mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-05 17:01:00 +01:00
404 lines
12 KiB
Diff
404 lines
12 KiB
Diff
Don't call task structs differnt all over the code (p, tsk, target).
|
|
|
|
Index: b/security/apparmor/apparmor.h
|
|
===================================================================
|
|
--- a/security/apparmor/apparmor.h
|
|
+++ b/security/apparmor/apparmor.h
|
|
@@ -230,9 +230,9 @@ extern int aa_perm_dir(struct aa_profile
|
|
extern int aa_link(struct aa_profile *profile,
|
|
struct dentry *link, struct vfsmount *link_mnt,
|
|
struct dentry *target, struct vfsmount *target_mnt);
|
|
-extern int aa_fork(struct task_struct *p);
|
|
+extern int aa_fork(struct task_struct *task);
|
|
extern int aa_register(struct linux_binprm *bprm);
|
|
-extern void aa_release(struct task_struct *p);
|
|
+extern void aa_release(struct task_struct *task);
|
|
extern int aa_change_hat(const char *id, u32 hat_magic);
|
|
extern int aa_associate_filp(struct file *filp);
|
|
|
|
@@ -260,7 +260,8 @@ extern void free_aa_profile_kref(struct
|
|
/* procattr.c */
|
|
extern size_t aa_getprocattr(struct aa_profile *profile, char *str, size_t size);
|
|
extern int aa_setprocattr_changehat(char *hatinfo, size_t infosize);
|
|
-extern int aa_setprocattr_setprofile(struct task_struct *p, char *profilename,
|
|
+extern int aa_setprocattr_setprofile(struct task_struct *task,
|
|
+ char *profilename,
|
|
size_t profilesize);
|
|
|
|
/* apparmorfs.c */
|
|
Index: b/security/apparmor/inline.h
|
|
===================================================================
|
|
--- a/security/apparmor/inline.h
|
|
+++ b/security/apparmor/inline.h
|
|
@@ -77,12 +77,12 @@ static inline void aa_switch_to_profile(
|
|
|
|
/**
|
|
* alloc_aa_task_context - allocate a new aa_task_context
|
|
- * @tsk: task struct
|
|
+ * @task: task struct
|
|
*
|
|
* Allocate a new aa_task_context including a backpointer to it's referring
|
|
* task.
|
|
*/
|
|
-static inline struct aa_task_context *alloc_aa_task_context(struct task_struct *tsk)
|
|
+static inline struct aa_task_context *alloc_aa_task_context(struct task_struct *task)
|
|
{
|
|
struct aa_task_context *cxt;
|
|
|
|
@@ -91,7 +91,7 @@ static inline struct aa_task_context *al
|
|
goto out;
|
|
|
|
/* back pointer to task */
|
|
- cxt->task = tsk;
|
|
+ cxt->task = task;
|
|
|
|
/* any readers of the list must make sure that they can handle
|
|
* case where cxt->profile is not yet set (null)
|
|
Index: b/security/apparmor/lsm.c
|
|
===================================================================
|
|
--- a/security/apparmor/lsm.c
|
|
+++ b/security/apparmor/lsm.c
|
|
@@ -109,41 +109,41 @@ static int apparmor_ptrace(struct task_s
|
|
return error;
|
|
}
|
|
|
|
-static int apparmor_capget(struct task_struct *target,
|
|
+static int apparmor_capget(struct task_struct *task,
|
|
kernel_cap_t *effective,
|
|
kernel_cap_t *inheritable,
|
|
kernel_cap_t *permitted)
|
|
{
|
|
- return cap_capget(target, effective, inheritable, permitted);
|
|
+ return cap_capget(task, effective, inheritable, permitted);
|
|
}
|
|
|
|
-static int apparmor_capset_check(struct task_struct *target,
|
|
+static int apparmor_capset_check(struct task_struct *task,
|
|
kernel_cap_t *effective,
|
|
kernel_cap_t *inheritable,
|
|
kernel_cap_t *permitted)
|
|
{
|
|
- return cap_capset_check(target, effective, inheritable, permitted);
|
|
