fs_entry_rlimit), | |
1615 | - AA_FS_DIR("caps", aa_fs_entry_caps), | |
1654 | +static struct aa_sfs_entry aa_sfs_entry_features[] = { | |
1655 | + AA_SFS_DIR("policy", aa_sfs_entry_policy), | |
1656 | + AA_SFS_DIR("domain", aa_sfs_entry_domain), | |
1657 | + AA_SFS_DIR("file", aa_sfs_entry_file), | |
1658 | + AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), | |
1659 | + AA_SFS_DIR("rlimit", aa_sfs_entry_rlimit), | |
1660 | + AA_SFS_DIR("caps", aa_sfs_entry_caps), | |
1616 | 1661 | { } |
1617 | 1662 | }; |
1618 | 1663 | |
1619 | -static struct aa_fs_entry aa_fs_entry_apparmor[] = { | |
1620 | - AA_FS_FILE_FOPS(".access", 0640, &aa_fs_access), | |
1621 | - AA_FS_FILE_FOPS(".ns_level", 0666, &seq_ns_level_fops), | |
1622 | - AA_FS_FILE_FOPS(".ns_name", 0640, &seq_ns_name_fops), | |
1623 | - AA_FS_FILE_FOPS("profiles", 0440, &aa_fs_profiles_fops), | |
1624 | - AA_FS_DIR("features", aa_fs_entry_features), | |
1664 | +static struct aa_sfs_entry aa_sfs_entry_apparmor[] = { | |
1665 | + AA_SFS_FILE_FOPS(".access", 0640, &aa_sfs_access), | |
1666 | + AA_SFS_FILE_FOPS(".ns_level", 0666, &seq_ns_level_fops), | |
1667 | + AA_SFS_FILE_FOPS(".ns_name", 0640, &seq_ns_name_fops), | |
1668 | + AA_SFS_FILE_FOPS("profiles", 0440, &aa_sfs_profiles_fops), | |
1669 | + AA_SFS_DIR("features", aa_sfs_entry_features), | |
1625 | 1670 | { } |
1626 | 1671 | }; |
1627 | 1672 | |
1628 | -static struct aa_fs_entry aa_fs_entry = | |
1629 | - AA_FS_DIR("apparmor", aa_fs_entry_apparmor); | |
1673 | +static struct aa_sfs_entry aa_sfs_entry = | |
1674 | + AA_SFS_DIR("apparmor", aa_sfs_entry_apparmor); | |
1630 | 1675 | |
1631 | 1676 | /** |
1632 | 1677 | * entry_create_file - create a file entry in the apparmor securityfs |
1633 | - * @fs_file: aa_fs_entry to build an entry for (NOT NULL) | |
1678 | + * @fs_file: aa_sfs_entry to build an entry for (NOT NULL) | |
1634 | 1679 | * @parent: the parent dentry in the securityfs |
1635 | 1680 | * |
1636 | 1681 | * Use entry_remove_file to remove entries created with this fn. |
1637 | 1682 | */ |
1638 | -static int __init entry_create_file(struct aa_fs_entry *fs_file, | |
1683 | +static int __init entry_create_file(struct aa_sfs_entry *fs_file, | |
1639 | 1684 | struct dentry *parent) |
1640 | 1685 | { |
1641 | 1686 | int error = 0; |
1642 | 1687 | |
1643 | 1688 | |
1644 | 1689 | |
... | ... | @@ -1651,18 +1696,18 @@ |
1651 | 1696 | return error; |
1652 | 1697 | } |
1653 | 1698 | |
1654 | -static void __init entry_remove_dir(struct aa_fs_entry *fs_dir); | |
1699 | +static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir); | |
1655 | 1700 | /** |
1656 | 1701 | * entry_create_dir - recursively create a directory entry in the securityfs |
1657 | - * @fs_dir: aa_fs_entry (and all child entries) to build (NOT NULL) | |
1702 | + * @fs_dir: aa_sfs_entry (and all child entries) to build (NOT NULL) | |
1658 | 1703 | * @parent: the parent dentry in the securityfs |
