security/apparmor/apparmorfs.c

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /*
0003  * AppArmor security module
0004  *
0005  * This file contains AppArmor /sys/kernel/security/apparmor interface functions
0006  *
0007  * Copyright (C) 1998-2008 Novell/SUSE
0008  * Copyright 2009-2010 Canonical Ltd.
0009  */
0010
0011 #include <linux/ctype.h>
0012 #include <linux/security.h>
0013 #include <linux/vmalloc.h>
0014 #include <linux/init.h>
0015 #include <linux/seq_file.h>
0016 #include <linux/uaccess.h>
0017 #include <linux/mount.h>
0018 #include <linux/namei.h>
0019 #include <linux/capability.h>
0020 #include <linux/rcupdate.h>
0021 #include <linux/fs.h>
0022 #include <linux/fs_context.h>
0023 #include <linux/poll.h>
0024 #include <linux/zlib.h>
0025 #include <uapi/linux/major.h>
0026 #include <uapi/linux/magic.h>
0027
0028 #include "include/apparmor.h"
0029 #include "include/apparmorfs.h"
0030 #include "include/audit.h"
0031 #include "include/cred.h"
0032 #include "include/crypto.h"
0033 #include "include/ipc.h"
0034 #include "include/label.h"
0035 #include "include/policy.h"
0036 #include "include/policy_ns.h"
0037 #include "include/resource.h"
0038 #include "include/policy_unpack.h"
0039 #include "include/task.h"
0040
0041 /*
0042  * The apparmor filesystem interface used for policy load and introspection
0043  * The interface is split into two main components based on their function
0044  * a securityfs component:
0045  *   used for static files that are always available, and which allows
0046  *   userspace to specificy the location of the security filesystem.
0047  *
0048  *   fns and data are prefixed with
0049  *      aa_sfs_
0050  *
0051  * an apparmorfs component:
0052  *   used loaded policy content and introspection. It is not part of  a
0053  *   regular mounted filesystem and is available only through the magic
0054  *   policy symlink in the root of the securityfs apparmor/ directory.
0055  *   Tasks queries will be magically redirected to the correct portion
0056  *   of the policy tree based on their confinement.
0057  *
0058  *   fns and data are prefixed with
0059  *      aafs_
0060  *
0061  * The aa_fs_ prefix is used to indicate the fn is used by both the
0062  * securityfs and apparmorfs filesystems.
0063  */
0064
0065
0066 /*
0067  * support fns
0068  */
0069
0070 struct rawdata_f_data {
0071     struct aa_loaddata *loaddata;
0072 };
0073
0074 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
0075 #define RAWDATA_F_DATA_BUF(p) (char *)(p + 1)
0076
0077 static void rawdata_f_data_free(struct rawdata_f_data *private)
0078 {
0079     if (!private)
0080         return;
0081
0082     aa_put_loaddata(private->loaddata);
0083     kvfree(private);
0084 }
0085
0086 static struct rawdata_f_data *rawdata_f_data_alloc(size_t size)
0087 {
0088     struct rawdata_f_data *ret;
0089
0090     if (size > SIZE_MAX - sizeof(*ret))
0091         return ERR_PTR(-EINVAL);
0092
0093     ret = kvzalloc(sizeof(*ret) + size, GFP_KERNEL);
0094     if (!ret)
0095         return ERR_PTR(-ENOMEM);
0096
0097     return ret;
0098 }
0099 #endif
0100
0101 /**
0102  * mangle_name - mangle a profile name to std profile layout form
0103  * @name: profile name to mangle  (NOT NULL)
0104  * @target: buffer to store mangled name, same length as @name (MAYBE NULL)
0105  *
0106  * Returns: length of mangled name
0107  */
0108 static int mangle_name(const char *name, char *target)
0109 {
0110     char *t = target;
0111
0112     while (*name == '/' || *name == '.')