+ return cap_capset_check(task, effective, inheritable, permitted);
|
|
}
|
|
|
|
-static void apparmor_capset_set(struct task_struct *target,
|
|
+static void apparmor_capset_set(struct task_struct *task,
|
|
kernel_cap_t *effective,
|
|
kernel_cap_t *inheritable,
|
|
kernel_cap_t *permitted)
|
|
{
|
|
- cap_capset_set(target, effective, inheritable, permitted);
|
|
+ cap_capset_set(task, effective, inheritable, permitted);
|
|
}
|
|
|
|
-static int apparmor_capable(struct task_struct *tsk, int cap)
|
|
+static int apparmor_capable(struct task_struct *task, int cap)
|
|
{
|
|
int error;
|
|
|
|
/* cap_capable returns 0 on success, else -EPERM */
|
|
- error = cap_capable(tsk, cap);
|
|
+ error = cap_capable(task, cap);
|
|
|
|
if (!error) {
|
|
struct aa_profile *profile;
|
|
|
|
- profile = aa_get_profile(tsk);
|
|
+ profile = aa_get_profile(task);
|
|
|
|
if (profile)
|
|
error = aa_capability(profile, cap);
|
|
@@ -480,14 +480,14 @@ static int apparmor_file_mprotect(struct
|
|
!(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
|
|
}
|
|
|
|
-static int apparmor_task_alloc_security(struct task_struct *p)
|
|
+static int apparmor_task_alloc_security(struct task_struct *task)
|
|
{
|
|
- return aa_fork(p);
|
|
+ return aa_fork(task);
|
|
}
|
|
|
|
-static void apparmor_task_free_security(struct task_struct *p)
|
|
+static void apparmor_task_free_security(struct task_struct *task)
|
|
{
|
|
- aa_release(p);
|
|
+ aa_release(task);
|
|
}
|
|
|
|
static int apparmor_task_post_setuid(uid_t id0, uid_t id1, uid_t id2,
|
|
@@ -496,13 +496,13 @@ static int apparmor_task_post_setuid(uid
|
|
return cap_task_post_setuid(id0, id1, id2, flags);
|
|
}
|
|
|
|
-static void apparmor_task_reparent_to_init(struct task_struct *p)
|
|
+static void apparmor_task_reparent_to_init(struct task_struct *task)
|
|
{
|
|
- cap_task_reparent_to_init(p);
|
|
+ cap_task_reparent_to_init(task);
|
|
}
|
|
|
|
-static int apparmor_getprocattr(struct task_struct *p, char *name, void *value,
|
|
- size_t size)
|
|
+static int apparmor_getprocattr(struct task_struct *task, char *name,
|
|
+ void *value, size_t size)
|
|
{
|
|
int error;
|
|
struct aa_profile *profile;
|
|
@@ -515,12 +515,12 @@ static int apparmor_getprocattr(struct t
|
|
}
|
|
|
|
/* must be task querying itself or admin */
|
|
- if (current != p && !capable(CAP_SYS_ADMIN)) {
|
|
+ if (current != task && !capable(CAP_SYS_ADMIN)) {
|
|
error = -EPERM;
|
|
goto out;
|
|
}
|
|
|
|
- profile = aa_get_profile(p);
|
|
+ profile = aa_get_profile(task);
|
|
error = aa_getprocattr(profile, str, size);
|
|
aa_put_profile(profile);
|
|
|
|
@@ -528,8 +528,8 @@ out:
|
|
return error;
|
|
}
|
|
|
|
-static int apparmor_setprocattr(struct task_struct *p, char *name, void *value,
|
|
- size_t size)
|
|
+static int apparmor_setprocattr(struct task_struct *task, char *name,
|
|
+ void *value, size_t size)
|
|
{
|
|
const char *cmd_changehat = "changehat ",
|
|
*cmd_setprofile = "setprofile ";
|
|
@@ -551,15 +551,15 @@ static int apparmor_setprocattr(struct t
|
|
size_t infosize = size - strlen(cmd_changehat);
|
|
|
|
/* Only the current process may change it's hat */
|
|
- if (current != p) {
|
|
+ if (current != task) {
|
|
AA_WARN("%s: Attempt by foreign task %s(%d) "
|
|
"[user %d] to changehat of task %s(%d)\n",
|
|
__FUNCTION__,
|
|
current->comm,
|
|
current->pid,
|
|
current->uid,
|
|
- p->comm,
|
|
- p->pid);
|
|
+ task->comm,
|
|
+ task->pid);
