[apparmor] [PATCH 15/24] apparmor: reuse name string from previous profile

John Johansen john.johansen at canonical.com
Wed Feb 27 18:14:14 UTC 2013


For profiles that have been replaced, reuse the name string so that the
old and new versions of the profile share the same string.  This will
make some checks/comparisons in labeling quicker.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 security/apparmor/apparmorfs.c       |    2 +-
 security/apparmor/include/apparmor.h |   30 +++++++++++++++++++++++++++++
 security/apparmor/include/policy.h   |    6 +++---
 security/apparmor/lib.c              |   17 +++++++++++++++++
 security/apparmor/policy.c           |   35 ++++++++++++++++++++++++----------
 5 files changed, 76 insertions(+), 14 deletions(-)

diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index f798922..4493fdd 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -35,7 +35,7 @@
  *
  * Returns: length of mangled name
  */
-static int mangle_name(char *name, char *target)
+static int mangle_name(const char *name, char *target)
 {
 	char *t = target;
 
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
index 3172801..acdd923 100644
--- a/security/apparmor/include/apparmor.h
+++ b/security/apparmor/include/apparmor.h
@@ -119,4 +119,34 @@ static inline bool mediated_filesystem(struct inode *inode)
 	return !(inode->i_sb->s_flags & MS_NOUSER);
 }
 
+
+struct counted_str {
+	struct kref count;
+	char name[];
+};
+
+#define str_to_counted(str) \
+	((struct counted_str *)(str - offsetof(struct counted_str,name)))
+
+#define __counted	/* atm just a notation */
+
+void aa_str_kref(struct kref *kref);
+char *aa_str_alloc(int size, gfp_t gfp);
+
+
+static inline __counted char *aa_get_str(__counted char *str)
+{
+	if (str)
+		kref_get(&(str_to_counted(str)->count));
+
+	return str;
+}
+
+static inline void aa_put_str(__counted char *str)
+{
+	if (str)
+		kref_put(&str_to_counted(str)->count, aa_str_kref);
+}
+
+
 #endif /* __APPARMOR_H */
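Review bot: The `str_to_counted` macro does not parenthesize its argument, so any non-trivial expression passed to it (a conditional, a cast of lower precedence) binds wrongly against the subtraction; the safer form is `((struct counted_str *)((str) - offsetof(struct counted_str, name)))`. `aa_str_alloc` is declared with `int size` while the callers in the policy.c hunk pass `size_t` values built from `strlen`, so `char *aa_str_alloc(size_t size, gfp_t gfp);` (and the matching definition in lib.c) avoids the implicit narrowing. The new struct and inline helpers also carry no kernel-doc; a short block comment on `struct counted_str` saying that `name` is only ever obtained from `aa_str_alloc`, that `aa_get_str`/`aa_put_str` take and drop references, and that the final `aa_put_str` frees the whole object would match the rest of the header.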
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 4dd5e63..0b247b3 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -77,13 +77,13 @@ struct aa_profile;
 
 /* struct aa_policy - common part of both namespaces and profiles
  * @name: name of the object
- * @hname - The hierarchical name
+ * @hname - The hierarchical name, NOTE: is .name of struct counted_str
  * @list: list policy object is on
  * @profiles: head of the profiles list contained in the object
  */
 struct aa_policy {
-	char *name;
-	char *hname;
+	const char *name;
+	__counted char *hname;
 	struct list_head list;
 	struct list_head profiles;
 };
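Review bot: The `@name` line of the `struct aa_policy` kernel-doc still reads as if `name` were an independently owned string, while the policy.c hunks rely on it being a substring of `hname` that is never freed on its own (`/* base.name is a substring of fqname */`, `/* don't free name as its a subset of hname */`). Now that `hname` can be shared between a replaced profile and its replacement, that is worth stating where the field is declared: `@name: name of the object, points into @hname (not freed separately)`. The `__counted` annotation expands to nothing, so `hname` remains a plain `char *`; the NOTE already says in words what the type cannot, which is adequate.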
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index d40bc59..31fb900 100644
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -141,3 +141,20 @@ void kvfree(void *buffer)
 	} else
 		kfree(buffer);
 }
+
+
+__counted char *aa_str_alloc(int size, gfp_t gfp)
+{
+	struct counted_str *str;
+	str = kmalloc(sizeof(struct counted_str) + size, gfp);
+	if (!str)
+		return NULL;
+
+	kref_init(&str->count);
+	return str->name;
+}
+
+void aa_str_kref(struct kref *kref)
+{
+	kfree(container_of(kref, struct counted_str, count));
+}
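Review bot: `aa_str_kref` releases the string with plain `kfree`, whereas the hname it now backs was previously released with `kzfree` in `policy_destroy` (see `aa_put_str(policy->hname)` in the policy.c hunk); if zeroing on free was deliberate there, `kzfree(container_of(kref, struct counted_str, count));` preserves it, otherwise the description should mention the change. `size` is an `int` but `policy_init` hands it `strlen(...) + n` values of type `size_t`, so a `size_t size` parameter avoids the narrowing; because `sizeof(struct counted_str) + size` is evaluated in `size_t`, a negative value would only produce a failed allocation rather than an undersized one, but the signature should not invite it. Neither function has a kernel-doc header; one stating that the returned pointer is the `name` array of a `struct counted_str`, that the caller holds its initial reference, and that it must be released with `aa_put_str` would document the ownership the rest of the patch depends on.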
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index c320afc..3982052 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -129,16 +129,22 @@ static const char *hname_tail(const char *hname)
 static bool policy_init(struct aa_policy *policy, const char *prefix,
 			const char *name)
 {
+	char *hname;
+
 	/* freed by policy_free */
 	if (prefix) {
-		policy->hname = kmalloc(strlen(prefix) + strlen(name) + 3,
-					GFP_KERNEL);
-		if (policy->hname)
-			sprintf(policy->hname, "%s//%s", prefix, name);
-	} else
-		policy->hname = kstrdup(name, GFP_KERNEL);
-	if (!policy->hname)
+		hname = aa_str_alloc(strlen(prefix) + strlen(name) + 3,
+				     GFP_KERNEL);
+		if (hname)
+			sprintf(hname, "%s//%s", prefix, name);
+	} else {
+		hname = aa_str_alloc(strlen(name) + 1, GFP_KERNEL);
+		if (hname)
+			strcpy(hname, name);
+	}
+	if (!hname)
 		return 0;
+	policy->hname = hname;
 	/* base.name is a substring of fqname */
 	policy->name = (char *)hname_tail(policy->hname);
 	INIT_LIST_HEAD(&policy->list);
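Review bot: The `(char *)` cast in `policy->name = (char *)hname_tail(policy->hname);` is no longer needed, since the policy.h hunk changes `name` to `const char *`; `policy->name = hname_tail(policy->hname);` keeps the const-correctness the commit introduces. The `/* freed by policy_free */` comment above the allocation is now inaccurate on two counts: the string is dropped by reference count through `aa_put_str`, and that happens in `policy_destroy` per the next hunk; `/* released via aa_put_str in policy_destroy; may be shared with a replaced profile */` would reflect the new lifetime. The `strlen(prefix) + strlen(name) + 3` and `strlen(name) + 1` sizes do match the `"%s//%s"` and `strcpy` writes, so the buffer bounds are correct. policy_init's body continues past the end of the hunk.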
@@ -167,7 +173,7 @@ static void policy_destroy(struct aa_policy *policy)
 	}
 
 	/* don't free name as its a subset of hname */
-	kzfree(policy->hname);
+	aa_put_str(policy->hname);
 }
 
 /**
@@ -749,7 +755,7 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat)
 		goto fail;
 
 	profile->mode = APPARMOR_COMPLAIN;
-	profile->flags = PFLAG_NULL;
+	profile->flags |= PFLAG_NULL;
 	if (hat)
 		profile->flags |= PFLAG_HAT;
 
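Review bot: Changing `profile->flags = PFLAG_NULL;` to `profile->flags |= PFLAG_NULL;` is unrelated to reusing the name string and is not mentioned in the description; the same edit is made in the aa_setup_default_profile hunk that follows. With `|=` the result now depends on `flags` already holding a defined value from the allocation at the start of aa_new_null_profile, which lies outside the hunk: if the profile is zero-allocated the behaviour is unchanged, but if some flag is set before this point it is now preserved rather than cleared, which reads like a deliberate but undocumented fix. A sentence in the commit message, or a separate patch for both hunks, would make the intent reviewable.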
@@ -778,7 +784,7 @@ struct aa_profile *aa_setup_default_profile(void)
 		return NULL;
 
 	/* the default profile pretends to be unconfined until it is replaced */
-	profile->flags = PFLAG_IX_ON_NAME_ERROR;
+	profile->flags |= PFLAG_IX_ON_NAME_ERROR;
 	profile->mode = APPARMOR_UNCONFINED;
 
 	profile->ns = aa_get_namespace(root_ns);
@@ -1065,6 +1071,14 @@ static struct aa_policy *__lookup_replace(struct aa_namespace *ns,
 	return policy;
 }
 
+static void share_name(struct aa_profile *old, struct aa_profile *new)
+{
+	aa_put_str(new->base.hname);
+	aa_get_str(old->base.hname);
+	new->base.hname = old->base.hname;
+	new->base.name = old->base.name;
+}
+
 /**
  * aa_replace_profiles - replace profile(s) on the profile list
  * @udata: serialized data stream  (NOT NULL)
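Review bot: `share_name` has no kernel-doc comment although the neighbouring functions in policy.c carry them (aa_replace_profiles directly below), and its contract is subtle: it drops new's own hname reference, takes one on old's, and re-points `base.name`, which the policy_init hunk documents as a substring of hname, into the now shared string. A header such as `/* share_name - make @new reuse the hname/name strings of @old */` should also state that the two profiles are assumed to have the same hname (presumably guaranteed by `__lookup_replace`, which is outside this hunk) and, if the double-underscore naming of `__lookup_replace`/`__replace_profile` means the caller holds the namespace lock, that `share_name` inherits the same requirement. The take-and-assign pair can be collapsed to `new->base.hname = aa_get_str(old->base.hname);`, using the value `aa_get_str` returns for exactly this purpose instead of discarding it. The call added at the end of the aa_replace_profiles hunk runs after `audit_policy` has already logged `new->base.name`, so that ordering is fine.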
@@ -1180,6 +1194,7 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
 		audit_policy(op, GFP_ATOMIC, new->base.name, NULL, error);
 
 		if (old) {
+			share_name(old, new);
 			__replace_profile(old, new);
 			if (rename) {
 				/* TODO:
-- 
1.7.10.4



