Lines Matching +full:container +full:- +full:rules
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
15 * AppArmor policy is based around profiles, which contain the rules a
18 * visible set of profiles or by following a profile's attachment rules.
20 * Each profile exists in a profile namespace which is a container of
26 * :namespace:profile - used by kernel interfaces for easy detection
27 * namespace://profile - used by policy
32 * unconfined - special automatically generated unconfined profile
33 * inherit - special name to indicate profile inheritance
34 * null-XXXX-YYYY - special automatically generated learning profiles
38 * user-XXXX - user defined profiles
49 * - it allows for sub profiles or hats, which allows an application to run
55 * - it allows for binary hierarchy of profiles, so that execution history
71 * - locking of profile lists is currently fairly coarse. All profile
103 * hname_tail - find the last component of an hname
119 * policy_init - initialize a policy structure
133 policy->hname = kmalloc(strlen(prefix) + strlen(name) + 3, in policy_init()
135 if (policy->hname) in policy_init()
136 sprintf(policy->hname, "%s//%s", prefix, name); in policy_init()
138 policy->hname = kstrdup(name, GFP_KERNEL); in policy_init()
139 if (!policy->hname) in policy_init()
142 policy->name = (char *)hname_tail(policy->hname); in policy_init()
143 INIT_LIST_HEAD(&policy->list); in policy_init()
144 INIT_LIST_HEAD(&policy->profiles); in policy_init()
145 kref_init(&policy->count); in policy_init()
151 * policy_destroy - free the elements referenced by @policy
156 /* still contains profiles -- invalid */ in policy_destroy()
157 if (!list_empty(&policy->profiles)) { in policy_destroy()
160 __func__, policy->name); in policy_destroy()
163 if (!list_empty(&policy->list)) { in policy_destroy()
165 __func__, policy->name); in policy_destroy()
170 kzfree(policy->hname); in policy_destroy()
174 * __policy_find - find a policy by @name on a policy list
187 if (!strcmp(policy->name, name)) in __policy_find()
194 * __policy_strn_find - find a policy whose name matches @len chars of @str
212 if (aa_strneq(policy->name, str, len)) in __policy_strn_find()
223 static const char *hidden_ns_name = "---";
225 * aa_ns_visible - test if @view is visible from @curr
236 for ( ; view; view = view->parent) { in aa_ns_visible()
237 if (view->parent == curr) in aa_ns_visible()
244 * aa_ns_name - Find the ns name to display for @view from @curr
245 * @curr - current namespace (NOT NULL)
246 * @view - namespace attempting to view (NOT NULL)
263 return view->base.hname + strlen(curr->base.hname) + 2; in aa_ns_name()
269 * alloc_namespace - allocate, initialize and return a new namespace
284 if (!policy_init(&ns->base, prefix, name)) in alloc_namespace()
287 INIT_LIST_HEAD(&ns->sub_ns); in alloc_namespace()
288 rwlock_init(&ns->lock); in alloc_namespace()
291 ns->unconfined = aa_alloc_profile("unconfined"); in alloc_namespace()
292 if (!ns->unconfined) in alloc_namespace()
295 ns->unconfined->sid = aa_alloc_sid(); in alloc_namespace()
296 ns->unconfined->flags = PFLAG_UNCONFINED | PFLAG_IX_ON_NAME_ERROR | in alloc_namespace()
301 * the cyclic references (ns->unconfined, and unconfined->ns) and in alloc_namespace()
304 ns->unconfined->ns = aa_get_namespace(ns); in alloc_namespace()
309 kzfree(ns->base.hname); in alloc_namespace()
316 * free_namespace - free a profile namespace
327 policy_destroy(&ns->base); in free_namespace()
328 aa_put_namespace(ns->parent); in free_namespace()
330 if (ns->unconfined && ns->unconfined->ns == ns) in free_namespace()
331 ns->unconfined->ns = NULL; in free_namespace()
333 aa_put_profile(ns->unconfined); in free_namespace()
338 * aa_free_namespace_kref - free aa_namespace by kref (see aa_put_namespace)
347 * __aa_find_namespace - find a namespace on a list by @name
362 * aa_find_namespace - look up a profile namespace on the namespace list
376 read_lock(&root->lock); in aa_find_namespace()
377 ns = aa_get_namespace(__aa_find_namespace(&root->sub_ns, name)); in aa_find_namespace()