|
|
|
|
error = -EACCES;
|
|
goto out;
|
|
@@ -585,8 +585,8 @@ static int apparmor_setprocattr(struct t
|
|
current->comm,
|
|
current->pid,
|
|
current->uid,
|
|
- p->comm,
|
|
- p->pid);
|
|
+ task->comm,
|
|
+ task->pid);
|
|
error = -EACCES;
|
|
goto out;
|
|
}
|
|
@@ -596,7 +596,7 @@ static int apparmor_setprocattr(struct t
|
|
char *profile = cmd + strlen(cmd_setprofile);
|
|
size_t profilesize = size - strlen(cmd_setprofile);
|
|
|
|
- error = aa_setprocattr_setprofile(p, profile, profilesize);
|
|
+ error = aa_setprocattr_setprofile(task, profile, profilesize);
|
|
if (!error)
|
|
/* success,
|
|
* set return to #bytes in orig request
|
|
@@ -609,8 +609,8 @@ static int apparmor_setprocattr(struct t
|
|
current->comm,
|
|
current->pid,
|
|
current->uid,
|
|
- p->comm,
|
|
- p->pid);
|
|
+ task->comm,
|
|
+ task->pid);
|
|
|
|
error = -EACCES;
|
|
}
|
|
@@ -625,8 +625,8 @@ static int apparmor_setprocattr(struct t
|
|
current->comm,
|
|
current->pid,
|
|
current->uid,
|
|
- p->comm,
|
|
- p->pid);
|
|
+ task->comm,
|
|
+ task->pid);
|
|
|
|
error = -EINVAL;
|
|
}
|
|
Index: b/security/apparmor/main.c
|
|
===================================================================
|
|
--- a/security/apparmor/main.c
|
|
+++ b/security/apparmor/main.c
|
|
@@ -725,9 +725,9 @@ int aa_link(struct aa_profile *profile,
|
|
|
|
/**
|
|
* aa_fork - create a new aa_task_context
|
|
- * @p: new process
|
|
+ * @task: new process
|
|
*
|
|
- * Create a new aa_task_context for newly created process @p if it's parent
|
|
+ * Create a new aa_task_context for newly created process @task if it's parent
|
|
* is already confined. Otherwise a aa_task_context will be lazily allocated
|
|
* will get one with NULL values. Return 0 on sucess.
|
|
* for the child if it subsequently execs (in aa_register).
|
|
@@ -737,7 +737,7 @@ int aa_link(struct aa_profile *profile,
|
|
* replacement/removal.
|
|
*/
|
|
|
|
-int aa_fork(struct task_struct *p)
|
|
+int aa_fork(struct task_struct *task)
|
|
{
|
|
struct aa_task_context *cxt = aa_task_context(current);
|
|
struct aa_task_context *newcxt = NULL;
|
|
@@ -747,7 +747,7 @@ int aa_fork(struct task_struct *p)
|
|
if (cxt && cxt->profile) {
|
|
unsigned long flags;
|
|
|
|
- newcxt = alloc_aa_task_context(p);
|
|
+ newcxt = alloc_aa_task_context(task);
|
|
|
|
/* FIXME: The alloc above is a blocking operation, so
|
|
* cxt->profile may have vanished by now.
|
|
@@ -773,9 +773,9 @@ int aa_fork(struct task_struct *p)
|
|
cxt->profile == null_complain_profile)
|
|
LOG_HINT(cxt->profile, GFP_KERNEL, HINT_FORK,
|
|
"pid=%d child=%d\n",
|
|
- current->pid, p->pid);
|
|
+ current->pid, task->pid);
|
|
}
|
|
- p->security = newcxt;
|
|
+ task->security = newcxt;
|
|
return 0;
|
|
}
|
|
|
|
@@ -1063,10 +1063,10 @@ out:
|
|
|
|
/**
|
|
* aa_release - release the task's aa_task_context
|
|
- * @p: task being released
|
|
+ * @task: task being released
|
|
*
|
|
* This is called after a task has exited and the parent has reaped it.
|
|
- * @p->security blob is freed.
|
|
+ * @task->security blob is freed.
|
|
*
|
|
* This is the one case where we don't need to hold the cxt_lock before
|
|
* removing a profile from a aa_task_context. Once the aa_task_context has
|
|
@@ -1074,11 +1074,11 @@ out:
|
|
* writers. There may still be other readers so we must still use
|
|
* aa_switch_to_profile to put the aa_task_context's reference safely.