0113         name++;
0114
0115     if (target) {
0116         for (; *name; name++) {
0117             if (*name == '/')
0118                 *(t)++ = '.';
0119             else if (isspace(*name))
0120                 *(t)++ = '_';
0121             else if (isalnum(*name) || strchr("._-", *name))
0122                 *(t)++ = *name;
0123         }
0124
0125         *t = 0;
0126     } else {
0127         int len = 0;
0128         for (; *name; name++) {
0129             if (isalnum(*name) || isspace(*name) ||
0130                 strchr("/._-", *name))
0131                 len++;
0132         }
0133
0134         return len;
0135     }
0136
0137     return t - target;
0138 }
0139
0140
0141 /*
0142  * aafs - core fns and data for the policy tree
0143  */
0144
0145 #define AAFS_NAME       "apparmorfs"
0146 static struct vfsmount *aafs_mnt;
0147 static int aafs_count;
0148
0149
0150 static int aafs_show_path(struct seq_file *seq, struct dentry *dentry)
0151 {
0152     seq_printf(seq, "%s:[%lu]", AAFS_NAME, d_inode(dentry)->i_ino);
0153     return 0;
0154 }
0155
0156 static void aafs_free_inode(struct inode *inode)
0157 {
0158     if (S_ISLNK(inode->i_mode))
0159         kfree(inode->i_link);
0160     free_inode_nonrcu(inode);
0161 }
0162
0163 static const struct super_operations aafs_super_ops = {
0164     .statfs = simple_statfs,
0165     .free_inode = aafs_free_inode,
0166     .show_path = aafs_show_path,
0167 };
0168
0169 static int apparmorfs_fill_super(struct super_block *sb, struct fs_context *fc)
0170 {
0171     static struct tree_descr files[] = { {""} };
0172     int error;
0173
0174     error = simple_fill_super(sb, AAFS_MAGIC, files);
0175     if (error)
0176         return error;
0177     sb->s_op = &aafs_super_ops;
0178
0179     return 0;
0180 }
0181
0182 static int apparmorfs_get_tree(struct fs_context *fc)
0183 {
0184     return get_tree_single(fc, apparmorfs_fill_super);
0185 }
0186
0187 static const struct fs_context_operations apparmorfs_context_ops = {
0188     .get_tree   = apparmorfs_get_tree,
0189 };
0190
0191 static int apparmorfs_init_fs_context(struct fs_context *fc)
0192 {
0193     fc->ops = &apparmorfs_context_ops;
0194     return 0;
0195 }
0196
0197 static struct file_system_type aafs_ops = {
0198     .owner = THIS_MODULE,
0199     .name = AAFS_NAME,
0200     .init_fs_context = apparmorfs_init_fs_context,
0201     .kill_sb = kill_anon_super,
0202 };
0203
0204 /**
0205  * __aafs_setup_d_inode - basic inode setup for apparmorfs
0206  * @dir: parent directory for the dentry
0207  * @dentry: dentry we are seting the inode up for
0208  * @mode: permissions the file should have
0209  * @data: data to store on inode.i_private, available in open()
0210  * @link: if symlink, symlink target string
0211  * @fops: struct file_operations that should be used
0212  * @iops: struct of inode_operations that should be used
0213  */
0214 static int __aafs_setup_d_inode(struct inode *dir, struct dentry *dentry,
0215                    umode_t mode, void *data, char *link,
0216                    const struct file_operations *fops,
0217                    const struct inode_operations *iops)
0218 {
0219     struct inode *inode = new_inode(dir->i_sb);
0220
0221     AA_BUG(!dir);
0222     AA_BUG(!dentry);
0223
0224     if (!inode)
0225         return -ENOMEM;
0226
0227     inode->i_ino = get_next_ino();
0228     inode->i_mode = mode;
0229     inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode);
0230     inode->i_private = data;
0231     if (S_ISDIR(mode)) {
0232         inode->i_op = iops ? iops : &simple_dir_inode_operations;
0233         inode->i_fop = &simple_dir_operations;
0234         inc_nlink(inode);
0235         inc_nlink(dir);
0236     } else if (S_ISLNK(mode)) {
0237         inode->i_op = iops ? iops : &simple_symlink_inode_operations;
0238         inode->i_link = link;
0239     } else {
0240         inode->i_fop = fops;
0241     }
0242     d_instantiate(dentry, inode);
0243     dget(dentry);
0244
0245     return 0;
0246 }
0247
0248 /**
0249  * aafs_create - create a dentry in the apparmorfs filesystem
0250  *
0251  * @name: name of dentry to create
0252  * @mode: permissions the file should have
0253  * @parent: parent directory for this dentry
0254  * @data: data to store on inode.i_private, available in open()
0255  * @link: if symlink, symlink target string
0256  * @fops: struct file_operations that should be used for
0257  * @iops: struct of inode_operations that should be used
0258  *
0259  * This is the basic "create a xxx" function for apparmorfs.