1659 | 1704 | * |
1660 | 1705 | * Use entry_remove_dir to remove entries created with this fn. |
1661 | 1706 | */ |
1662 | -static int __init entry_create_dir(struct aa_fs_entry *fs_dir, | |
1663 | - struct dentry *parent) | |
1707 | +static int __init entry_create_dir(struct aa_sfs_entry *fs_dir, | |
1708 | + struct dentry *parent) | |
1664 | 1709 | { |
1665 | - struct aa_fs_entry *fs_file; | |
1710 | + struct aa_sfs_entry *fs_file; | |
1666 | 1711 | struct dentry *dir; |
1667 | 1712 | int error; |
1668 | 1713 | |
... | ... | @@ -1672,7 +1717,7 @@ |
1672 | 1717 | fs_dir->dentry = dir; |
1673 | 1718 | |
1674 | 1719 | for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { |
1675 | - if (fs_file->v_type == AA_FS_TYPE_DIR) | |
1720 | + if (fs_file->v_type == AA_SFS_TYPE_DIR) | |
1676 | 1721 | error = entry_create_dir(fs_file, fs_dir->dentry); |
1677 | 1722 | else |
1678 | 1723 | error = entry_create_file(fs_file, fs_dir->dentry); |
1679 | 1724 | |
... | ... | @@ -1689,10 +1734,10 @@ |
1689 | 1734 | } |
1690 | 1735 | |
1691 | 1736 | /** |
1692 | - * aafs_remove_file - drop a single file entry in the apparmor securityfs | |
1693 | - * @fs_file: aa_fs_entry to detach from the securityfs (NOT NULL) | |
1737 | + * entry_remove_file - drop a single file entry in the apparmor securityfs | |
1738 | + * @fs_file: aa_sfs_entry to detach from the securityfs (NOT NULL) | |
1694 | 1739 | */ |
1695 | -static void __init aafs_remove_file(struct aa_fs_entry *fs_file) | |
1740 | +static void __init entry_remove_file(struct aa_sfs_entry *fs_file) | |
1696 | 1741 | { |
1697 | 1742 | if (!fs_file->dentry) |
1698 | 1743 | return; |
1699 | 1744 | |
1700 | 1745 | |
1701 | 1746 | |
1702 | 1747 | |
1703 | 1748 | |
... | ... | @@ -1703,20 +1748,20 @@ |
1703 | 1748 | |
1704 | 1749 | /** |
1705 | 1750 | * entry_remove_dir - recursively drop a directory entry from the securityfs |
1706 | - * @fs_dir: aa_fs_entry (and all child entries) to detach (NOT NULL) | |
1751 | + * @fs_dir: aa_sfs_entry (and all child entries) to detach (NOT NULL) | |
1707 | 1752 | */ |
1708 | -static void __init entry_remove_dir(struct aa_fs_entry *fs_dir) | |
1753 | +static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir) | |
1709 | 1754 | { |
1710 | - struct aa_fs_entry *fs_file; | |
1755 | + struct aa_sfs_entry *fs_file; | |
1711 | 1756 | |
1712 | 1757 | for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { |
1713 | - if (fs_file->v_type == AA_FS_TYPE_DIR) | |
1758 | + if (fs_file->v_type == AA_SFS_TYPE_DIR) | |
1714 | 1759 | entry_remove_dir(fs_file); |
1715 | 1760 | else |
1716 | - aafs_remove_file(fs_file); | |
1761 | + entry_remove_file(fs_file); | |
1717 | 1762 | } |
1718 | 1763 | |
1719 | - aafs_remove_file(fs_dir); | |
1764 | + entry_remove_file(fs_dir); | |
1720 | 1765 | } |
1721 | 1766 | |
1722 | 1767 | /** |
... | ... | @@ -1726,7 +1771,7 @@ |
1726 | 1771 | */ |
1727 | 1772 | void __init aa_destroy_aafs(void) |