378 read_unlock(&root->lock); in aa_find_namespace()
384 * aa_prepare_namespace - find an existing or create a new namespace of @name
393 root = aa_current_profile()->ns; in aa_prepare_namespace()
395 write_lock(&root->lock); in aa_prepare_namespace()
406 ns = aa_get_namespace(__aa_find_namespace(&root->sub_ns, name)); in aa_prepare_namespace()
410 write_unlock(&root->lock); in aa_prepare_namespace()
411 new_ns = alloc_namespace(root->base.hname, name); in aa_prepare_namespace()
414 write_lock(&root->lock); in aa_prepare_namespace()
416 ns = __aa_find_namespace(&root->sub_ns, name); in aa_prepare_namespace()
419 new_ns->parent = aa_get_namespace(root); in aa_prepare_namespace()
421 list_add(&new_ns->base.list, &root->sub_ns); in aa_prepare_namespace()
432 write_unlock(&root->lock); in aa_prepare_namespace()
439 * __list_add_profile - add a profile to a list
450 list_add(&profile->base.list, list); in __list_add_profile()
456 * __list_remove_profile - remove a profile from the list it is on
469 list_del_init(&profile->base.list); in __list_remove_profile()
470 if (!(profile->flags & PFLAG_NO_LIST_REF)) in __list_remove_profile()
476 * __replace_profile - replace @old with @new on a list
492 if (old->parent) in __replace_profile()
493 policy = &old->parent->base; in __replace_profile()
495 policy = &old->ns->base; in __replace_profile()
498 new->parent = aa_get_profile(old->parent); in __replace_profile()
499 new->ns = aa_get_namespace(old->ns); in __replace_profile()
500 new->sid = old->sid; in __replace_profile()
501 __list_add_profile(&policy->profiles, new); in __replace_profile()
503 list_for_each_entry_safe(child, tmp, &old->base.profiles, base.list) { in __replace_profile()
504 aa_put_profile(child->parent); in __replace_profile()
505 child->parent = aa_get_profile(new); in __replace_profile()
507 list_move(&child->base.list, &new->base.profiles); in __replace_profile()
511 old->replacedby = aa_get_profile(new); in __replace_profile()
518 * __remove_profile - remove old profile, and children
526 __profile_list_release(&profile->base.profiles); in __remove_profile()
528 profile->replacedby = aa_get_profile(profile->ns->unconfined); in __remove_profile()
533 * __profile_list_release - remove all profiles on the list and put refs
548 * destroy_namespace - remove everything contained by @ns
556 write_lock(&ns->lock); in destroy_namespace()
558 __profile_list_release(&ns->base.profiles); in destroy_namespace()
561 __ns_list_release(&ns->sub_ns); in destroy_namespace()
563 write_unlock(&ns->lock); in destroy_namespace()
567 * __remove_namespace - remove a namespace and all its children
570 * Requires: ns->parent->lock be held and ns removed from parent.
574 struct aa_profile *unconfined = ns->unconfined; in __remove_namespace()
577 list_del_init(&ns->base.list); in __remove_namespace()
583 * being removed, inheriting the parent->unconfined profile. in __remove_namespace()
585 if (ns->parent) in __remove_namespace()
586 ns->unconfined = aa_get_profile(ns->parent->unconfined); in __remove_namespace()
590 /* release original ns->unconfined ref */ in __remove_namespace()
592 /* release ns->base.list ref, from removal above */ in __remove_namespace()
597 * __ns_list_release - remove all profile namespaces on the list and put refs
611 * aa_alloc_root_ns - allocate the root profile namespace
618 /* released by aa_free_root_ns - used as list ref*/ in aa_alloc_root_ns()
621 return -ENOMEM; in aa_alloc_root_ns()
627 * aa_free_root_ns - free the root profile namespace
639 * aa_alloc_profile - allocate, initialize and return a new profile
648 /* freed by free_profile - usually through aa_put_profile */ in aa_alloc_profile()
653 if (!policy_init(&profile->base, NULL, hname)) { in aa_alloc_profile()
663 * aa_new_null_profile - create a new null-X learning profile
665 * @hat: true if the null- learning profile is a hat
667 * Create a null- complain mode profile used in learning mode. The name of
668 * the profile is unique and follows the format of parent//null-sid.
