From 92de220a7f336367127351da58cff691da5bb17b Mon Sep 17 00:00:00 2001 From: John Johansen Date: Tue, 30 Jun 2020 17:00:11 -0700 Subject: apparmor: update policy capable checks to use a label Previously the policy capable checks assumed they were using the current task. Make them take the task label so the query can be made against an arbitrary task. Signed-off-by: John Johansen --- security/apparmor/apparmorfs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'security/apparmor/apparmorfs.c') diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index d65324415980..3275e074e5f8 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -1357,7 +1357,7 @@ static int rawdata_open(struct inode *inode, struct file *file) struct aa_loaddata *loaddata; struct rawdata_f_data *private; - if (!policy_view_capable(NULL)) + if (!aa_current_policy_view_capable(NULL)) return -EACCES; loaddata = __aa_get_loaddata(inode->i_private); @@ -2266,7 +2266,7 @@ static const struct seq_operations aa_sfs_profiles_op = { static int profiles_open(struct inode *inode, struct file *file) { - if (!policy_view_capable(NULL)) + if (!aa_current_policy_view_capable(NULL)) return -EACCES; return seq_open(file, &aa_sfs_profiles_op); -- cgit From aa4ceed7c3276852031a3e3d6fa767ff1858831f Mon Sep 17 00:00:00 2001 From: ChenXiaoSong Date: Mon, 7 Jun 2021 14:30:22 +0800 Subject: apparmor: fix doc warning Fix gcc W=1 warning: security/apparmor/apparmorfs.c:2125: warning: Function parameter or member 'p' not described in '__next_profile' Signed-off-by: ChenXiaoSong Signed-off-by: John Johansen --- security/apparmor/apparmorfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security/apparmor/apparmorfs.c') diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 3275e074e5f8..a515d1f6d951 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -2115,7 +2115,7 @@ static struct aa_profile *__first_profile(struct aa_ns *root, /** * __next_profile - step to the next profile in a profile tree - * @profile: current profile in tree (NOT NULL) + * @p: current profile in tree (NOT NULL) * * Perform a depth first traversal on the profile tree in a namespace * -- cgit From d0d845a790d31adb0c90f1f8364de199b23128c8 Mon Sep 17 00:00:00 2001 From: Hamza Mahfooz Date: Fri, 30 Jul 2021 01:23:55 -0400 Subject: apparmor: use per file locks for transactional queries As made mention of in commit 1dea3b41e84c5 ("apparmor: speed up transactional queries"), a single lock is currently used to synchronize transactional queries. We can, use the lock allocated for each file by VFS instead. Signed-off-by: Hamza Mahfooz Signed-off-by: John Johansen --- security/apparmor/apparmorfs.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'security/apparmor/apparmorfs.c') diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index a515d1f6d951..0920f5188631 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -811,8 +811,6 @@ struct multi_transaction { }; #define MULTI_TRANSACTION_LIMIT (PAGE_SIZE - sizeof(struct multi_transaction)) -/* TODO: replace with per file lock */ -static DEFINE_SPINLOCK(multi_transaction_lock); static void multi_transaction_kref(struct kref *kref) { @@ -846,10 +844,10 @@ static void multi_transaction_set(struct file *file, AA_BUG(n > MULTI_TRANSACTION_LIMIT); new->size = n; - spin_lock(&multi_transaction_lock); + spin_lock(&file->f_lock); old = (struct multi_transaction *) file->private_data; file->private_data = new; - spin_unlock(&multi_transaction_lock); + spin_unlock(&file->f_lock); put_multi_transaction(old); } @@ -878,9 +876,10 @@ static ssize_t multi_transaction_read(struct file *file, char __user *buf, struct multi_transaction *t; ssize_t ret; - spin_lock(&multi_transaction_lock); + spin_lock(&file->f_lock); t = get_multi_transaction(file->private_data); - spin_unlock(&multi_transaction_lock); + spin_unlock(&file->f_lock); + if (!t) return 0; -- cgit