1728 | 1773 | { |
1729 | - entry_remove_dir(&aa_fs_entry); | |
1774 | + entry_remove_dir(&aa_sfs_entry); | |
1730 | 1775 | } |
1731 | 1776 | |
1732 | 1777 | |
... | ... | @@ -1843,7 +1888,7 @@ |
1843 | 1888 | if (!apparmor_initialized) |
1844 | 1889 | return 0; |
1845 | 1890 | |
1846 | - if (aa_fs_entry.dentry) { | |
1891 | + if (aa_sfs_entry.dentry) { | |
1847 | 1892 | AA_ERROR("%s: AppArmor securityfs already exists\n", __func__); |
1848 | 1893 | return -EEXIST; |
1849 | 1894 | } |
1850 | 1895 | |
... | ... | @@ -1855,11 +1900,11 @@ |
1855 | 1900 | aafs_mnt->mnt_sb->s_flags &= ~MS_NOUSER; |
1856 | 1901 | |
1857 | 1902 | /* Populate fs tree. */ |
1858 | - error = entry_create_dir(&aa_fs_entry, NULL); | |
1903 | + error = entry_create_dir(&aa_sfs_entry, NULL); | |
1859 | 1904 | if (error) |
1860 | 1905 | goto error; |
1861 | 1906 | |
1862 | - dent = securityfs_create_file(".load", 0666, aa_fs_entry.dentry, | |
1907 | + dent = securityfs_create_file(".load", 0666, aa_sfs_entry.dentry, | |
1863 | 1908 | NULL, &aa_fs_profile_load); |
1864 | 1909 | if (IS_ERR(dent)) { |
1865 | 1910 | error = PTR_ERR(dent); |
... | ... | @@ -1867,7 +1912,7 @@ |
1867 | 1912 | } |
1868 | 1913 | ns_subload(root_ns) = dent; |
1869 | 1914 | |
1870 | - dent = securityfs_create_file(".replace", 0666, aa_fs_entry.dentry, | |
1915 | + dent = securityfs_create_file(".replace", 0666, aa_sfs_entry.dentry, | |
1871 | 1916 | NULL, &aa_fs_profile_replace); |
1872 | 1917 | if (IS_ERR(dent)) { |
1873 | 1918 | error = PTR_ERR(dent); |
... | ... | @@ -1875,7 +1920,7 @@ |
1875 | 1920 | } |
1876 | 1921 | ns_subreplace(root_ns) = dent; |
1877 | 1922 | |
1878 | - dent = securityfs_create_file(".remove", 0666, aa_fs_entry.dentry, | |
1923 | + dent = securityfs_create_file(".remove", 0666, aa_sfs_entry.dentry, | |
1879 | 1924 | NULL, &aa_fs_profile_remove); |
1880 | 1925 | if (IS_ERR(dent)) { |
1881 | 1926 | error = PTR_ERR(dent); |
1882 | 1927 | |
... | ... | @@ -1884,13 +1929,13 @@ |
1884 | 1929 | ns_subremove(root_ns) = dent; |
1885 | 1930 | |
1886 | 1931 | mutex_lock(&root_ns->lock); |
1887 | - error = __aa_fs_ns_mkdir(root_ns, aa_fs_entry.dentry, "policy"); | |
1932 | + error = __aafs_ns_mkdir(root_ns, aa_sfs_entry.dentry, "policy"); | |
1888 | 1933 | mutex_unlock(&root_ns->lock); |
1889 | 1934 | |
1890 | 1935 | if (error) |
1891 | 1936 | goto error; |
1892 | 1937 | |
1893 | - error = aa_mk_null_file(aa_fs_entry.dentry); | |
1938 | + error = aa_mk_null_file(aa_sfs_entry.dentry); | |
1894 | 1939 | if (error) |
1895 | 1940 | goto error; |
1896 | 1941 |
security/apparmor/capability.c
security/apparmor/include/apparmorfs.h
... | ... | @@ -17,49 +17,49 @@ |
17 | 17 | |
18 | 18 | extern struct path aa_null; |
19 | 19 | |
20 | -enum aa_fs_type { | |
21 | - AA_FS_TYPE_BOOLEAN, | |
22 | - AA_FS_TYPE_STRING, | |
23 | - AA_FS_TYPE_U64, | |
24 | - AA_FS_TYPE_FOPS, | |
25 | - AA_FS_TYPE_DIR, | |
20 | +enum aa_sfs_type { | |