0260  *
0261  * Returns a pointer to a dentry if it succeeds, that must be free with
0262  * aafs_remove(). Will return ERR_PTR on failure.
0263  */
0264 static struct dentry *aafs_create(const char *name, umode_t mode,
0265                   struct dentry *parent, void *data, void *link,
0266                   const struct file_operations *fops,
0267                   const struct inode_operations *iops)
0268 {
0269     struct dentry *dentry;
0270     struct inode *dir;
0271     int error;
0272
0273     AA_BUG(!name);
0274     AA_BUG(!parent);
0275
0276     if (!(mode & S_IFMT))
0277         mode = (mode & S_IALLUGO) | S_IFREG;
0278
0279     error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count);
0280     if (error)
0281         return ERR_PTR(error);
0282
0283     dir = d_inode(parent);
0284
0285     inode_lock(dir);
0286     dentry = lookup_one_len(name, parent, strlen(name));
0287     if (IS_ERR(dentry)) {
0288         error = PTR_ERR(dentry);
0289         goto fail_lock;
0290     }
0291
0292     if (d_really_is_positive(dentry)) {
0293         error = -EEXIST;
0294         goto fail_dentry;
0295     }
0296
0297     error = __aafs_setup_d_inode(dir, dentry, mode, data, link, fops, iops);
0298     if (error)
0299         goto fail_dentry;
0300     inode_unlock(dir);
0301
0302     return dentry;
0303
0304 fail_dentry:
0305     dput(dentry);
0306
0307 fail_lock:
0308     inode_unlock(dir);
0309     simple_release_fs(&aafs_mnt, &aafs_count);
0310
0311     return ERR_PTR(error);
0312 }
0313
0314 /**
0315  * aafs_create_file - create a file in the apparmorfs filesystem
0316  *
0317  * @name: name of dentry to create
0318  * @mode: permissions the file should have
0319  * @parent: parent directory for this dentry
0320  * @data: data to store on inode.i_private, available in open()
0321  * @fops: struct file_operations that should be used for
0322  *
0323  * see aafs_create
0324  */
0325 static struct dentry *aafs_create_file(const char *name, umode_t mode,
0326                        struct dentry *parent, void *data,
0327                        const struct file_operations *fops)
0328 {
0329     return aafs_create(name, mode, parent, data, NULL, fops, NULL);
0330 }
0331
0332 /**
0333  * aafs_create_dir - create a directory in the apparmorfs filesystem
0334  *
0335  * @name: name of dentry to create
0336  * @parent: parent directory for this dentry
0337  *
0338  * see aafs_create
0339  */
0340 static struct dentry *aafs_create_dir(const char *name, struct dentry *parent)
0341 {
0342     return aafs_create(name, S_IFDIR | 0755, parent, NULL, NULL, NULL,
0343                NULL);
0344 }
0345
0346 /**
0347  * aafs_remove - removes a file or directory from the apparmorfs filesystem
0348  *
0349  * @dentry: dentry of the file/directory/symlink to removed.
0350  */
0351 static void aafs_remove(struct dentry *dentry)
0352 {
0353     struct inode *dir;
0354
0355     if (!dentry || IS_ERR(dentry))
0356         return;
0357
0358     dir = d_inode(dentry->d_parent);
0359     inode_lock(dir);
0360     if (simple_positive(dentry)) {
0361         if (d_is_dir(dentry))
0362             simple_rmdir(dir, dentry);
0363         else
0364             simple_unlink(dir, dentry);
0365         d_delete(dentry);
0366         dput(dentry);
0367     }
0368     inode_unlock(dir);
0369     simple_release_fs(&aafs_mnt, &aafs_count);
0370 }
0371
0372
0373 /*
0374  * aa_fs - policy load/replace/remove
0375  */
0376
0377 /**
0378  * aa_simple_write_to_buffer - common routine for getting policy from user
0379  * @userbuf: user buffer to copy data from  (NOT NULL)
0380  * @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size)
0381  * @copy_size: size of data to copy from user buffer
0382  * @pos: position write is at in the file (NOT NULL)
0383  *
0384  * Returns: kernel buffer containing copy of user buffer data or an
0385  *          ERR_PTR on failure.
