summaryrefslogtreecommitdiffstats
path: root/security/apparmor
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2017-01-16 09:42:47 +0100
committerJohn Johansen <john.johansen@canonical.com>2017-01-16 10:18:37 +0100
commitb79473f2de3eb3320e2a145da8a2ea03c7331784 (patch)
treee02004ebe5b7e02d900c603d988126fb0ece719a /security/apparmor
parentapparmor: track ns level so it can be used to help in view checks (diff)
downloadlinux-b79473f2de3eb3320e2a145da8a2ea03c7331784.tar.xz
linux-b79473f2de3eb3320e2a145da8a2ea03c7331784.zip
apparmor: Make aa_remove_profile() callable from a different view
This is prep work for fs operations being able to remove namespaces. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor')
-rw-r--r--security/apparmor/apparmorfs.c3
-rw-r--r--security/apparmor/include/policy.h2
-rw-r--r--security/apparmor/policy.c7
3 files changed, 7 insertions, 5 deletions
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 2501a65fe7d3..14b96a44a3f5 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -180,7 +180,8 @@ static ssize_t profile_remove(struct file *f, const char __user *buf,
error = PTR_ERR(data);
if (!IS_ERR(data)) {
data[size] = 0;
- error = aa_remove_profiles(data, size);
+ error = aa_remove_profiles(__aa_current_profile()->ns, data,
+ size);
kvfree(data);
}
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 3527e3f5a099..8fcfb3c78d21 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -187,7 +187,7 @@ struct aa_profile *aa_match_profile(struct aa_ns *ns, const char *name);
ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
bool noreplace);
-ssize_t aa_remove_profiles(char *name, size_t size);
+ssize_t aa_remove_profiles(struct aa_ns *view, char *name, size_t size);
void __aa_profile_list_release(struct list_head *head);
#define PROF_ADD 1
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 046edecc4c8a..0314faeacccd 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -944,6 +944,7 @@ free:
/**
* aa_remove_profiles - remove profile(s) from the system
+ * @view: namespace the remove is being done from
* @fqname: name of the profile or namespace to remove (NOT NULL)
* @size: size of the name
*
@@ -954,9 +955,9 @@ free:
*
* Returns: size of data consume else error code if fails
*/
-ssize_t aa_remove_profiles(char *fqname, size_t size)
+ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size)
{
- struct aa_ns *root, *ns = NULL;
+ struct aa_ns *root = NULL, *ns = NULL;
struct aa_profile *profile = NULL;
const char *name = fqname, *info = NULL;
ssize_t error = 0;
@@ -967,7 +968,7 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
goto fail;
}
- root = aa_current_profile()->ns;
+ root = view;
if (fqname[0] == ':') {
char *ns_name;