21 | + AA_SFS_TYPE_BOOLEAN, | |
22 | + AA_SFS_TYPE_STRING, | |
23 | + AA_SFS_TYPE_U64, | |
24 | + AA_SFS_TYPE_FOPS, | |
25 | + AA_SFS_TYPE_DIR, | |
26 | 26 | }; |
27 | 27 | |
28 | -struct aa_fs_entry; | |
28 | +struct aa_sfs_entry; | |
29 | 29 | |
30 | -struct aa_fs_entry { | |
30 | +struct aa_sfs_entry { | |
31 | 31 | const char *name; |
32 | 32 | struct dentry *dentry; |
33 | 33 | umode_t mode; |
34 | - enum aa_fs_type v_type; | |
34 | + enum aa_sfs_type v_type; | |
35 | 35 | union { |
36 | 36 | bool boolean; |
37 | 37 | char *string; |
38 | 38 | unsigned long u64; |
39 | - struct aa_fs_entry *files; | |
39 | + struct aa_sfs_entry *files; | |
40 | 40 | } v; |
41 | 41 | const struct file_operations *file_ops; |
42 | 42 | }; |
43 | 43 | |
44 | -extern const struct file_operations aa_fs_seq_file_ops; | |
44 | +extern const struct file_operations aa_sfs_seq_file_ops; | |
45 | 45 | |
46 | -#define AA_FS_FILE_BOOLEAN(_name, _value) \ | |
46 | +#define AA_SFS_FILE_BOOLEAN(_name, _value) \ | |
47 | 47 | { .name = (_name), .mode = 0444, \ |
48 | - .v_type = AA_FS_TYPE_BOOLEAN, .v.boolean = (_value), \ | |
49 | - .file_ops = &aa_fs_seq_file_ops } | |
50 | -#define AA_FS_FILE_STRING(_name, _value) \ | |
48 | + .v_type = AA_SFS_TYPE_BOOLEAN, .v.boolean = (_value), \ | |
49 | + .file_ops = &aa_sfs_seq_file_ops } | |
50 | +#define AA_SFS_FILE_STRING(_name, _value) \ | |
51 | 51 | { .name = (_name), .mode = 0444, \ |
52 | - .v_type = AA_FS_TYPE_STRING, .v.string = (_value), \ | |
53 | - .file_ops = &aa_fs_seq_file_ops } | |
54 | -#define AA_FS_FILE_U64(_name, _value) \ | |
52 | + .v_type = AA_SFS_TYPE_STRING, .v.string = (_value), \ | |
53 | + .file_ops = &aa_sfs_seq_file_ops } | |
54 | +#define AA_SFS_FILE_U64(_name, _value) \ | |
55 | 55 | { .name = (_name), .mode = 0444, \ |
56 | - .v_type = AA_FS_TYPE_U64, .v.u64 = (_value), \ | |
57 | - .file_ops = &aa_fs_seq_file_ops } | |
58 | -#define AA_FS_FILE_FOPS(_name, _mode, _fops) \ | |
59 | - { .name = (_name), .v_type = AA_FS_TYPE_FOPS, \ | |
56 | + .v_type = AA_SFS_TYPE_U64, .v.u64 = (_value), \ | |
57 | + .file_ops = &aa_sfs_seq_file_ops } | |
58 | +#define AA_SFS_FILE_FOPS(_name, _mode, _fops) \ | |
59 | + { .name = (_name), .v_type = AA_SFS_TYPE_FOPS, \ | |
60 | 60 | .mode = (_mode), .file_ops = (_fops) } |
61 | -#define AA_FS_DIR(_name, _value) \ | |
62 | - { .name = (_name), .v_type = AA_FS_TYPE_DIR, .v.files = (_value) } | |
61 | +#define AA_SFS_DIR(_name, _value) \ | |
62 | + { .name = (_name), .v_type = AA_SFS_TYPE_DIR, .v.files = (_value) } | |
63 | 63 | |
64 | 64 | extern void __init aa_destroy_aafs(void); |
65 | 65 | |
66 | 66 | |
... | ... | @@ -107,12 +107,12 @@ |
107 | 107 | #define prof_child_dir(X) ((X)->dents[AAFS_PROF_PROFS]) |
108 | 108 | |
109 | 109 | void __aa_bump_ns_revision(struct aa_ns *ns); |
110 | -void __aa_fs_profile_rmdir(struct aa_profile *profile); | |
111 | -void __aa_fs_profile_migrate_dents(struct aa_profile *old, | |
