Commit 5d5182ca authored by John Johansen's avatar John Johansen

apparmor: move to per loaddata files, instead of replicating in profiles

The loaddata sets cover more than just a single profile and should
be tracked at the ns level. Move the load data files under the namespace
and reference the files from the profiles via a symlink.
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
Reviewed-by: default avatarSeth Arnold <seth.arnold@canonical.com>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
parent 6623ec7c
This diff is collapsed.
...@@ -106,6 +106,7 @@ enum aafs_prof_type { ...@@ -106,6 +106,7 @@ enum aafs_prof_type {
#define prof_dir(X) ((X)->dents[AAFS_PROF_DIR]) #define prof_dir(X) ((X)->dents[AAFS_PROF_DIR])
#define prof_child_dir(X) ((X)->dents[AAFS_PROF_PROFS]) #define prof_child_dir(X) ((X)->dents[AAFS_PROF_PROFS])
void __aa_bump_ns_revision(struct aa_ns *ns);
void __aa_fs_profile_rmdir(struct aa_profile *profile); void __aa_fs_profile_rmdir(struct aa_profile *profile);
void __aa_fs_profile_migrate_dents(struct aa_profile *old, void __aa_fs_profile_migrate_dents(struct aa_profile *old,
struct aa_profile *new); struct aa_profile *new);
...@@ -114,4 +115,8 @@ void __aa_fs_ns_rmdir(struct aa_ns *ns); ...@@ -114,4 +115,8 @@ void __aa_fs_ns_rmdir(struct aa_ns *ns);
int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent,
const char *name); const char *name);
struct aa_loaddata;
void __aa_fs_remove_rawdata(struct aa_loaddata *rawdata);
int __aa_fs_create_rawdata(struct aa_ns *ns, struct aa_loaddata *rawdata);
#endif /* __AA_APPARMORFS_H */ #endif /* __AA_APPARMORFS_H */
...@@ -68,6 +68,9 @@ struct aa_ns { ...@@ -68,6 +68,9 @@ struct aa_ns {
atomic_t uniq_null; atomic_t uniq_null;
long uniq_id; long uniq_id;
int level; int level;
long revision;
struct list_head rawdata_list;
struct dentry *dents[AAFS_NS_SIZEOF]; struct dentry *dents[AAFS_NS_SIZEOF];
}; };
......
...@@ -17,6 +17,8 @@ ...@@ -17,6 +17,8 @@
#include <linux/list.h> #include <linux/list.h>
#include <linux/kref.h> #include <linux/kref.h>
#include <linux/dcache.h>
#include <linux/workqueue.h>
struct aa_load_ent { struct aa_load_ent {
struct list_head list; struct list_head list;
...@@ -36,26 +38,84 @@ struct aa_load_ent *aa_load_ent_alloc(void); ...@@ -36,26 +38,84 @@ struct aa_load_ent *aa_load_ent_alloc(void);
#define PACKED_MODE_KILL 2 #define PACKED_MODE_KILL 2
#define PACKED_MODE_UNCONFINED 3 #define PACKED_MODE_UNCONFINED 3
/* struct aa_loaddata - buffer of policy load data set */ struct aa_ns;
enum {
AAFS_LOADDATA_ABI = 0,
AAFS_LOADDATA_REVISION,
AAFS_LOADDATA_HASH,
AAFS_LOADDATA_DATA,
AAFS_LOADDATA_DIR, /* must be last actual entry */
AAFS_LOADDATA_NDENTS /* count of entries */
};
/*
* struct aa_loaddata - buffer of policy raw_data set
*
* there is no loaddata ref for being on ns list, nor a ref from
* d_inode(@dentry) when grab a ref from these, @ns->lock must be held
* && __aa_get_loaddata() needs to be used, and the return value
* checked, if NULL the loaddata is already being reaped and should be
* considered dead.
