path: root/security/apparmor/policy.c
Commit message [Author, Age, Files, Lines]
* Merge branch 'master' of git://git.infradead.org/users/eparis/selinux into next [James Morris, 2012-05-22, 1, -1/+1]
|\
| |   Per pull request, for 3.5.
| * LSM: do not initialize common_audit_data to 0 [Eric Paris, 2012-04-09, 1, -1/+1]
| |   It isn't needed. If you don't set the type of the data associated with
| |   that type it is a pretty obvious programming bug. So why waste the cycles?
| |
| |   Signed-off-by: Eric Paris <eparis@redhat.com>
| * LSM: remove the COMMON_AUDIT_DATA_INIT type expansion [Eric Paris, 2012-04-09, 1, -1/+1]
| |   Just open code it so grep on the source code works better.
| |
| |   Signed-off-by: Eric Paris <eparis@redhat.com>
* | apparmor: fix profile lookup for unconfined [John Johansen, 2012-05-18, 1, -0/+4]
|/
|   BugLink: http://bugs.launchpad.net/bugs/978038
|
|   also affects apparmor portion of
|   BugLink: http://bugs.launchpad.net/bugs/987371
|
|   The unconfined profile is not stored in the regular profile list, but
|   change_profile and exec transitions may want access to it when setting up
|   specialized transitions like switch to the unconfined profile of a new
|   policy namespace.
|
|   Signed-off-by: John Johansen <john.johansen@canonical.com>
* LSM: shrink sizeof LSM specific portion of common_audit_data [Eric Paris, 2012-04-03, 1, -4/+6]
|   Linus found that the gigantic size of the common audit data caused a big
|   perf hit on something as simple as running stat() in a loop. This patch
|   requires LSMs to declare the LSM specific portion separately rather than
|   doing it in a union. Thus each LSM can be responsible for shrinking their
|   portion and don't have to pay a penalty just because other LSMs have a
|   bigger space requirement.
|
|   Signed-off-by: Eric Paris <eparis@redhat.com>
|   Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* AppArmor: add const qualifiers to string arrays [Jan Engelhardt, 2012-03-15, 1, -1/+1]
|   Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
|   Signed-off-by: John Johansen <john.johansen@canonical.com>
* AppArmor: Add ability to load extended policy [John Johansen, 2012-03-15, 1, -0/+1]
|   Add the base support for the new policy extensions. This does not bring
|   any additional functionality, or change current semantics.
|
|   Signed-off-by: John Johansen <john.johansen@canonical.com>
|   Acked-by: Kees Cook <kees@ubuntu.com>
* APPARMOR: Fix memory leak of alloc_namespace() [wzt.wzt@gmail.com, 2010-11-10, 1, -1/+1]
|   policy->name is a substring of policy->hname, if prefix is not NULL, it
|   will allocate strlen(prefix) + strlen(name) + 3 bytes to policy->hname in
|   policy_init(). use kzfree(ns->base.name) will cause memory leak if
|   alloc_namespace() failed.
|
|   Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com>
|   Signed-off-by: John Johansen <john.johansen@canonical.com>
|   Signed-off-by: James Morris <jmorris@namei.org>
* AppArmor: Fix locking from removal of profile namespace [John Johansen, 2010-09-08, 1, -2/+4]
|   The locking for profile namespace removal is wrong, when removing a
|   profile namespace, it needs to be removed from its parent's list. Lock
|   the parent of namespace list instead of the namespace being removed.
|
|   Signed-off-by: John Johansen <john.johansen@canonical.com>
|   Signed-off-by: James Morris <jmorris@namei.org>
* AppArmor: core policy routines [John Johansen, 2010-08-02, 1, -0/+1184]
    The basic routines and defines for AppArmor policy. AppArmor policy
    is defined by a few basic components.
      profiles - the basic unit of confinement contain all the information
                 to enforce policy on a task

                 Profiles tend to be named after an executable that they
                 will attach to but this is not required.
      namespaces - a container for a set of profiles that will be used
                 during attachment and transitions between profiles.
      sids - which provide a unique id for each profile

    Signed-off-by: John Johansen <john.johansen@canonical.com>
    Signed-off-by: James Morris <jmorris@namei.org>