0386  */
0387 static struct aa_loaddata *aa_simple_write_to_buffer(const char __user *userbuf,
0388                              size_t alloc_size,
0389                              size_t copy_size,
0390                              loff_t *pos)
0391 {
0392     struct aa_loaddata *data;
0393
0394     AA_BUG(copy_size > alloc_size);
0395
0396     if (*pos != 0)
0397         /* only writes from pos 0, that is complete writes */
0398         return ERR_PTR(-ESPIPE);
0399
0400     /* freed by caller to simple_write_to_buffer */
0401     data = aa_loaddata_alloc(alloc_size);
0402     if (IS_ERR(data))
0403         return data;
0404
0405     data->size = copy_size;
0406     if (copy_from_user(data->data, userbuf, copy_size)) {
0407         aa_put_loaddata(data);
0408         return ERR_PTR(-EFAULT);
0409     }
0410
0411     return data;
0412 }
0413
0414 static ssize_t policy_update(u32 mask, const char __user *buf, size_t size,
0415                  loff_t *pos, struct aa_ns *ns)
0416 {
0417     struct aa_loaddata *data;
0418     struct aa_label *label;
0419     ssize_t error;
0420
0421     label = begin_current_label_crit_section();
0422
0423     /* high level check about policy management - fine grained in
0424      * below after unpack
0425      */
0426     error = aa_may_manage_policy(label, ns, mask);
0427     if (error)
0428         goto end_section;
0429
0430     data = aa_simple_write_to_buffer(buf, size, size, pos);
0431     error = PTR_ERR(data);
0432     if (!IS_ERR(data)) {
0433         error = aa_replace_profiles(ns, label, mask, data);
0434         aa_put_loaddata(data);
0435     }
0436 end_section:
0437     end_current_label_crit_section(label);
0438
0439     return error;
0440 }
0441
0442 /* .load file hook fn to load policy */
0443 static ssize_t profile_load(struct file *f, const char __user *buf, size_t size,
0444                 loff_t *pos)
0445 {
0446     struct aa_ns *ns = aa_get_ns(f->f_inode->i_private);
0447     int error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns);
0448
0449     aa_put_ns(ns);
0450
0451     return error;
0452 }
0453
0454 static const struct file_operations aa_fs_profile_load = {
0455     .write = profile_load,
0456     .llseek = default_llseek,
0457 };
0458
0459 /* .replace file hook fn to load and/or replace policy */
0460 static ssize_t profile_replace(struct file *f, const char __user *buf,
0461                    size_t size, loff_t *pos)
0462 {
0463     struct aa_ns *ns = aa_get_ns(f->f_inode->i_private);
0464     int error = policy_update(AA_MAY_LOAD_POLICY | AA_MAY_REPLACE_POLICY,
0465                   buf, size, pos, ns);
0466     aa_put_ns(ns);
0467
0468     return error;
0469 }
0470
0471 static const struct file_operations aa_fs_profile_replace = {
0472     .write = profile_replace,
0473     .llseek = default_llseek,
0474 };
0475
0476 /* .remove file hook fn to remove loaded policy */
0477 static ssize_t profile_remove(struct file *f, const char __user *buf,
0478                   size_t size, loff_t *pos)
0479 {
0480     struct aa_loaddata *data;
0481     struct aa_label *label;
0482     ssize_t error;
0483     struct aa_ns *ns = aa_get_ns(f->f_inode->i_private);
0484
0485     label = begin_current_label_crit_section();
0486     /* high level check about policy management - fine grained in
0487      * below after unpack
0488      */
0489     error = aa_may_manage_policy(label, ns, AA_MAY_REMOVE_POLICY);
0490     if (error)
0491         goto out;
0492
0493     /*
0494      * aa_remove_profile needs a null terminated string so 1 extra
0495      * byte is allocated and the copied data is null terminated.