*/
struct aa_loaddata { struct aa_loaddata {
struct kref count; struct kref count;
struct list_head list;
struct work_struct work;
struct dentry *dents[AAFS_LOADDATA_NDENTS];
struct aa_ns *ns;
char *name;
size_t size; size_t size;
long revision; /* the ns policy revision this caused */
int abi; int abi;
unsigned char *hash; unsigned char *hash;
char data[]; char data[];
}; };
int aa_unpack(struct aa_loaddata *udata, struct list_head *lh, const char **ns); int aa_unpack(struct aa_loaddata *udata, struct list_head *lh, const char **ns);
/**
* __aa_get_loaddata - get a reference count to uncounted data reference
* @data: reference to get a count on
*
* Returns: pointer to reference OR NULL if race is lost and reference is
* being repeated.
* Requires: @data->ns->lock held, and the return code MUST be checked
*
* Use only from inode->i_private and @data->list found references
*/
static inline struct aa_loaddata *
__aa_get_loaddata(struct aa_loaddata *data)
{
if (data && kref_get_unless_zero(&(data->count)))
return data;
return NULL;
}
/**
* aa_get_loaddata - get a reference count from a counted data reference
* @data: reference to get a count on
*
* Returns: point to reference
* Requires: @data to have a valid reference count on it. It is a bug
* if the race to reap can be encountered when it is used.
*/
static inline struct aa_loaddata * static inline struct aa_loaddata *
aa_get_loaddata(struct aa_loaddata *data) aa_get_loaddata(struct aa_loaddata *data)
{ {
if (data) struct aa_loaddata *tmp = __aa_get_loaddata(data);
kref_get(&(data->count));
return data; AA_BUG(data && !tmp);
return tmp;
} }
void __aa_loaddata_update(struct aa_loaddata *data, long revision);
bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r);
void aa_loaddata_kref(struct kref *kref); void aa_loaddata_kref(struct kref *kref);
struct aa_loaddata *aa_loaddata_alloc(size_t size);
static inline void aa_put_loaddata(struct aa_loaddata *data) static inline void aa_put_loaddata(struct aa_loaddata *data)
{ {
if (data) if (data)
......
...@@ -840,10 +840,13 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile, ...@@ -840,10 +840,13 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile,
const char *ns_name, *info = NULL; const char *ns_name, *info = NULL;
struct aa_ns *ns = NULL; struct aa_ns *ns = NULL;
struct aa_load_ent *ent, *tmp; struct aa_load_ent *ent, *tmp;
struct aa_loaddata *rawdata_ent;
const char *op = OP_PROF_REPL; const char *op = OP_PROF_REPL;
ssize_t count, error; ssize_t count, error;
LIST_HEAD(lh); LIST_HEAD(lh);
aa_get_loaddata(udata);
/* released below */ /* released below */
error = aa_unpack(udata, &lh, &ns_name); error = aa_unpack(udata, &lh, &ns_name);
if (error) if (error)
...@@ -887,9 +890,24 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile, ...@@ -887,9 +890,24 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile,
ns = aa_get_ns(view); ns = aa_get_ns(view);
mutex_lock(&ns->lock); mutex_lock(&ns->lock);
/* check for duplicate rawdata blobs: space and file dedup */
list_for_each_entry(rawdata_ent, &ns->rawdata_list, list) {
if (aa_rawdata_eq(rawdata_ent, udata)) {
struct aa_loaddata *tmp;
tmp = __aa_get_loaddata(rawdata_ent);
/* check we didn't fail the race */
if (tmp) {
aa_put_loaddata(udata);
udata = tmp;
break;
}
}
}
/* setup parent and ns info */ /* setup parent and ns info */
list_for_each_entry(ent, &lh, list) { list_for_each_entry(ent, &lh, list) {
struct aa_policy *policy; struct aa_policy *policy;
ent->new->rawdata = aa_get_loaddata(udata); ent->new->rawdata = aa_get_loaddata(udata);
error = __lookup_replace(ns, ent->new->base.hname, noreplace, error = __lookup_replace(ns, ent->new->base.hname, noreplace,
&ent->old, &info); &ent->old, &info);