|
|
*/
|
|
-void aa_release(struct task_struct *p)
|
|
+void aa_release(struct task_struct *task)
|
|
{
|
|
- struct aa_task_context *cxt = aa_task_context(p);
|
|
+ struct aa_task_context *cxt = aa_task_context(task);
|
|
if (cxt) {
|
|
- p->security = NULL;
|
|
+ task->security = NULL;
|
|
|
|
aa_task_context_list_remove(cxt);
|
|
aa_switch_to_profile(cxt, NULL, 0);
|
|
Index: b/security/apparmor/procattr.c
|
|
===================================================================
|
|
--- a/security/apparmor/procattr.c
|
|
+++ b/security/apparmor/procattr.c
|
|
@@ -171,7 +171,7 @@ out:
|
|
return error;
|
|
}
|
|
|
|
-int aa_setprocattr_setprofile(struct task_struct *p, char *profilename,
|
|
+int aa_setprocattr_setprofile(struct task_struct *task, char *profilename,
|
|
size_t profilesize)
|
|
{
|
|
int error = -EINVAL;
|
|
@@ -213,7 +213,7 @@ int aa_setprocattr_setprofile(struct tas
|
|
AA_WARN("%s: Unable to switch task %s(%d) to profile"
|
|
"'%s'. No such profile.\n",
|
|
__FUNCTION__,
|
|
- p->comm, p->pid,
|
|
+ task->comm, task->pid,
|
|
name);
|
|
|
|
error = -EINVAL;
|
|
@@ -223,7 +223,7 @@ int aa_setprocattr_setprofile(struct tas
|
|
|
|
spin_lock_irqsave(&cxt_lock, flags);
|
|
|
|
- cxt = aa_task_context(p);
|
|
+ cxt = aa_task_context(task);
|
|
|
|
/* switch to unconstrained */
|
|
if (!profile) {
|
|
@@ -231,7 +231,7 @@ int aa_setprocattr_setprofile(struct tas
|
|
AA_WARN("%s: Unconstraining task %s(%d) "
|
|
"profile %s active %s\n",
|
|
__FUNCTION__,
|
|
- p->comm, p->pid,
|
|
+ task->comm, task->pid,
|
|
BASE_PROFILE(cxt->profile)->name,
|
|
cxt->profile->name);
|
|
|
|
@@ -239,7 +239,7 @@ int aa_setprocattr_setprofile(struct tas
|
|
} else {
|
|
AA_WARN("%s: task %s(%d) "
|
|
"is already unconstrained\n",
|
|
- __FUNCTION__, p->comm, p->pid);
|
|
+ __FUNCTION__, task->comm, task->pid);
|
|
}
|
|
} else {
|
|
if (!cxt) {
|
|
@@ -247,18 +247,18 @@ int aa_setprocattr_setprofile(struct tas
|
|
* loaded, allocate a aa_task_context
|
|
*/
|
|
AA_WARN("%s: task %s(%d) has no aa_task_context\n",
|
|
- __FUNCTION__, p->comm, p->pid);
|
|
+ __FUNCTION__, task->comm, task->pid);
|
|
|
|
/* unlock so we can safely GFP_KERNEL */
|
|
spin_unlock_irqrestore(&cxt_lock, flags);
|
|
|
|
- cxt = alloc_aa_task_context(p);
|
|
+ cxt = alloc_aa_task_context(task);
|
|
if (!cxt) {
|
|
AA_WARN("%s: Unable to allocate "
|
|
"aa_task_context for task %s(%d). "
|
|
"Cannot confine task to profile %s\n",
|
|
__FUNCTION__,
|
|
- p->comm, p->pid,
|
|
+ task->comm, task->pid,
|
|
name);
|
|
|
|
error = -ENOMEM;
|
|
@@ -268,11 +268,11 @@ int aa_setprocattr_setprofile(struct tas
|
|
}
|
|
|
|
spin_lock_irqsave(&cxt_lock, flags);
|
|
- if (!aa_task_context(p)) {
|
|
- p->security = cxt;
|
|
+ if (!aa_task_context(task)) {
|
|
+ task->security = cxt;
|
|
} else { /* race */
|
|
free_aa_task_context(cxt);
|
|
- cxt = aa_task_context(p);
|
|
+ cxt = aa_task_context(task);
|
|
}
|
|
}
|
|
|
|
@@ -302,7 +302,7 @@ int aa_setprocattr_setprofile(struct tas
|
|
AA_WARN("%s: Switching task %s(%d) "
|
|
"profile %s active %s to new profile %s\n",
|
|
__FUNCTION__,
|
|
- p->comm, p->pid,
|
|
+ task->comm, task->pid,
|
|
cxt->profile ? BASE_PROFILE(cxt->profile)->name :
|
|
"unconstrained",
|
|
cxt->profile ? cxt->profile->name : "unconstrained",
|