0496      */
0497     data = aa_simple_write_to_buffer(buf, size + 1, size, pos);
0498
0499     error = PTR_ERR(data);
0500     if (!IS_ERR(data)) {
0501         data->data[size] = 0;
0502         error = aa_remove_profiles(ns, label, data->data, size);
0503         aa_put_loaddata(data);
0504     }
0505  out:
0506     end_current_label_crit_section(label);
0507     aa_put_ns(ns);
0508     return error;
0509 }
0510
0511 static const struct file_operations aa_fs_profile_remove = {
0512     .write = profile_remove,
0513     .llseek = default_llseek,
0514 };
0515
0516 struct aa_revision {
0517     struct aa_ns *ns;
0518     long last_read;
0519 };
0520
0521 /* revision file hook fn for policy loads */
0522 static int ns_revision_release(struct inode *inode, struct file *file)
0523 {
0524     struct aa_revision *rev = file->private_data;
0525
0526     if (rev) {
0527         aa_put_ns(rev->ns);
0528         kfree(rev);
0529     }
0530
0531     return 0;
0532 }
0533
0534 static ssize_t ns_revision_read(struct file *file, char __user *buf,
0535                 size_t size, loff_t *ppos)
0536 {
0537     struct aa_revision *rev = file->private_data;
0538     char buffer[32];
0539     long last_read;
0540     int avail;
0541
0542     mutex_lock_nested(&rev->ns->lock, rev->ns->level);
0543     last_read = rev->last_read;
0544     if (last_read == rev->ns->revision) {
0545         mutex_unlock(&rev->ns->lock);
0546         if (file->f_flags & O_NONBLOCK)
0547             return -EAGAIN;
0548         if (wait_event_interruptible(rev->ns->wait,
0549                          last_read !=
0550                          READ_ONCE(rev->ns->revision)))
0551             return -ERESTARTSYS;
0552         mutex_lock_nested(&rev->ns->lock, rev->ns->level);
0553     }
0554
0555     avail = sprintf(buffer, "%ld\n", rev->ns->revision);
0556     if (*ppos + size > avail) {
0557         rev->last_read = rev->ns->revision;
0558         *ppos = 0;
0559     }
0560     mutex_unlock(&rev->ns->lock);
0561
0562     return simple_read_from_buffer(buf, size, ppos, buffer, avail);
0563 }
0564
0565 static int ns_revision_open(struct inode *inode, struct file *file)
0566 {
0567     struct aa_revision *rev = kzalloc(sizeof(*rev), GFP_KERNEL);
0568
0569     if (!rev)
0570         return -ENOMEM;
0571
0572     rev->ns = aa_get_ns(inode->i_private);
0573     if (!rev->ns)
0574         rev->ns = aa_get_current_ns();
0575     file->private_data = rev;
0576
0577     return 0;
0578 }
0579
0580 static __poll_t ns_revision_poll(struct file *file, poll_table *pt)
0581 {
0582     struct aa_revision *rev = file->private_data;
0583     __poll_t mask = 0;
0584
0585     if (rev) {
0586         mutex_lock_nested(&rev->ns->lock, rev->ns->level);
0587         poll_wait(file, &rev->ns->wait, pt);
0588         if (rev->last_read < rev->ns->revision)
0589             mask |= EPOLLIN | EPOLLRDNORM;
0590         mutex_unlock(&rev->ns->lock);
0591     }
0592
0593     return mask;
0594 }
0595
0596 void __aa_bump_ns_revision(struct aa_ns *ns)
0597 {
0598     WRITE_ONCE(ns->revision, READ_ONCE(ns->revision) + 1);
0599     wake_up_interruptible(&ns->wait);
0600 }
0601
0602 static const struct file_operations aa_fs_ns_revision_fops = {
0603     .owner      = THIS_MODULE,
0604     .open       = ns_revision_open,
0605     .poll       = ns_revision_poll,
0606     .read       = ns_revision_read,
0607     .llseek     = generic_file_llseek,
0608     .release    = ns_revision_release,
0609 };
0610
0611 static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
0612                  const char *match_str, size_t match_len)
0613 {
0614     struct aa_perms tmp = { };
0615     struct aa_dfa *dfa;
0616     unsigned int state = 0;
0617
0618     if (profile_unconfined(profile))
0619         return;
0620     if (profile->file.dfa && *match_str == AA_CLASS_FILE) {
0621         dfa = profile->file.dfa;
0622         state = aa_dfa_match_len(dfa, profile->file.start,
0623                      match_str + 1, match_len - 1);
0624         if (state) {
0625             struct path_cond cond = { };
0626
0627             tmp = aa_compute_fperms(dfa, state, &cond);
0628         }
0629     } else if (profile->policy.dfa) {
0630         if (!PROFILE_MEDIATES(profile, *match_str))
0631             return; /* no change to current perms */
0632         dfa = profile->policy.dfa;
0633         state = aa_dfa_match_len(dfa, profile->policy.start[0],
0634                      match_str, match_len);
0635         if (state)
0636             aa_compute_perms(dfa, state, &tmp);
0637     }
0638     aa_apply_modes_to_perms(profile, &tmp);
0639     aa_perms_accum_raw(perms, &tmp);
0640 }
0641
0642
0643 /**
0644  * query_data - queries a policy and writes its data to buf
0645  * @buf: the resulting data is stored here (NOT NULL)
0646  * @buf_len: size of buf
0647  * @query: query string used to retrieve data
0648  * @query_len: size of query including second NUL byte
0649  *
0650  * The buffers pointed to by buf and query may overlap. The query buffer is
0651  * parsed before buf is written to.
