From patchwork Fri Jul 30 07:02:58 2010
X-Patchwork-Submitter: John Johansen
X-Patchwork-Id: 60336
Message-ID: <4C527922.7090404@canonical.com>
Date: Fri, 30 Jul 2010 00:02:58 -0700
From: John Johansen
Organization: Canonical
To: Kernel team list
Subject: [Maverick][PATCH][pull request] sync to AppArmor mainline 2010-07-29

This is a pull-request to sync apparmor with the mainline version.

In doing this tree I did a rebase popping off the 2 compatibility patches. And applied commit a0cd75e19f450e7f231ac05c53ff471eb24541b9 immediately after the previous sync c4fa4d12e4f8cbbd142e617214244b6f9c59baf0 and then pushed the 2 compatibility patches back on top. This keeps the base clean (matching what is upstream) without having to fix up the compatibility patches that are on top.

The attached patch is the sync commit a0cd75 that I slipped in, so the sync can be pulled from the tree or patch.

The following changes since commit a0cd75e19f450e7f231ac05c53ff471eb24541b9:

  John Johansen (1):
        UBUNTU: SAUCE: AppArmor: -- sync to AppArmor mainline 2010-07-29

are available in the git repository at:

  git://kernel.ubuntu.com/jj/ubuntu-maverick apparmor

John Johansen (2):
      UBUNTU: SAUCE: AppArmor 2.4 compatibility patch
      UBUNTU: SAUCE: AppArmor: Allow dfa backward compatibility with broken userspace

 include/linux/lsm_audit.h              |    4 +
 security/apparmor/Kconfig              |    9 +++
 security/apparmor/Makefile             |    8 ++-
 security/apparmor/apparmorfs-24.c      |    2 +-
 security/apparmor/apparmorfs.c         |   18 +++++-
 security/apparmor/include/apparmorfs.h |    6 ++
 security/apparmor/include/policy.h     |    3 +
 security/apparmor/lsm.c                |  112 ++++++++++++++++++++++++++++++++
 security/apparmor/match.c              |   17 +++++
 security/apparmor/net.c                |    8 ++-
 security/apparmor/policy.c             |    1 +
 security/apparmor/policy_unpack.c      |   39 +++++++++++-
 12 files changed, 219 insertions(+), 8 deletions(-)

0001-UBUNTU-SAUCE-AppArmor-sync-to-AppArmor-mainline-2010.patch

From a0cd75e19f450e7f231ac05c53ff471eb24541b9 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Thu, 29 Jul 2010 17:11:12 -0700
Subject: [PATCH] UBUNTU: SAUCE: AppArmor: -- sync to AppArmor mainline 2010-07-29

Sync to version of AppArmor in security-next tree as of 2010-07-29

Signed-off-by: John Johansen --- Documentation/apparmor.txt | 40 ++++++++++++++++++++++++++++++++ Documentation/kernel-parameters.txt | 12 ++++++++- MAINTAINERS | 8 ++++++ security/apparmor/Kconfig | 6 ++-- security/apparmor/apparmorfs.c | 12 ++++---- security/apparmor/audit.c | 4 +- security/apparmor/capability.c | 2 +- security/apparmor/context.c | 2 +- security/apparmor/domain.c | 22 ++++++++++------- security/apparmor/file.c | 2 +- security/apparmor/include/apparmor.h | 9 +++---- security/apparmor/include/apparmorfs.h | 2 +- security/apparmor/include/file.h | 6 ++-- security/apparmor/include/match.h | 2 +- security/apparmor/include/policy.h | 32 ++++++++++++------------- security/apparmor/include/procattr.h | 2 +- security/apparmor/include/resource.h | 4 +- security/apparmor/lib.c | 11 +++++--- security/apparmor/lsm.c | 2 +- security/apparmor/match.c | 4 +- security/apparmor/path.c | 6 ++-- security/apparmor/policy.c | 24 +++++++++--------- security/apparmor/policy_unpack.c | 17 +++++++++---- security/apparmor/procattr.c | 6 ++-- security/apparmor/resource.c | 2 +- 25 files changed, 153 insertions(+), 86 deletions(-) create mode 100644 Documentation/apparmor.txt -- 1.7.0.4 diff --git a/Documentation/apparmor.txt b/Documentation/apparmor.txt new file mode 100644 index 0000000..6240438 --- /dev/null +++ b/Documentation/apparmor.txt 
@@ -0,0 +1,40 @@ +--- What is AppArmor? --- + +AppArmor is MAC style security extension for the Linux kernel. It implements +a task centered policy, with task "profiles" being created and loaded +from user space. Tasks on the system that do not have a profile defined for +them run in an unconfined state which is equivalent to standard Linux DAC +permissions. + +--- How to enable/disable --- + +set CONFIG_SECURITY_APPARMOR=y + +If AppArmor should be selected as the default security module then + set CONFIG_DEFAULT_SECURITY="apparmor" + and CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 + +Build the kernel + +If AppArmor is not the default security module it can be enabled by passing +security=apparmor on the kernel's command line. + +If AppArmor is the default security module it can be disabled by passing +apparmor=0, security=XXXX (where XXX is valid security module), on the +kernel's command line + +For AppArmor to enforce any restrictions beyond standard Linux DAC permissions +policy must be loaded into the kernel from user space (see the Documentation +and tools links). + +--- Documentation --- + +Documentation can be found on the wiki. + +--- Links --- + +Mailing List - apparmor@lists.ubuntu.com +Wiki - http://apparmor.wiki.kernel.org/ +User space tools - https://launchpad.net/apparmor +Kernel module - git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git + diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index 4ddb58d..b61f89f 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -93,6 +93,7 @@ parameter is applicable: Documentation/scsi/. SECURITY Different security models are enabled. SELINUX SELinux support is enabled. + APPARMOR AppArmor support is enabled. SERIAL Serial support is enabled. SH SuperH architecture is enabled. SMP The kernel is an SMP kernel. 
@@ -254,8 +255,8 @@ and is between 256 and 4096 characters. It is defined in the file control method, with respect to putting devices into low power states, to be enforced (the ACPI 2.0 ordering of _PTS is used by default). - s4_nonvs prevents the kernel from saving/restoring the - ACPI NVS memory during hibernation. + nonvs prevents the kernel from saving/restoring the + ACPI NVS memory during suspend/hibernation and resume. sci_force_enable causes the kernel to set SCI_EN directly on resume from S1/S3 (which is against the ACPI spec, but some broken systems don't work without it). @@ -2312,6 +2313,13 @@ and is between 256 and 4096 characters. It is defined in the file If enabled at boot time, /selinux/disable can be used later to disable prior to initial policy load. + apparmor= [APPARMOR] Disable or enable AppArmor at boot time + Format: { "0" | "1" } + See security/apparmor/Kconfig help text + 0 -- disable. + 1 -- enable. + Default value is set via kernel config option. + serialnumber [BUGS=X86-32] shapers= [NET] diff --git a/MAINTAINERS b/MAINTAINERS index db3d0f5..b4e8b7d 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -5061,6 +5061,14 @@ S: Supported F: include/linux/selinux* F: security/selinux/ +APPARMOR SECURITY MODULE +M: John Johansen +L: apparmor@lists.ubuntu.com (subscribers-only, general discussion) +W: apparmor.wiki.kernel.org +T: git git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git +S: Supported +F: security/apparmor/ + SENSABLE PHANTOM M: Jiri Slaby S: Maintained diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig index c054cf7..72555b9 100644 --- a/security/apparmor/Kconfig +++ b/security/apparmor/Kconfig @@ -10,7 +10,7 @@ config SECURITY_APPARMOR This enables the AppArmor security module. Required userspace tools (if they are not included in your distribution) and further information may be found at - + http://apparmor.wiki.kernel.org If you are unsure how to answer this question, answer N. 
@@ -24,8 +24,8 @@ config SECURITY_APPARMOR_BOOTPARAM_VALUE 'apparmor', which allows AppArmor to be enabled or disabled at boot. If this option is set to 0 (zero), the AppArmor kernel parameter will default to 0, disabling AppArmor at - bootup. If this option is set to 1 (one), the AppArmor + boot. If this option is set to 1 (one), the AppArmor kernel parameter will default to 1, enabling AppArmor at - bootup. + boot. If you are unsure how to answer this question, answer 1. diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index d8a27a4..7320331 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -139,9 +139,9 @@ static const struct file_operations aa_fs_profile_remove = { /** Base file system setup **/ -static struct dentry *aa_fs_dentry; +static struct dentry *aa_fs_dentry __initdata; -static void aafs_remove(const char *name) +static void __init aafs_remove(const char *name) { struct dentry *dentry; @@ -160,8 +160,8 @@ static void aafs_remove(const char *name) * * Used aafs_remove to remove entries created with this fn. */ -static int aafs_create(const char *name, int mask, - const struct file_operations *fops) +static int __init aafs_create(const char *name, int mask, + const struct file_operations *fops) { struct dentry *dentry; @@ -176,7 +176,7 @@ static int aafs_create(const char *name, int mask, * * releases dentries allocated by aa_create_aafs */ -void aa_destroy_aafs(void) +void __init aa_destroy_aafs(void) { if (aa_fs_dentry) { aafs_remove(".remove"); @@ -195,7 +195,7 @@ void aa_destroy_aafs(void) * * Returns: error on failure */ -int aa_create_aafs(void) +int __init aa_create_aafs(void) { int error; diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c index d0311eb..96502b2 100644 --- a/security/apparmor/audit.c +++ b/security/apparmor/audit.c 
@@ -197,10 +197,10 @@ int aa_audit(int type, struct aa_profile *profile, gfp_t gfp, AUDIT_MODE(profile) == AUDIT_QUIET)) return sa->aad.error; - if (profile && KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED) + if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED) type = AUDIT_APPARMOR_KILL; - if (profile && !unconfined(profile)) + if (!unconfined(profile)) sa->aad.profile = profile; aa_audit_msg(type, sa, cb); diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c index 80f710f..9982c48 100644 --- a/security/apparmor/capability.c +++ b/security/apparmor/capability.c @@ -56,7 +56,7 @@ static void audit_cb(struct audit_buffer *ab, void *va) * Do auditing of capability and handle, audit/complain/kill modes switching * and duplicate message elimination. * - * Returns: 0 or sa->error on succes, error code on failure + * Returns: 0 or sa->error on success, error code on failure */ static int audit_caps(struct aa_profile *profile, struct task_struct *task, int cap, int error) diff --git a/security/apparmor/context.c b/security/apparmor/context.c index deb4a30..8a9b502 100644 --- a/security/apparmor/context.c +++ b/security/apparmor/context.c @@ -30,7 +30,7 @@ #include "include/policy.h" /** - * aa_alloc_task_context - allocat a new task_cxt + * aa_alloc_task_context - allocate a new task_cxt * @flags: gfp flags for allocation * * Returns: allocated buffer or NULL on failure diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 9efb5d9..08bbe63 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c 
@@ -114,7 +114,7 @@ static struct file_perms change_profile_perms(struct aa_profile *profile, } else if (!profile->file.dfa) { return nullperms; } else if ((ns == profile->ns)) { - /* try matching against rules with out namespace prependend */ + /* try matching against rules with out namespace prepended */ aa_str_perms(profile->file.dfa, start, name, &cond, &perms); if (COMBINED_PERM_MASK(perms) & request) return perms; @@ -134,9 +134,9 @@ static struct file_perms change_profile_perms(struct aa_profile *profile, * @head - profile list to walk (NOT NULL) * * Do a linear search on the profiles in the list. There is a matching - * preference where an exact match is prefered over a name which uses + * preference where an exact match is preferred over a name which uses * expressions to match, and matching expressions with the greatest - * xmatch_len are prefered. + * xmatch_len are preferred. * * Requires: @head not be shared or have appropriate locks held * @@ -196,7 +196,7 @@ static struct aa_profile *find_attach(struct aa_namespace *ns, * This is the xtable equivalent routine of aa_split_fqname. It finds the * split in an xtable fqname which contains an embedded \0 instead of a : * if a namespace is specified. This is done so the xtable is constant and - * isn't resplit on every lookup. + * isn't re-split on every lookup. * * Either the profile or namespace name may be optional but if the namespace * is specified the profile name termination must be present. This results @@ -205,7 +205,7 @@ static struct aa_profile *find_attach(struct aa_namespace *ns, * :ns_name\0profile_name\0 * :ns_name\0\0 * - * NOTE: the xtable fqname is prevalidated at load time in unpack_trans_table + * NOTE: the xtable fqname is pre-validated at load time in unpack_trans_table * * Returns: profile name if it is specified else NULL */ 
@@ -214,6 +214,10 @@ static const char *separate_fqname(const char *fqname, const char **ns_name) const char *name; if (fqname[0] == ':') { + /* In this case there is guaranteed to be two \0 terminators + * in the string. They are verified at load time by + * by unpack_trans_table + */ *ns_name = fqname + 1; /* skip : */ name = *ns_name + strlen(*ns_name) + 1; if (!*name) @@ -246,7 +250,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) int index = xindex & AA_X_INDEX_MASK; const char *name; - /* index is guarenteed to be in range, validated at load time */ + /* index is guaranteed to be in range, validated at load time */ for (name = profile->file.trans.table[index]; !new_profile && name; name = next_name(xtype, name)) { struct aa_namespace *new_ns; @@ -292,7 +296,7 @@ static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) /** * x_to_profile - get target profile for a given xindex * @profile: current profile (NOT NULL) - * @name: to to lookup (NOT NULL) + * @name: name to lookup (NOT NULL) * @xindex: index into x transition table * * find profile for a transition index @@ -673,7 +677,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest) if (!permtest) { error = aa_set_current_hat(hat, token); if (error == -EACCES) - /* kill task incase of brute force attacks */ + /* kill task in case of brute force attacks */ perms.kill = AA_MAY_CHANGEHAT; else if (name && !error) /* reset error for learning of new hats */ @@ -782,7 +786,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, error = -ENOENT; if (permtest || !COMPLAIN_MODE(profile)) goto audit; - /* release below */ + /* released below */ target = aa_new_null_profile(profile, 0); if (!target) { info = "failed null profile create"; diff --git a/security/apparmor/file.c b/security/apparmor/file.c index 1b3c0a9..7312db7 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c 
@@ -23,7 +23,7 @@ struct file_perms nullperms; /** - * audit_file_mask - convert mask to owner::other string + * audit_file_mask - convert mask to permission string * @buffer: buffer to write string to (NOT NULL) * @mask: permission mask to convert */ diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h index c51e551..38ccaea 100644 --- a/security/apparmor/include/apparmor.h +++ b/security/apparmor/include/apparmor.h @@ -19,8 +19,7 @@ #include "match.h" -/* Control parameters settable thru module/boot flags or - * via /sys/kernel/security/apparmor/control */ +/* Control parameters settable through module/boot flags */ extern enum audit_mode aa_g_audit; extern int aa_g_audit_header; extern int aa_g_debug; @@ -47,7 +46,7 @@ extern unsigned int aa_g_path_max; } while (0) /* Flag indicating whether initialization completed */ -extern int apparmor_initialized; +extern int apparmor_initialized __initdata; /* fn's in lib */ char *aa_split_fqname(char *args, char **ns_name); @@ -76,12 +75,12 @@ static inline bool aa_strneq(const char *str, const char *sub, int len) * * aa_dfa_null_transition transitions to the next state after a null * character which is not used in standard matching and is only - * used to seperate pairs. + * used to separate pairs. */ static inline unsigned int aa_dfa_null_transition(struct aa_dfa *dfa, unsigned int start) { - /* the null transition only needs a single null byte of the string */ + /* the null transition only needs the string's null terminator byte */ return aa_dfa_match_len(dfa, start, "", 1); } diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h index cfbae70..cb1e93a 100644 --- a/security/apparmor/include/apparmorfs.h +++ b/security/apparmor/include/apparmorfs.h @@ -15,6 +15,6 @@ #ifndef __AA_APPARMORFS_H #define __AA_APPARMORFS_H -extern void aa_destroy_aafs(void); +extern void __init aa_destroy_aafs(void); #endif /* __AA_APPARMORFS_H */ 
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h index bba5ced..be36fea 100644 --- a/security/apparmor/include/file.h +++ b/security/apparmor/include/file.h @@ -37,7 +37,7 @@ struct aa_profile; #define AA_EXEC_MMAP 0x0800 #define AA_MAY_LINK 0x1000 -#define AA_LINK_SUBSET AA_MAY_LOCK /* overlayed */ +#define AA_LINK_SUBSET AA_MAY_LOCK /* overlaid */ #define AA_MAY_ONEXEC 0x40000000 /* exec allows onexec */ #define AA_MAY_CHANGE_PROFILE 0x80000000 #define AA_MAY_CHANGEHAT 0x80000000 /* ctrl auditing only */ @@ -70,13 +70,13 @@ struct aa_profile; /* AA_SECURE_X_NEEDED - is passed in the bprm->unsafe field */ #define AA_SECURE_X_NEEDED 0x8000 -/* need to conditionalize which ones are being set */ +/* need to make conditional which ones are being set */ struct path_cond { uid_t uid; umode_t mode; }; -/* struct file_perms - file permission fo +/* struct file_perms - file permission * @allow: mask of permissions that are allowed * @audit: mask of permissions to force an audit message for * @quiet: mask of permissions to quiet audit messages for diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h index 3cd089f..734a6d3 100644 --- a/security/apparmor/include/match.h +++ b/security/apparmor/include/match.h @@ -121,7 +121,7 @@ void aa_dfa_free_kref(struct kref *kref); * aa_put_dfa - put a dfa refcount * @dfa: dfa to put refcount (MAYBE NULL) * - * Requires: if @dfa != NULL that valid refcount be held + * Requires: if @dfa != NULL that a valid refcount be held */ static inline void aa_put_dfa(struct aa_dfa *dfa) { diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h index 7d757b8..aeda5cf 100644 --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h 
@@ -56,20 +56,18 @@ enum profile_mode { enum profile_flags { PFLAG_HAT = 1, /* profile is a hat */ - PFLAG_UNCONFINED = 2, /* profile is the unconfined profile */ + PFLAG_UNCONFINED = 2, /* profile is an unconfined profile */ PFLAG_NULL = 4, /* profile is null learning profile */ PFLAG_IX_ON_NAME_ERROR = 8, /* fallback to ix on name lookup fail */ PFLAG_IMMUTABLE = 0x10, /* don't allow changes/replacement */ - PFLAG_USER_DEFINED = 0x20, /* user based profile */ + PFLAG_USER_DEFINED = 0x20, /* user based profile - lower privs */ PFLAG_NO_LIST_REF = 0x40, /* list doesn't keep profile ref */ PFLAG_OLD_NULL_TRANS = 0x100, /* use // as the null transition */ - /* These flags must coorespond with PATH_flags */ + /* These flags must correspond with PATH_flags */ PFLAG_MEDIATE_DELETED = 0x10000, /* mediate instead delegate deleted */ }; -#define AA_NEW_SID 0 - struct aa_profile; /* struct aa_policy - common part of both namespaces and profiles @@ -110,8 +108,8 @@ struct aa_ns_acct { * * An aa_namespace defines the set profiles that are searched to determine * which profile to attach to a task. Profiles can not be shared between - * aa_namespaces and profile names within a namespace are guarenteed to be - * unique. When profiles in seperate namespaces have the same name they + * aa_namespaces and profile names within a namespace are guaranteed to be + * unique. When profiles in separate namespaces have the same name they * are NOT considered to be equivalent. * * Namespaces are hierarchical and only namespaces and profiles below the @@ -119,7 +117,8 @@ struct aa_ns_acct { * * Namespace names must be unique and can not contain the characters :/\0 * - * FIXME TODO: add vserver support so a vserer (can it all be done in userspace) + * FIXME TODO: add vserver support of namespaces (can it all be done in + * userspace?) */ struct aa_namespace { struct aa_policy base; 
@@ -131,10 +130,10 @@ struct aa_namespace { }; /* struct aa_profile - basic confinement data - * @base - base componets of the profile (name, refcount, lists, lock ...) + * @base - base components of the profile (name, refcount, lists, lock ...) * @parent: parent of profile * @ns: namespace the profile is in - * @replacedby: is set profile that replaced this profile + * @replacedby: is set to the profile that replaced this profile * @rename: optional profile name that this profile renamed * @xmatch: optional extended matching for unconfined executables names * @xmatch_len: xmatch prefix len, used to determine xmatch priority @@ -156,7 +155,7 @@ struct aa_namespace { * The @replacedby field is write protected by the profile lock. Reads * are assumed to be atomic, and are done without locking. * - * Profiles have a hierachy where hats and children profiles keep + * Profiles have a hierarchy where hats and children profiles keep * a reference to their parent. * * Profile names can not begin with a : and can not contain the \0 @@ -211,7 +210,7 @@ static inline struct aa_policy *aa_get_common(struct aa_policy *c) * aa_get_namespace - increment references count on @ns * @ns: namespace to increment reference count of (MAYBE NULL) * - * Returns: pointer to @ns if @ns is NULL returns NULL + * Returns: pointer to @ns, if @ns is NULL returns NULL * Requires: @ns must be held with valid refcount when called */ static inline struct aa_namespace *aa_get_namespace(struct aa_namespace *ns) @@ -224,9 +223,9 @@ static inline struct aa_namespace *aa_get_namespace(struct aa_namespace *ns) /** * aa_put_namespace - decrement refcount on @ns - * @ns: namespace to put reference to + * @ns: namespace to put reference of * - * Decrement reference count to @ns and if no longer in use free it + * Decrement reference count of @ns and if no longer in use free it */ static inline void aa_put_namespace(struct aa_namespace *ns) { 
@@ -262,9 +261,8 @@ ssize_t aa_remove_profiles(char *name, size_t size); */ static inline struct aa_profile *aa_newest_version(struct aa_profile *profile) { - if (unlikely(profile && profile->replacedby)) - for (; profile->replacedby; profile = profile->replacedby) - ; + while (profile->replacedby) + profile = profile->replacedby; return profile; } diff --git a/security/apparmor/include/procattr.h b/security/apparmor/include/procattr.h index 8802522..544aa6b 100644 --- a/security/apparmor/include/procattr.h +++ b/security/apparmor/include/procattr.h @@ -1,7 +1,7 @@ /* * AppArmor security module * - * This file contains AppArmor /proc//attr/ interface function defintions. + * This file contains AppArmor /proc//attr/ interface function definitions. * * Copyright (C) 1998-2008 Novell/SUSE * Copyright 2009-2010 Canonical Ltd. diff --git a/security/apparmor/include/resource.h b/security/apparmor/include/resource.h index 1e009ce..3c88be9 100644 --- a/security/apparmor/include/resource.h +++ b/security/apparmor/include/resource.h @@ -1,7 +1,7 @@ /* * AppArmor security module * - * This file contains AppArmor resource limits function defintions. + * This file contains AppArmor resource limits function definitions. * * Copyright (C) 1998-2008 Novell/SUSE * Copyright 2009-2010 Canonical Ltd. @@ -20,7 +20,7 @@ struct aa_profile; -/* struct aa_rlimit - rlimits settings for the profile +/* struct aa_rlimit - rlimit settings for the profile * @mask: which hard limits to set * @limits: rlimit values that override task limits * diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c index 51837b5..6e85cdb 100644 --- a/security/apparmor/lib.c +++ b/security/apparmor/lib.c 
@@ -30,7 +30,7 @@ * description). If a portion of the name is missing it returns NULL for * that portion. * - * NOTE: may modifiy the @fqname string. The pointers returned point + * NOTE: may modify the @fqname string. The pointers returned point * into the @fqname string. */ char *aa_split_fqname(char *fqname, char **ns_name) @@ -65,13 +65,13 @@ void aa_info_message(const char *str) struct common_audit_data sa; COMMON_AUDIT_DATA_INIT(&sa, NONE); sa.aad.info = str; - printk(KERN_INFO "AppArmor: %s\n", str); aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, NULL); } + printk(KERN_INFO "AppArmor: %s\n", str); } /** - * kvmalloc - do allocation prefering kmalloc but falling back to vmalloc + * kvmalloc - do allocation preferring kmalloc but falling back to vmalloc * @size: size of allocation * * Return: allocated buffer or NULL if failed @@ -90,6 +90,9 @@ void *kvmalloc(size_t size) if (size <= (16*PAGE_SIZE)) buffer = kmalloc(size, GFP_NOIO | __GFP_NOWARN); if (!buffer) { + /* see kvfree for why size must be at least work_struct size + * when allocated via vmalloc + */ if (size < sizeof(struct work_struct)) size = sizeof(struct work_struct); buffer = vmalloc(size); @@ -101,7 +104,7 @@ void *kvmalloc(size_t size) * do_vfree - workqueue routine for freeing vmalloced memory * @work: data to be freed * - * The work_struct is overlayed to the data being freed, as at the point + * The work_struct is overlaid to the data being freed, as at the point * the work is scheduled the data is no longer valid, be its freeing * needs to be delayed until safe. */ diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index b4828d7..7daf0d5 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -36,7 +36,7 @@ #include "include/procattr.h" /* Flag indicating whether initialization completed */ -int apparmor_initialized; +int apparmor_initialized __initdata; /* * LSM hook functions 
diff --git a/security/apparmor/match.c b/security/apparmor/match.c index 8e7523a..5cb4dc1 100644 --- a/security/apparmor/match.c +++ b/security/apparmor/match.c @@ -193,8 +193,8 @@ void aa_dfa_free_kref(struct kref *kref) * @size: size of data to unpack * @flags: flags controlling what type of accept tables are acceptable * - * Unpack a dfa that has been serialized. Dfa format and information in - * Documentation/AppArmor/dfa.txt + * Unpack a dfa that has been serialized. To find information on the dfa + * format look in Documentation/apparmor.txt * Assumes the dfa @blob stream has been aligned on a 8 byte boundry * * Returns: an unpacked dfa ready for matching or ERR_PTR on failure diff --git a/security/apparmor/path.c b/security/apparmor/path.c index a19ba05..96bab94 100644 --- a/security/apparmor/path.c +++ b/security/apparmor/path.c @@ -46,7 +46,7 @@ static int prepend(char **buffer, int buflen, const char *str, int namelen) * @buf: buffer to store path to (NOT NULL) * @buflen: length of @buf * @name: Returns - pointer for start of path name with in @buf (NOT NULL) - * @flags: flags controling path lookup + * @flags: flags controlling path lookup * * Handle path name lookup. * @@ -110,7 +110,7 @@ static int d_namespace_path(struct path *path, char *buf, int buflen, * * Remove the appended deleted text and return as string for * normal mediation, or auditing. The (deleted) string is - * guarenteed to be added in this case, so just strip it. + * guaranteed to be added in this case, so just strip it. */ buf[buflen - 11] = 0; /* - (len(" (deleted)") +\0) */ @@ -190,7 +190,7 @@ static int get_name_to_buffer(struct path *path, int flags, char *buffer, /** * aa_get_name - compute the pathname of a file * @path: path the file (NOT NULL) - * @flags: flags controling path name generation + * @flags: flags controlling path name generation * @buffer: buffer that aa_get_name() allocated (NOT NULL) * @name: Returns - the generated path name if !error (NOT NULL) * 
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c index 7fecdf2..3cdc1ad 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -13,7 +13,7 @@ * * * AppArmor policy is based around profiles, which contain the rules a - * task is confined by. Every task in the sytem has a profile attached + * task is confined by. Every task in the system has a profile attached * to it determined either by matching "unconfined" tasks against the * visible set of profiles or by following a profiles attachment rules. * @@ -31,21 +31,21 @@ * Reserved profile names * unconfined - special automatically generated unconfined profile * inherit - special name to indicate profile inheritance - * null-XXXX-YYYY - special automically generated learning profiles + * null-XXXX-YYYY - special automatically generated learning profiles * * Namespace names may not start with / or @ and may not contain \0 or : - * Reserved namespace namespace + * Reserved namespace names * user-XXXX - user defined profiles * - * a // in a profile or namespace name indicates a hierarcical name with the + * a // in a profile or namespace name indicates a hierarchical name with the * name before the // being the parent and the name after the child. * - * Profile and namespace hierachies serve two different but similar purposes. + * Profile and namespace hierarchies serve two different but similar purposes. * The namespace contains the set of visible profiles that are considered * for attachment. The hierarchy of namespaces allows for virtualizing * the namespace so that for example a chroot can have its own set of profiles * which may define some local user namespaces. - * The profile hierachy severs two distinct purposes, + * The profile hierarchy severs two distinct purposes, * - it allows for sub profiles or hats, which allows an application to run * subprograms under its own profile with different restriction than it * self, and not have it use the system profile. 
@@ -60,8 +60,8 @@ * eg. /bin/bash///bin/ls as a name would indicate /bin/ls was started * from /bin/bash * - * A profile or namespace name that can contain one or more // seperators - * is refered to as an hname (hierarchical). + * A profile or namespace name that can contain one or more // separators + * is referred to as an hname (hierarchical). * eg. /bin/bash//bin/ls * * An fqname is a name that may contain both namespace and profile hnames. @@ -191,7 +191,7 @@ static struct aa_policy *__policy_find(struct list_head *head, const char *name) } /** - * __policy_strn_find - find a policy thats name matches @len chars of @str + * __policy_strn_find - find a policy that's name matches @len chars of @str * @head: list to search (NOT NULL) * @str: string to search for (NOT NULL) * @len: length of match required @@ -257,7 +257,7 @@ const char *aa_ns_name(struct aa_namespace *curr, struct aa_namespace *view) /* at this point if a ns is visible it is in a view ns * thus the curr ns.hname is a prefix of its name. * Only output the virtualized portion of the name - * Add + 2 to skip over // seperating curr hname prefix + * Add + 2 to skip over // separating curr hname prefix * from the visible tail of the views hname */ return view->base.hname + strlen(curr->base.hname) + 2; @@ -477,7 +477,7 @@ static void __list_remove_profile(struct aa_profile *profile) * @old: profile to be replaced (NOT NULL) * @new: profile to replace @old with (NOT NULL) * - * Will duplicaticate and refcount elements that @new inherits from @old + * Will duplicate and refcount elements that @new inherits from @old * and will inherit @old children. * * refcount @new for list, put @old list refcount 
@@ -503,7 +503,7 @@ static void __replace_profile(struct aa_profile *old, struct aa_profile *new) list_for_each_entry_safe(child, tmp, &old->base.profiles, base.list) { aa_put_profile(child->parent); child->parent = aa_get_profile(new); - /* list refcount transfered to @new*/ + /* list refcount transferred to @new*/ list_move(&child->base.list, &new->base.profiles); } diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index 5b5dacb..eb3700e 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -13,7 +13,7 @@ * License. * * AppArmor uses a serialized binary format for loading policy. - * The policy format is documented in Documentation/??? + * To find policy format documentation look in Documentation/apparmor.txt * All policy is validated before it is used. */ @@ -35,7 +35,7 @@ * which has a name (AA_NAME typecode followed by name string) followed by * the entries typecode and data. Named types allow for optional * elements and extensions to be added and tested for without breaking - * backwards compatability. + * backwards compatibility. */ enum aa_code { @@ -154,10 +154,11 @@ static bool unpack_X(struct aa_ext *e, enum aa_code code) * name @name. If @name is specified then there must be a matching * name element in the stream. If @name is NULL any name element will be * skipped and only the typecode will be tested. - * returns 1 on success (both type code and name tests match) and the read + * + * Returns 1 on success (both type code and name tests match) and the read * head is advanced past the headers * - * Returns: 0 if either match failes, the read head does not move + * Returns: 0 if either match fails, the read head does not move */ static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name) { 
@@ -381,6 +382,9 @@ static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile) for (i = 0; i < size; i++) { char *str; int c, j, size = unpack_strdup(e, &str, NULL); + /* unpack_strdup verifies that the last character is + * null termination byte. + */ if (!size) goto fail; profile->file.trans.table[i] = str; @@ -394,7 +398,10 @@ static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile) c++; } if (*str == ':') { - /* beginning with : requires an embedded \0 */ + /* beginning with : requires an embedded \0, + * verify that exactly 1 internal \0 exists + * trailing \0 already verified by unpack_strdup + */ if (c != 1) goto fail; /* first character after : must be valid */ diff --git a/security/apparmor/procattr.c b/security/apparmor/procattr.c index 8a2d22c..04a2cf8 100644 --- a/security/apparmor/procattr.c +++ b/security/apparmor/procattr.c @@ -57,13 +57,13 @@ int aa_getprocattr(struct aa_profile *profile, char **string) mode_len = strlen(mode_str) + 3; /* + 3 for _() */ name_len = strlen(profile->base.hname); - len = mode_len + ns_len + name_len + 1; /*+ 1 for \n */ + len = mode_len + ns_len + name_len + 1; /* + 1 for \n */ s = str = kmalloc(len + 1, GFP_KERNEL); /* + 1 \0 */ if (!str) return -ENOMEM; if (ns_len) { - /* skip over prefix current_ns->base.hname and seperating // */ + /* skip over prefix current_ns->base.hname and separating // */ sprintf(s, ":%s://", ns_name); s += ns_len; } @@ -127,7 +127,7 @@ int aa_setprocattr_changehat(char *args, size_t size, int test) } if (hat) { - /* set up hat name vector, args guarenteed null terminated + /* set up hat name vector, args guaranteed null terminated * at args[size] by setprocattr. * * If there are multiple hat names in the buffer each is diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c index ad69bf3..4a368f1 100644 --- a/security/apparmor/resource.c +++ b/security/apparmor/resource.c 
@@ -61,7 +61,7 @@ static int audit_resource(struct aa_profile *profile, unsigned int resource, * * Returns: resource # for the current architecture. * - * rlimit resource can vary based on architecture map the compiled policy + * rlimit resource can vary based on architecture, map the compiled policy * resource # to the internal representation for the architecture. */ int aa_map_resource(int resource)
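Review bot: In security/apparmor/policy.c, hunk @@ -31,21 +31,21 @@, the rewritten line still reads "The profile hierarchy severs two distinct purposes"; "severs" should be "serves". The line is already being changed for "hierachy", so both fixes belong in the same pass.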
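Review bot: In security/apparmor/policy.c, hunk @@ -60,8 +60,8 @@, the two examples around the corrected hname sentence disagree: the context above uses "/bin/bash///bin/ls" (parent /bin/bash, the // separator, child /bin/ls), while the line right after the change says "eg. /bin/bash//bin/ls", which with a // separator would name a child "bin/ls". Since this comment defines how hierarchical names are split, suggest making the second example match the first.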
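Review bot: In security/apparmor/policy.c, hunk @@ -191,7 +191,7 @@, the kernel-doc summary for __policy_strn_find goes from "thats name" to "that's name", which expands to "that is name" and is still wrong. Suggest "find a policy whose name matches @len chars of @str".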
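Review bot: In security/apparmor/policy_unpack.c, hunk @@ -154,10 +154,11 @@, the unpack_nameX comment ends up with two return descriptions in different forms ("Returns 1 on success ..." and "Returns: 0 if either match fails ..."), while the function is declared "static bool". Suggest a single "Returns:" section worded as true/false that keeps the statement that the read head only advances on success, since callers depend on that when probing for optional elements.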
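Review bot: In security/apparmor/policy_unpack.c, hunk @@ -381,6 +382,9 @@, the new comment is attached to "int c, j, size = unpack_strdup(e, &str, NULL);", where the inner "size" shadows the "size" used as the bound in "for (i = 0; i < size; i++)". The comment is about the length of the string just unpacked, not the table size, so it should say that explicitly, and a follow-up that renames the inner variable would remove the ambiguity. The comment would also read better placed above the declaration rather than between it and "if (!size)", and "is null termination byte" needs an article ("is a null termination byte").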
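Review bot: In security/apparmor/procattr.c, hunk @@ -57,13 +57,13 @@, the length comments are tidied but nothing documents what ns_len covers, even though the kmalloc(len + 1) buffer is then filled with an unbounded sprintf(s, ":%s://", ns_name) followed by "s += ns_len". That format writes strlen(ns_name) + 4 bytes, so the code is only correct if ns_len, which is computed outside this hunk, already includes those 4 bytes. Suggest a comment on ns_len in the style of the existing "+ 3 for _()" and "+ 1 for \n" notes, so the buffer arithmetic can be checked from this function alone.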