110 | +void __aafs_profile_rmdir(struct aa_profile *profile); | |
111 | +void __aafs_profile_migrate_dents(struct aa_profile *old, | |
112 | 112 | struct aa_profile *new); |
113 | -int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent); | |
114 | -void __aa_fs_ns_rmdir(struct aa_ns *ns); | |
115 | -int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, | |
113 | +int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent); | |
114 | +void __aafs_ns_rmdir(struct aa_ns *ns); | |
115 | +int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, | |
116 | 116 | const char *name); |
117 | 117 | |
118 | 118 | struct aa_loaddata; |
security/apparmor/include/capability.h
security/apparmor/include/resource.h
... | ... | @@ -34,7 +34,7 @@ |
34 | 34 | struct rlimit limits[RLIM_NLIMITS]; |
35 | 35 | }; |
36 | 36 | |
37 | -extern struct aa_fs_entry aa_fs_entry_rlimit[]; | |
37 | +extern struct aa_sfs_entry aa_sfs_entry_rlimit[]; | |
38 | 38 | |
39 | 39 | int aa_map_resource(int resource); |
40 | 40 | int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *, |
security/apparmor/policy.c
... | ... | @@ -160,7 +160,7 @@ |
160 | 160 | __aa_profile_list_release(&profile->base.profiles); |
161 | 161 | /* released by free_profile */ |
162 | 162 | __aa_update_proxy(profile, profile->ns->unconfined); |
163 | - __aa_fs_profile_rmdir(profile); | |
163 | + __aafs_profile_rmdir(profile); | |
164 | 164 | __list_remove_profile(profile); |
165 | 165 | } |
166 | 166 | |
... | ... | @@ -784,7 +784,7 @@ |
784 | 784 | /* aafs interface uses proxy */ |
785 | 785 | rcu_assign_pointer(new->proxy->profile, |
786 | 786 | aa_get_profile(new)); |
787 | - __aa_fs_profile_migrate_dents(old, new); | |
787 | + __aafs_profile_migrate_dents(old, new); | |
788 | 788 | |
789 | 789 | if (list_empty(&new->base.list)) { |
790 | 790 | /* new is not on a list already */ |
... | ... | @@ -971,7 +971,7 @@ |
971 | 971 | parent = prof_child_dir(p); |
972 | 972 | } else |
973 | 973 | parent = ns_subprofs_dir(ent->new->ns); |
974 | - error = __aa_fs_profile_mkdir(ent->new, parent); | |
974 | + error = __aafs_profile_mkdir(ent->new, parent); | |
975 | 975 | } |
976 | 976 | |
977 | 977 | if (error) { |
security/apparmor/policy_ns.c
... | ... | @@ -196,7 +196,7 @@ |
196 | 196 | if (!ns) |
197 | 197 | return NULL; |
198 | 198 | mutex_lock(&ns->lock); |
199 | - error = __aa_fs_ns_mkdir(ns, ns_subns_dir(parent), name); | |
199 | + error = __aafs_ns_mkdir(ns, ns_subns_dir(parent), name); | |
200 | 200 | if (error) { |
201 | 201 | AA_ERROR("Failed to create interface for ns %s\n", |
202 | 202 | ns->base.name); |
... | ... | @@ -284,7 +284,7 @@ |
284 | 284 | |
285 | 285 | if (ns->parent) |
286 | 286 | __aa_update_proxy(ns->unconfined, ns->parent->unconfined); |
287 | - __aa_fs_ns_rmdir(ns); | |
287 | + __aafs_ns_rmdir(ns); | |
288 | 288 | mutex_unlock(&ns->lock); |
289 | 289 | } |
290 | 290 |
security/apparmor/resource.c