...@@ -929,6 +947,14 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile, ...@@ -929,6 +947,14 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile,
} }
/* create new fs entries for introspection if needed */ /* create new fs entries for introspection if needed */
if (!udata->dents[AAFS_LOADDATA_DIR]) {
error = __aa_fs_create_rawdata(ns, udata);
if (error) {
info = "failed to create raw_data dir and files";
ent = NULL;
goto fail_lock;
}
}
list_for_each_entry(ent, &lh, list) { list_for_each_entry(ent, &lh, list) {
if (ent->old) { if (ent->old) {
/* inherit old interface files */ /* inherit old interface files */
...@@ -955,10 +981,24 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile, ...@@ -955,10 +981,24 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile,
} }
/* Done with checks that may fail - do actual replacement */ /* Done with checks that may fail - do actual replacement */
__aa_bump_ns_revision(ns);
__aa_loaddata_update(udata, ns->revision);
list_for_each_entry_safe(ent, tmp, &lh, list) { list_for_each_entry_safe(ent, tmp, &lh, list) {
list_del_init(&ent->list); list_del_init(&ent->list);
op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL; op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL;
if (ent->old && ent->old->rawdata == ent->new->rawdata) {
/* dedup actual profile replacement */
audit_policy(profile, op, ns_name, ent->new->base.hname,
"same as current profile, skipping",
error);
goto skip;
}
/*
* TODO: finer dedup based on profile range in data. Load set
* can differ but profile may remain unchanged
*/
audit_policy(profile, op, NULL, ent->new->base.hname, audit_policy(profile, op, NULL, ent->new->base.hname,
NULL, error); NULL, error);
...@@ -998,12 +1038,14 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile, ...@@ -998,12 +1038,14 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile,
aa_get_profile(ent->new)); aa_get_profile(ent->new));
__list_add_profile(&ns->base.profiles, ent->new); __list_add_profile(&ns->base.profiles, ent->new);
} }
skip:
aa_load_ent_free(ent); aa_load_ent_free(ent);
} }
mutex_unlock(&ns->lock); mutex_unlock(&ns->lock);
out: out:
aa_put_ns(ns); aa_put_ns(ns);
aa_put_loaddata(udata);
if (error) if (error)
return error; return error;
...@@ -1013,7 +1055,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile, ...@@ -1013,7 +1055,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile,
mutex_unlock(&ns->lock); mutex_unlock(&ns->lock);
/* audit cause of failure */ /* audit cause of failure */
op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL; op = (ent && !ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
fail: fail:
audit_policy(profile, op, ns_name, ent ? ent->new->base.hname : NULL, audit_policy(profile, op, ns_name, ent ? ent->new->base.hname : NULL,
info, error); info, error);
...@@ -1085,6 +1127,7 @@ ssize_t aa_remove_profiles(struct aa_ns *view, struct aa_profile *subj, ...@@ -1085,6 +1127,7 @@ ssize_t aa_remove_profiles(struct aa_ns *view, struct aa_profile *subj,
/* remove namespace - can only happen if fqname[0] == ':' */ /* remove namespace - can only happen if fqname[0] == ':' */
mutex_lock(&ns->parent->lock); mutex_lock(&ns->parent->lock);
__aa_remove_ns(ns); __aa_remove_ns(ns);
__aa_bump_ns_revision(ns);
mutex_unlock(&ns->parent->lock); mutex_unlock(&ns->parent->lock);
} else { } else {
/* remove profile */ /* remove profile */
...@@ -1097,6 +1140,7 @@ ssize_t aa_remove_profiles(struct aa_ns *view, struct aa_profile *subj, ...@@ -1097,6 +1140,7 @@ ssize_t aa_remove_profiles(struct aa_ns *view, struct aa_profile *subj,
} }
name = profile->base.hname; name = profile->base.hname;
__remove_profile(profile); __remove_profile(profile);
__aa_bump_ns_revision(ns);
mutex_unlock(&ns->lock); mutex_unlock(&ns->lock);
} }
......