683 name = kmalloc(strlen(parent->base.hname) + 2 + 7 + 8, GFP_KERNEL); in aa_new_null_profile()
686 sprintf(name, "%s//null-%x", parent->base.hname, sid); in aa_new_null_profile()
693 profile->sid = sid; in aa_new_null_profile()
694 profile->mode = APPARMOR_COMPLAIN; in aa_new_null_profile()
695 profile->flags = PFLAG_NULL; in aa_new_null_profile()
697 profile->flags |= PFLAG_HAT; in aa_new_null_profile()
700 profile->parent = aa_get_profile(parent); in aa_new_null_profile()
701 profile->ns = aa_get_namespace(parent->ns); in aa_new_null_profile()
703 write_lock(&profile->ns->lock); in aa_new_null_profile()
704 __list_add_profile(&parent->base.profiles, profile); in aa_new_null_profile()
705 write_unlock(&profile->ns->lock); in aa_new_null_profile()
716 * free_profile - free a profile
732 if (!list_empty(&profile->base.list)) { in free_profile()
735 __func__, profile->base.name); in free_profile()
740 policy_destroy(&profile->base); in free_profile()
741 aa_put_profile(profile->parent); in free_profile()
743 aa_put_namespace(profile->ns); in free_profile()
744 kzfree(profile->rename); in free_profile()
746 aa_free_file_rules(&profile->file); in free_profile()
747 aa_free_cap_rules(&profile->caps); in free_profile()
748 aa_free_rlimit_rules(&profile->rlimits); in free_profile()
750 aa_free_sid(profile->sid); in free_profile()
751 aa_put_dfa(profile->xmatch); in free_profile()
753 aa_put_profile(profile->replacedby); in free_profile()
759 * aa_free_profile_kref - free aa_profile by kref (called by aa_put_profile)
770 /* TODO: profile accounting - setup in remove */
773 * __find_child - find a profile on @head list with a name matching @name
787 * __strn_find_child - find a profile on @head list using substring of @name
803 * aa_find_child - find a profile by @name in @parent
813 read_lock(&parent->ns->lock); in aa_find_child()
814 profile = aa_get_profile(__find_child(&parent->base.profiles, name)); in aa_find_child()
815 read_unlock(&parent->ns->lock); in aa_find_child()
822 * __lookup_parent - lookup the parent of a profile of name @hname
830 * Requires: ns->lock be held
841 policy = &ns->base; in __lookup_parent()
844 profile = __strn_find_child(&policy->profiles, hname, in __lookup_parent()
845 split - hname); in __lookup_parent()
848 policy = &profile->base; in __lookup_parent()
853 return &ns->base; in __lookup_parent()
854 return &profile->base; in __lookup_parent()
858 * __lookup_profile - lookup the profile matching @hname
862 * Requires: ns->lock be held
875 profile = __strn_find_child(&base->profiles, hname, in __lookup_profile()
876 split - hname); in __lookup_profile()
880 base = &profile->base; in __lookup_profile()
885 profile = __find_child(&base->profiles, hname); in __lookup_profile()
891 * aa_lookup_profile - find a profile by its full or partial name
901 read_lock(&ns->lock); in aa_lookup_profile()
902 profile = aa_get_profile(__lookup_profile(&ns->base, hname)); in aa_lookup_profile()
903 read_unlock(&ns->lock); in aa_lookup_profile()
910 * replacement_allowed - test to see if replacement is allowed
913 * @info: Returns - info about why replacement failed (NOT NULL)
921 if (profile->flags & PFLAG_IMMUTABLE) { in replacement_allowed()
923 return -EPERM; in replacement_allowed()
926 return -EEXIST; in replacement_allowed()
933 * __add_new_profile - simple wrapper around __list_add_profile
935 * @policy: the policy container to add the profile to (NOT NULL)
943 if (policy != &ns->base) in __add_new_profile()
945 profile->parent = aa_get_profile((struct aa_profile *) policy); in __add_new_profile()
946 __list_add_profile(&policy->profiles, profile); in __add_new_profile()
948 profile->sid = aa_alloc_sid(); in __add_new_profile()
949 profile->ns = aa_get_namespace(ns); in __add_new_profile()
953 * aa_audit_policy - Do auditing of policy changes
977 * aa_may_manage_policy - can the current task manage policy
986 audit_policy(op, GFP_KERNEL, NULL, "policy_locked", -EACCES); in aa_may_manage_policy()
991 audit_policy(op, GFP_KERNEL, NULL, "not policy admin", -EACCES); in aa_may_manage_policy()
999 * aa_replace_profiles - replace profile(s) on the profile list
1032 error = -ENOMEM; in aa_replace_profiles()
1037 name = new_profile->base.hname; in aa_replace_profiles()
1039 write_lock(&ns->lock); in aa_replace_profiles()
1041 policy = __lookup_parent(ns, new_profile->base.hname); in aa_replace_profiles()
1045 error = -ENOENT; in aa_replace_profiles()
1049 old_profile = __find_child(&policy->profiles, new_profile->base.name); in aa_replace_profiles()
1053 if (new_profile->rename) { in aa_replace_profiles()
1054 rename_profile = __lookup_profile(&ns->base, in aa_replace_profiles()
1055 new_profile->rename); in aa_replace_profiles()
1061 name = new_profile->rename; in aa_replace_profiles()
1062 error = -ENOENT; in aa_replace_profiles()
1089 aa_free_sid(new_profile->sid); in aa_replace_profiles()
1095 write_unlock(&ns->lock); in aa_replace_profiles()
1112 * aa_remove_profiles - remove profile(s) from the system
1132 error = -ENOENT; in aa_remove_profiles()
1136 root = aa_current_profile()->ns; in aa_remove_profiles()
1146 error = -ENOENT; in aa_remove_profiles()
1155 /* remove namespace - can only happen if fqname[0] == ':' */ in aa_remove_profiles()
1156 write_lock(&ns->parent->lock); in aa_remove_profiles()
1158 write_unlock(&ns->parent->lock); in aa_remove_profiles()
1161 write_lock(&ns->lock); in aa_remove_profiles()
1162 profile = aa_get_profile(__lookup_profile(&ns->base, name)); in aa_remove_profiles()
1164 error = -ENOENT; in aa_remove_profiles()
1168 name = profile->base.hname; in aa_remove_profiles()
1170 write_unlock(&ns->lock); in aa_remove_profiles()
1180 write_unlock(&ns->lock); in aa_remove_profiles()