[apparmor] [PATCH 3/3] AppArmor: export known rlimit names/value mappings in securityfs

Seth Arnold seth.arnold at gmail.com
Sat Dec 31 09:37:03 UTC 2011 

I realize it's nitpicking of the annoyingest degree, but how much time does this initialization loop add to boot time? rlimits are added almost never but there must be thousands of machines rebooting daily. How feasible would it be to construct the entire table via the cmd_make-rlim script?

All three patches _look_ good but not tested.

Thanks!
-----Original Message-----
From: Kees Cook <kees at ubuntu.com>
Sender: apparmor-bounces at lists.ubuntu.com
Date: Sat, 31 Dec 2011 01:07:15 
To: <apparmor at lists.ubuntu.com>
Subject: [apparmor] [PATCH 3/3] AppArmor: export known rlimit names/value
 mappings in securityfs

Since the parser needs to know which rlimits are known to the kernel,
export the name/value mappings via the "rlimit" subdirectory in the
securityfs "features" directory.

Signed-off-by: Kees Cook <kees at ubuntu.com>
---
 security/apparmor/Makefile           |    4 ++--
 security/apparmor/apparmorfs.c       |   19 ++++++++++++++++++-
 security/apparmor/include/resource.h |    2 ++
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
index 2dafe50..b877b4e 100644
--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
@@ -36,11 +36,11 @@ cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ;\
 # to
 # RLIMIT_STACK, 
 quiet_cmd_make-rlim = GEN     $@
-cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ;\
+cmd_make-rlim = echo "const char *rlim_names[RLIM_NLIMITS] = {" > $@ ;\
 	sed $< >> $@ -r -n \
 	    -e 's/^\# ?define[ \t]+(RLIMIT_([A-Z0-9_]+)).*/[\1] = "\L\2",/p';\
 	echo "};" >> $@ ;\
-	echo "static const int rlim_map[] = {" >> $@ ;\
+	echo "static const int rlim_map[RLIM_NLIMITS] = {" >> $@ ;\
 	sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\
 	echo "};" >> $@
 
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index e7ed75a..671f412 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -25,9 +25,11 @@
 #include "include/audit.h"
 #include "include/context.h"
 #include "include/policy.h"
+#include "include/resource.h"
 
 enum aa_fs_value {
 	AA_FS_TYPE_BOOLEAN,
+	AA_FS_TYPE_INTEGER,
 	AA_FS_TYPE_U64,
 	AA_FS_TYPE_FOPS,
 	AA_FS_TYPE_DIR,
@@ -42,6 +44,7 @@ struct aa_fs_entry {
 	enum aa_fs_value v_type;
 	union {
 		bool boolean;
+		int integer;
 		unsigned long u64;
 		struct aa_fs_entry *files;
 	} v;
@@ -177,6 +180,9 @@ static int aa_fs_seq_show(struct seq_file *seq, void *v)
 			seq_printf(seq, "%s\n", fs_file->v.boolean ?
 						"yes" : "no");
 			break;
+		case AA_FS_TYPE_INTEGER:
+			seq_printf(seq, "%d\n", fs_file->v.integer);
+			break;
 		case AA_FS_TYPE_U64:
 			seq_printf(seq, "%#08lx\n", fs_file->v.u64);
 			break;
@@ -217,6 +223,8 @@ static const struct file_operations aa_fs_seq_file_ops = {
 #define AA_FS_DIR(_name, _value) \
 	{ .name = (_name), .v_type = AA_FS_TYPE_DIR, .v.files = (_value) }
 
+static struct aa_fs_entry aa_fs_entry_rlimit[RLIM_NLIMITS + 1] = { };
+
 static struct aa_fs_entry aa_fs_entry_features[] = {
 	AA_FS_FILE_BOOLEAN("change_hat",	1),
 	AA_FS_FILE_BOOLEAN("change_hatv",	1),
@@ -224,6 +232,7 @@ static struct aa_fs_entry aa_fs_entry_features[] = {
 	AA_FS_FILE_BOOLEAN("change_profile",	1),
 	AA_FS_FILE_BOOLEAN("namespaces",	1),
 	AA_FS_FILE_U64("capability",		VFS_CAP_FLAGS_MASK),
+	AA_FS_DIR("rlimit",			aa_fs_entry_rlimit),
 	{ }
 };
 
@@ -346,7 +355,7 @@ void __init aa_destroy_aafs(void)
  */
 int __init aa_create_aafs(void)
 {
-	int error;
+	int error, limit;
 
 	if (!apparmor_initialized)
 		return 0;
@@ -356,6 +365,14 @@ int __init aa_create_aafs(void)
 		return -EEXIST;
 	}
 
+	/* Populate rlimit name table. */
+	for (limit = 0; limit < RLIM_NLIMITS; ++limit) {
+		aa_fs_entry_rlimit[limit].name = rlim_names[limit];
+		aa_fs_entry_rlimit[limit].v_type = AA_FS_TYPE_INTEGER;
+		aa_fs_entry_rlimit[limit].v.integer = limit;
+		aa_fs_entry_rlimit[limit].file_ops = &aa_fs_seq_file_ops;
+	}
+
 	/* Populate fs tree. */
 	error = aafs_create_dir(&aa_fs_entry, NULL);
 	if (error)
diff --git a/security/apparmor/include/resource.h b/security/apparmor/include/resource.h
index 02baec7..665c413 100644
--- a/security/apparmor/include/resource.h
+++ b/security/apparmor/include/resource.h
@@ -32,6 +32,8 @@ struct aa_rlimit {
 	struct rlimit limits[RLIM_NLIMITS];
 };
 
+extern const char *rlim_names[RLIM_NLIMITS];
+
 int aa_map_resource(int resource);
 int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *,
 		      unsigned int resource, struct rlimit *new_rlim);
-- 
1.7.2.3


-- 
Kees Cook

-- 
AppArmor mailing list
AppArmor at lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

More information about the AppArmor mailing list