[apparmor] [PATCH 21/36] apparmor: baby step - now add labels to the labelset trees
John Johansen
john.johansen at canonical.com
Wed May 1 21:31:06 UTC 2013
Just add the labels to the tree to make sure insertions and deletions
into the rb tree are working.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
security/apparmor/policy.c | 53 +++++++++++++++++++++++++++++++---------------
1 file changed, 36 insertions(+), 17 deletions(-)
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 1d80595..9d946ce 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1100,6 +1100,26 @@ static void share_name(struct aa_profile *old, struct aa_profile *new)
new->base.name = old->base.name;
}
+/* Update to newest version of parent after previous replacements
+ * Returns: unrefcount newest version of parent
+ */
+static struct aa_profile *update_to_newest_parent(struct aa_profile *new)
+{
+ struct aa_profile *parent, *newest;
+ parent = rcu_dereference_protected(new->parent,
+ mutex_is_locked(&new->ns->lock));
+ newest = aa_get_newest_profile(parent);
+
+ /* parent replaced in this atomic set? */
+ if (newest != parent) {
+ aa_put_profile(parent);
+ rcu_assign_pointer(new->parent, newest);
+ } else
+ aa_put_profile(newest);
+
+ return newest;
+}
+
/**
* aa_replace_profiles - replace profile(s) on the profile list
* @udata: serialized data stream (NOT NULL)
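Review bot: The header comment on update_to_newest_parent() does not spell out the lifetime contract; "unrefcount" (presumably "unrefcounted") is the only hint that the returned pointer carries no reference of its own. It stays alive only through the reference stored in new->parent, so a caller that keeps it past the namespace lock would hold a dangling pointer. I would add the preconditions and the return contract, e.g. `Requires: new->ns->lock held, new->parent set (the caller checks this)` and `Returns: newest version of parent, NOT refcounted - valid only while ns->lock is held`. The lockdep condition also switched from `ns->lock` to `new->ns->lock`; a short remark that these are the same namespace at the call site would help, since that is not visible in this hunk.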
@@ -1215,6 +1235,9 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
if (ent->old) {
share_name(ent->old, ent->new);
__replace_profile(ent->old, ent->new, 1);
+ aa_label_replace(&ns->labels, &ent->old->label,
+ &ent->new->label);
+ __aa_labelset_invalidate_all(ns, ent->old);
if (ent->rename) {
/* aafs interface uses replacedby */
rcu_assign_pointer(ent->new->replacedby->profile,
@@ -1226,28 +1249,22 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
rcu_assign_pointer(ent->new->replacedby->profile,
aa_get_profile(ent->new));
__replace_profile(ent->rename, ent->new, 0);
- } else if (ent->new->parent) {
- struct aa_profile *parent, *newest;
- parent = rcu_dereference_protected(ent->new->parent,
- mutex_is_locked(&ns->lock));
- newest = aa_get_newest_profile(parent);
+ } else {
+ struct aa_label *l;
+ struct list_head *lh;
- /* parent replaced in this atomic set? */
- if (newest != parent) {
- aa_get_profile(newest);
- aa_put_profile(parent);
- rcu_assign_pointer(ent->new->parent, newest);
+ if (rcu_access_pointer(ent->new->parent)) {
+ struct aa_profile *parent;
+ parent = update_to_newest_parent(ent->new);
+ lh = &parent->base.profiles;
} else
- aa_put_profile(newest);
- /* aafs interface uses replacedby */
- rcu_assign_pointer(ent->new->replacedby->profile,
- aa_get_profile(ent->new));
- __list_add_profile(&parent->base.profiles, ent->new);
- } else {
+ lh = &ns->base.profiles;
/* aafs interface uses replacedby */
rcu_assign_pointer(ent->new->replacedby->profile,
aa_get_profile(ent->new));
- __list_add_profile(&ns->base.profiles, ent->new);
+ __list_add_profile(lh, ent->new);
+ l = aa_label_insert(&ns->labels, &ent->new->label);
+ aa_put_label(l);
}
aa_load_ent_free(ent);
}
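Review bot: The label returned by aa_label_insert() at the end of the new else branch is dropped with `aa_put_label(l)` without being looked at, so an insert that fails or hands back a different, already-present label goes unnoticed. aa_label_insert() is not visible here, so whether it can return NULL or an existing entry is an assumption to confirm. Since the commit exists to check that tree insertions work, a check such as `WARN_ON(l != &ent->new->label);` before the put would make a bad insert visible instead of leaving a profile whose label is not in ns->labels. The inner `if (rcu_access_pointer(...)) { ... } else` also braces only one branch, which kernel style asks to brace on both. aa_replace_profiles() begins and ends outside this hunk.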
@@ -1330,6 +1347,8 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
}
name = profile->base.hname;
__remove_profile(profile);
+ aa_label_remove(&ns->labels, &profile->label);
+ __aa_labelset_invalidate_all(ns, profile);
mutex_unlock(&ns->lock);
}
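Review bot: Only the label of the profile that was looked up is taken out of ns->labels here, via `aa_label_remove(&ns->labels, &profile->label);`. If __remove_profile() also tears down child profiles (its body is not in this hunk, so this needs confirming), their labels would stay in the tree and could later be found pointing at profiles that have been released. Doing the label removal inside the per-profile removal helper would cover children as well; failing that, a comment such as `/* children's labels are removed by ... */` should say where that happens. The two added calls also touch `profile` after __remove_profile(), which relies on aa_remove_profiles() still holding its own reference at that point; that part of the function is outside the hunk.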
--
1.8.1.2