summaryrefslogtreecommitdiff
path: root/security/apparmor
diff options
context:
space:
mode:
Diffstat (limited to 'security/apparmor')
-rw-r--r--security/apparmor/crypto.c32
-rw-r--r--security/apparmor/include/lib.h2
-rw-r--r--security/apparmor/lib.c4
-rw-r--r--security/apparmor/lsm.c53
-rw-r--r--security/apparmor/policy.c6
5 files changed, 45 insertions, 52 deletions
diff --git a/security/apparmor/crypto.c b/security/apparmor/crypto.c
index de8dc78b6144..136f2a047836 100644
--- a/security/apparmor/crypto.c
+++ b/security/apparmor/crypto.c
@@ -31,10 +31,7 @@ unsigned int aa_hash_size(void)
char *aa_calc_hash(void *data, size_t len)
{
- struct {
- struct shash_desc shash;
- char ctx[crypto_shash_descsize(apparmor_tfm)];
- } desc;
+ SHASH_DESC_ON_STACK(desc, apparmor_tfm);
char *hash = NULL;
int error = -ENOMEM;
@@ -45,16 +42,16 @@ char *aa_calc_hash(void *data, size_t len)
if (!hash)
goto fail;
- desc.shash.tfm = apparmor_tfm;
- desc.shash.flags = 0;
+ desc->tfm = apparmor_tfm;
+ desc->flags = 0;
- error = crypto_shash_init(&desc.shash);
+ error = crypto_shash_init(desc);
if (error)
goto fail;
- error = crypto_shash_update(&desc.shash, (u8 *) data, len);
+ error = crypto_shash_update(desc, (u8 *) data, len);
if (error)
goto fail;
- error = crypto_shash_final(&desc.shash, hash);
+ error = crypto_shash_final(desc, hash);
if (error)
goto fail;
@@ -69,10 +66,7 @@ fail:
int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
size_t len)
{
- struct {
- struct shash_desc shash;
- char ctx[crypto_shash_descsize(apparmor_tfm)];
- } desc;
+ SHASH_DESC_ON_STACK(desc, apparmor_tfm);
int error = -ENOMEM;
__le32 le32_version = cpu_to_le32(version);
@@ -86,19 +80,19 @@ int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
if (!profile->hash)
goto fail;
- desc.shash.tfm = apparmor_tfm;
- desc.shash.flags = 0;
+ desc->tfm = apparmor_tfm;
+ desc->flags = 0;
- error = crypto_shash_init(&desc.shash);
+ error = crypto_shash_init(desc);
if (error)
goto fail;
- error = crypto_shash_update(&desc.shash, (u8 *) &le32_version, 4);
+ error = crypto_shash_update(desc, (u8 *) &le32_version, 4);
if (error)
goto fail;
- error = crypto_shash_update(&desc.shash, (u8 *) start, len);
+ error = crypto_shash_update(desc, (u8 *) start, len);
if (error)
goto fail;
- error = crypto_shash_final(&desc.shash, profile->hash);
+ error = crypto_shash_final(desc, profile->hash);
if (error)
goto fail;
diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
index 65ff492a9807..0291ff3902f9 100644
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -57,7 +57,7 @@
pr_err_ratelimited("AppArmor: " fmt, ##args)
/* Flag indicating whether initialization completed */
-extern int apparmor_initialized __initdata;
+extern int apparmor_initialized;
/* fn's in lib */
char *aa_split_fqname(char *args, char **ns_name);
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index 66475bda6f72..32cafc12593e 100644
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -180,13 +180,13 @@ bool aa_policy_init(struct aa_policy *policy, const char *prefix,
} else
policy->hname = kstrdup(name, gfp);
if (!policy->hname)
- return 0;
+ return false;
/* base.name is a substring of fqname */
policy->name = basename(policy->hname);
INIT_LIST_HEAD(&policy->list);
INIT_LIST_HEAD(&policy->profiles);
- return 1;
+ return true;
}
/**
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 709eacd23909..8f3c0f7aca5a 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -39,7 +39,7 @@
#include "include/procattr.h"
/* Flag indicating whether initialization completed */
-int apparmor_initialized __initdata;
+int apparmor_initialized;
DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
@@ -587,7 +587,7 @@ static int apparmor_task_setrlimit(struct task_struct *task,
return error;
}
-static struct security_hook_list apparmor_hooks[] = {
+static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
LSM_HOOK_INIT(capget, apparmor_capget),
@@ -681,7 +681,7 @@ module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
#endif
/* Debug mode */
-bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_DEBUG_MESSAGES);
+bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);
module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
/* Audit mode */
@@ -710,7 +710,7 @@ module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
/* Maximum pathname length before accesses will start getting rejected */
unsigned int aa_g_path_max = 2 * PATH_MAX;
-module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR);
+module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
/* Determines how paranoid loading of policy is and how much verification
* on the loaded policy is done.