...@@ -99,6 +99,7 @@ static struct aa_ns *alloc_ns(const char *prefix, const char *name) ...@@ -99,6 +99,7 @@ static struct aa_ns *alloc_ns(const char *prefix, const char *name)
goto fail_ns; goto fail_ns;
INIT_LIST_HEAD(&ns->sub_ns); INIT_LIST_HEAD(&ns->sub_ns);
INIT_LIST_HEAD(&ns->rawdata_list);
mutex_init(&ns->lock); mutex_init(&ns->lock);
/* released by aa_free_ns() */ /* released by aa_free_ns() */
......
...@@ -122,16 +122,73 @@ static int audit_iface(struct aa_profile *new, const char *ns_name, ...@@ -122,16 +122,73 @@ static int audit_iface(struct aa_profile *new, const char *ns_name,
return aa_audit(AUDIT_APPARMOR_STATUS, profile, &sa, audit_cb); return aa_audit(AUDIT_APPARMOR_STATUS, profile, &sa, audit_cb);
} }
void __aa_loaddata_update(struct aa_loaddata *data, long revision)
{
AA_BUG(!data);
AA_BUG(!data->ns);
AA_BUG(!data->dents[AAFS_LOADDATA_REVISION]);
AA_BUG(!mutex_is_locked(&data->ns->lock));
AA_BUG(data->revision > revision);
data->revision = revision;
d_inode(data->dents[AAFS_LOADDATA_DIR])->i_mtime =
current_time(d_inode(data->dents[AAFS_LOADDATA_DIR]));
d_inode(data->dents[AAFS_LOADDATA_REVISION])->i_mtime =
current_time(d_inode(data->dents[AAFS_LOADDATA_REVISION]));
}
bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r)
{
if (l->size != r->size)
return false;
if (aa_g_hash_policy && memcmp(l->hash, r->hash, aa_hash_size()) != 0)
return false;
return memcmp(l->data, r->data, r->size) == 0;
}
/*
* need to take the ns mutex lock which is NOT safe most places that
* put_loaddata is called, so we have to delay freeing it
*/
static void do_loaddata_free(struct work_struct *work)
{
struct aa_loaddata *d = container_of(work, struct aa_loaddata, work);
struct aa_ns *ns = aa_get_ns(d->ns);
if (ns) {
mutex_lock(&ns->lock);
__aa_fs_remove_rawdata(d);
mutex_unlock(&ns->lock);
aa_put_ns(ns);
}
kzfree(d->hash);
kfree(d->name);
kvfree(d);
}
void aa_loaddata_kref(struct kref *kref) void aa_loaddata_kref(struct kref *kref)
{ {
struct aa_loaddata *d = container_of(kref, struct aa_loaddata, count); struct aa_loaddata *d = container_of(kref, struct aa_loaddata, count);
if (d) { if (d) {
kzfree(d->hash); INIT_WORK(&d->work, do_loaddata_free);
kvfree(d); schedule_work(&d->work);
} }
} }
struct aa_loaddata *aa_loaddata_alloc(size_t size)
{
struct aa_loaddata *d = kvzalloc(sizeof(*d) + size, GFP_KERNEL);
if (d == NULL)
return ERR_PTR(-ENOMEM);
kref_init(&d->count);
INIT_LIST_HEAD(&d->list);
return d;
}
/* test if read will be in packed data bounds */ /* test if read will be in packed data bounds */
static bool inbounds(struct aa_ext *e, size_t size) static bool inbounds(struct aa_ext *e, size_t size)
{ {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment