[apparmor] [PATCH 31/36] apparmor: convert mount to label instead of profile

John Johansen john.johansen at canonical.com
Wed May 1 21:31:16 UTC 2013


Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 security/apparmor/include/mount.h | 16 ++++++++--------
 security/apparmor/lsm.c           | 32 ++++++++++++++++----------------
 security/apparmor/mount.c         | 25 ++++++++++++++++---------
 3 files changed, 40 insertions(+), 33 deletions(-)

diff --git a/security/apparmor/include/mount.h b/security/apparmor/include/mount.h
index bc17a53..7950c5a 100644
--- a/security/apparmor/include/mount.h
+++ b/security/apparmor/include/mount.h
@@ -29,26 +29,26 @@
 
 #define AA_MS_IGNORE_MASK (MS_KERNMOUNT | MS_NOSEC | MS_ACTIVE | MS_BORN)
 
-int aa_remount(struct aa_profile *profile, struct path *path,
-	       unsigned long flags, void *data);
+int aa_remount(struct aa_label *label, struct path *path, unsigned long flags,
+	       void *data);
 
-int aa_bind_mount(struct aa_profile *profile, struct path *path,
+int aa_bind_mount(struct aa_label *label, struct path *path,
 		  const char *old_name, unsigned long flags);
 
 
-int aa_mount_change_type(struct aa_profile *profile, struct path *path,
+int aa_mount_change_type(struct aa_label *label, struct path *path,
 			 unsigned long flags);
 
-int aa_move_mount(struct aa_profile *profile, struct path *path,
+int aa_move_mount(struct aa_label *label, struct path *path,
 		  const char *old_name);
 
-int aa_new_mount(struct aa_profile *profile, const char *dev_name,
+int aa_new_mount(struct aa_label *label, const char *dev_name,
 		 struct path *path, const char *type, unsigned long flags,
 		 void *data);
 
-int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags);
+int aa_umount(struct aa_label *label, struct vfsmount *mnt, int flags);
 
-int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
+int aa_pivotroot(struct aa_label *label, struct path *old_path,
 		  struct path *new_path);
 
 #endif /* __AA_MOUNT_H */
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index a17dd80..ae9dad6 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -534,7 +534,7 @@ static int apparmor_file_mprotect(struct vm_area_struct *vma,
 static int apparmor_sb_mount(const char *dev_name, struct path *path,
 			     const char *type, unsigned long flags, void *data)
 {
-	struct aa_profile *profile;
+	struct aa_label *label;
 	int error = 0;
 
 	/* Discard magic */
@@ -543,19 +543,19 @@ static int apparmor_sb_mount(const char *dev_name, struct path *path,
 
 	flags &= ~AA_MS_IGNORE_MASK;
 
-	profile = __aa_current_profile();
-	if (!unconfined(profile)) {
+	label = __aa_current_label();
+	if (!unconfined(label)) {
 		if (flags & MS_REMOUNT)
-			error = aa_remount(profile, path, flags, data);
+			error = aa_remount(label, path, flags, data);
 		else if (flags & MS_BIND)
-			error = aa_bind_mount(profile, path, dev_name, flags);
+			error = aa_bind_mount(label, path, dev_name, flags);
 		else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE |
 				  MS_UNBINDABLE))
-			error = aa_mount_change_type(profile, path, flags);
+			error = aa_mount_change_type(label, path, flags);
 		else if (flags & MS_MOVE)
-			error = aa_move_mount(profile, path, dev_name);
+			error = aa_move_mount(label, path, dev_name);
 		else
-			error = aa_new_mount(profile, dev_name, path, type,
+			error = aa_new_mount(label, dev_name, path, type,
 					     flags, data);
 	}
 	return error;
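Review bot: `label = __aa_current_label();` on the new side takes no reference on the label before `unconfined(label)` and the aa_*mount calls use it; if this follows the convention of the `__aa_current_profile()` it replaces, it is safe only because the current task's cred keeps the label alive for the duration of the hook, and nothing in the hunk says so. A one-line comment at the assignment would make that contract explicit, e.g. `/* no ref taken: current's cred pins the label for this hook */`. The same unreferenced-label pattern is introduced in apparmor_sb_umount and apparmor_sb_pivotroot in the next hunk. apparmor_sb_mount begins before this hunk.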
@@ -563,24 +563,24 @@ static int apparmor_sb_mount(const char *dev_name, struct path *path,
 
 static int apparmor_sb_umount(struct vfsmount *mnt, int flags)
 {
-	struct aa_profile *profile;
+	struct aa_label *label;
 	int error = 0;
 
-	profile = __aa_current_profile();
-	if (!unconfined(profile))
-		error = aa_umount(profile, mnt, flags);
+	label = __aa_current_label();
+	if (!unconfined(label))
+		error = aa_umount(label, mnt, flags);
 
 	return error;
 }
 
 static int apparmor_sb_pivotroot(struct path *old_path, struct path *new_path)
 {
-	struct aa_profile *profile;
+	struct aa_label *label;
 	int error = 0;
 
-	profile = __aa_current_profile();
-	if (!unconfined(profile))
-		error = aa_pivotroot(profile, old_path, new_path);
+	label = __aa_current_label();
+	if (!unconfined(label))
+		error = aa_pivotroot(label, old_path, new_path);
 
 	return error;
 }
diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
index 478aa4d..b3e019b 100644
--- a/security/apparmor/mount.c
+++ b/security/apparmor/mount.c
@@ -336,9 +336,10 @@ static int path_flags(struct aa_profile *profile, struct path *path)
 		S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0;
 }
 
-int aa_remount(struct aa_profile *profile, struct path *path,
-	       unsigned long flags, void *data)
+int aa_remount(struct aa_label *label, struct path *path, unsigned long flags,
+	       void *data)
 {
+	struct aa_profile *profile = labels_profile(label);
 	struct file_perms perms = { };
 	const char *name, *info = NULL;
 	char *buffer = NULL;
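Review bot: `struct aa_profile *profile = labels_profile(label);` at the top of aa_remount reduces the label straight back to a single profile, so the rest of the function still mediates against one profile; if a label can carry more than one profile, only that profile's mount rules are consulted and the conversion to labels is in name only at this point. A comment marking this as an interim step would keep the limitation visible to whoever finishes the conversion, e.g. `/* TODO: mediate against every profile in the label, not just labels_profile() */`. The same line is added to aa_bind_mount, aa_mount_change_type, aa_move_mount, aa_new_mount, aa_umount and aa_pivotroot in the following hunks. aa_remount's body continues past this hunk.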
@@ -363,9 +364,10 @@ audit:
 	return error;
 }
 
-int aa_bind_mount(struct aa_profile *profile, struct path *path,
+int aa_bind_mount(struct aa_label *label, struct path *path,
 		  const char *dev_name, unsigned long flags)
 {
+	struct aa_profile *profile = labels_profile(label);
 	struct file_perms perms = { };
 	char *buffer = NULL, *old_buffer = NULL;
 	const char *name, *old_name = NULL, *info = NULL;
@@ -405,9 +407,10 @@ audit:
 	return error;
 }
 
-int aa_mount_change_type(struct aa_profile *profile, struct path *path,
+int aa_mount_change_type(struct aa_label *label, struct path *path,
 			 unsigned long flags)
 {
+	struct aa_profile *profile = labels_profile(label);
 	struct file_perms perms = { };
 	char *buffer = NULL;
 	const char *name, *info = NULL;
@@ -434,9 +437,10 @@ audit:
 	return error;
 }
 
-int aa_move_mount(struct aa_profile *profile, struct path *path,
+int aa_move_mount(struct aa_label *label, struct path *path,
 		  const char *orig_name)
 {
+	struct aa_profile *profile = labels_profile(label);
 	struct file_perms perms = { };
 	char *buffer = NULL, *old_buffer = NULL;
 	const char *name, *old_name = NULL, *info = NULL;
@@ -474,10 +478,11 @@ audit:
 	return error;
 }
 
-int aa_new_mount(struct aa_profile *profile, const char *orig_dev_name,
+int aa_new_mount(struct aa_label *label, const char *orig_dev_name,
 		 struct path *path, const char *type, unsigned long flags,
 		 void *data)
 {
+	struct aa_profile *profile = labels_profile(label);
 	struct file_perms perms = { };
 	char *buffer = NULL, *dev_buffer = NULL;
 	const char *name = NULL, *dev_name = NULL, *info = NULL;
@@ -536,8 +541,9 @@ out:
 
 }
 
-int aa_umount(struct aa_profile *profile, struct vfsmount *mnt, int flags)
+int aa_umount(struct aa_label *label, struct vfsmount *mnt, int flags)
 {
+	struct aa_profile *profile = labels_profile(label);
 	struct file_perms perms = { };
 	char *buffer = NULL;
 	const char *name, *info = NULL;
@@ -568,9 +574,10 @@ audit:
 	return error;
 }
 
-int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
+int aa_pivotroot(struct aa_label *label, struct path *old_path,
 		  struct path *new_path)
 {
+	struct aa_profile *profile = labels_profile(label);
 	struct file_perms perms = { };
 	struct aa_profile *target = NULL;
 	char *old_buffer = NULL, *new_buffer = NULL;
@@ -603,7 +610,7 @@ int aa_pivotroot(struct aa_profile *profile, struct path *old_path,
 			if (!target)
 				error = -ENOENT;
 			else
-				error = aa_replace_current_profile(target);
+				error = aa_replace_current_label(&target->label);
 		}
 	} else
 		error = -EACCES;
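Review bot: `error = aa_replace_current_label(&target->label);` hands the label embedded in `target` to the replace call, while `target` is held as a `struct aa_profile *` obtained earlier in the function; whether `aa_replace_current_label` takes its own reference on the label or relies on the caller's reference to `target` is not visible in this hunk, and the release of `target` happens outside it. A short comment stating which side owns the reference at this call, e.g. `/* aa_replace_current_label takes its own ref; target is released on exit */` (worded to match the actual contract), would prevent a later refcount slip on the one path that changes the task's confinement. aa_pivotroot starts and ends outside this hunk.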
-- 
1.8.1.2