@@ -738,78 +738,77 @@ __setup("apparmor=", apparmor_enabled_setup);
/* set global flag turning off the ability to load policy */
static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
{
- if (!policy_admin_capable(NULL))
+ if (!apparmor_enabled)
+ return -EINVAL;
+ if (apparmor_initialized && !policy_admin_capable(NULL))
return -EPERM;
return param_set_bool(val, kp);
}
static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
{
- if (!policy_view_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_view_capable(NULL))
+ return -EPERM;
return param_get_bool(buffer, kp);
}
static int param_set_aabool(const char *val, const struct kernel_param *kp)
{
- if (!policy_admin_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_admin_capable(NULL))
+ return -EPERM;
return param_set_bool(val, kp);
}
static int param_get_aabool(char *buffer, const struct kernel_param *kp)
{
- if (!policy_view_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_view_capable(NULL))
+ return -EPERM;
return param_get_bool(buffer, kp);
}
static int param_set_aauint(const char *val, const struct kernel_param *kp)
{
- if (!policy_admin_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_admin_capable(NULL))
+ return -EPERM;
return param_set_uint(val, kp);
}
static int param_get_aauint(char *buffer, const struct kernel_param *kp)
{
- if (!policy_view_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_view_capable(NULL))
+ return -EPERM;
return param_get_uint(buffer, kp);
}
static int param_get_audit(char *buffer, struct kernel_param *kp)
{
- if (!policy_view_capable(NULL))
- return -EPERM;
-
if (!apparmor_enabled)
return -EINVAL;
-
+ if (apparmor_initialized && !policy_view_capable(NULL))
+ return -EPERM;
return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
}
static int param_set_audit(const char *val, struct kernel_param *kp)
{
int i;
- if (!policy_admin_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
-
if (!val)
return -EINVAL;
+ if (apparmor_initialized && !policy_admin_capable(NULL))
+ return -EPERM;
for (i = 0; i < AUDIT_MAX_INDEX; i++) {
if (strcmp(val, audit_mode_names[i]) == 0) {
@@ -823,11 +822,10 @@ static int param_set_audit(const char *val, struct kernel_param *kp)
static int param_get_mode(char *buffer, struct kernel_param *kp)
{
- if (!policy_view_capable(NULL))
- return -EPERM;
-
if (!apparmor_enabled)
return -EINVAL;
+ if (apparmor_initialized && !policy_view_capable(NULL))
+ return -EPERM;
return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
}
@@ -835,14 +833,13 @@ static int param_get_mode(char *buffer, struct kernel_param *kp)
static int param_set_mode(const char *val, struct kernel_param *kp)
{
int i;
- if (!policy_admin_capable(NULL))
- return -EPERM;
if (!apparmor_enabled)
return -EINVAL;
-
if (!val)
return -EINVAL;
+ if (apparmor_initialized && !policy_admin_capable(NULL))
+ return -EPERM;
for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {
if (strcmp(val, aa_profile_mode_names[i]) == 0) {
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index def1fbd6bdfd..cf9d670dca94 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -876,9 +876,11 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile,
if (ns_name) {
ns = aa_prepare_ns(view, ns_name);
if (IS_ERR(ns)) {
+ op = OP_PROF_LOAD;
info = "failed to prepare namespace";
error = PTR_ERR(ns);
ns = NULL;
+ ent = NULL;
goto fail;
}
} else
@@ -1013,7 +1015,7 @@ fail_lock:
/* audit cause of failure */
op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
fail:
- audit_policy(profile, op, ns_name, ent->new->base.hname,
+ audit_policy(profile, op, ns_name, ent ? ent->new->base.hname : NULL,
info, error);
/* audit status that rest of profiles in the atomic set failed too */
info = "valid profile in failed atomic policy load";
@@ -1023,7 +1025,7 @@ fail:
/* skip entry that caused failure */
continue;
}
- op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
+ op = (!tmp->old) ? OP_PROF_LOAD : OP_PROF_REPL;
audit_policy(profile, op, ns_name,
tmp->new->base.hname, info, error);
}