0652  *
0653  * The query should look like "<LABEL>\0<KEY>\0", where <LABEL> is the name of
0654  * the security confinement context and <KEY> is the name of the data to
0655  * retrieve. <LABEL> and <KEY> must not be NUL-terminated.
0656  *
0657  * Don't expect the contents of buf to be preserved on failure.
0658  *
0659  * Returns: number of characters written to buf or -errno on failure
0660  */
0661 static ssize_t query_data(char *buf, size_t buf_len,
0662               char *query, size_t query_len)
0663 {
0664     char *out;
0665     const char *key;
0666     struct label_it i;
0667     struct aa_label *label, *curr;
0668     struct aa_profile *profile;
0669     struct aa_data *data;
0670     u32 bytes, blocks;
0671     __le32 outle32;
0672
0673     if (!query_len)
0674         return -EINVAL; /* need a query */
0675
0676     key = query + strnlen(query, query_len) + 1;
0677     if (key + 1 >= query + query_len)
0678         return -EINVAL; /* not enough space for a non-empty key */
0679     if (key + strnlen(key, query + query_len - key) >= query + query_len)
0680         return -EINVAL; /* must end with NUL */
0681
0682     if (buf_len < sizeof(bytes) + sizeof(blocks))
0683         return -EINVAL; /* not enough space */
0684
0685     curr = begin_current_label_crit_section();
0686     label = aa_label_parse(curr, query, GFP_KERNEL, false, false);
0687     end_current_label_crit_section(curr);
0688     if (IS_ERR(label))
0689         return PTR_ERR(label);
0690
0691     /* We are going to leave space for two numbers. The first is the total
0692      * number of bytes we are writing after the first number. This is so
0693      * users can read the full output without reallocation.
0694      *
0695      * The second number is the number of data blocks we're writing. An
0696      * application might be confined by multiple policies having data in
0697      * the same key.
0698      */
0699     memset(buf, 0, sizeof(bytes) + sizeof(blocks));
0700     out = buf + sizeof(bytes) + sizeof(blocks);
0701
0702     blocks = 0;
0703     label_for_each_confined(i, label, profile) {
0704         if (!profile->data)
0705             continue;
0706
0707         data = rhashtable_lookup_fast(profile->data, &key,
0708                           profile->data->p);
0709
0710         if (data) {
0711             if (out + sizeof(outle32) + data->size > buf +
0712                 buf_len) {
0713                 aa_put_label(label);
0714                 return -EINVAL; /* not enough space */
0715             }
0716             outle32 = __cpu_to_le32(data->size);
0717             memcpy(out, &outle32, sizeof(outle32));
0718             out += sizeof(outle32);
0719             memcpy(out, data->data, data->size);
0720             out += data->size;
0721             blocks++;
0722         }
0723     }
0724     aa_put_label(label);
0725
0726     outle32 = __cpu_to_le32(out - buf - sizeof(bytes));
0727     memcpy(buf, &outle32, sizeof(outle32));
0728     outle32 = __cpu_to_le32(blocks);
0729     memcpy(buf + sizeof(bytes), &outle32, sizeof(outle32));
0730
0731     return out - buf;
0732 }
0733
0734 /**
0735  * query_label - queries a label and writes permissions to buf
0736  * @buf: the resulting permissions string is stored here (NOT NULL)
0737  * @buf_len: size of buf
0738  * @query: binary query string to match against the dfa
0739  * @query_len: size of query
0740  * @view_only: only compute for querier's view
0741  *
0742  * The buffers pointed to by buf and query may overlap. The query buffer is
0743  * parsed before buf is written to.
0744  *
0745  * The query should look like "LABEL_NAME\0DFA_STRING" where LABEL_NAME is
0746  * the name of the label, in the current namespace, that is to be queried and
0747  * DFA_STRING is a binary string to match against the label(s)'s DFA.
0748  *
0749  * LABEL_NAME must be NUL terminated. DFA_STRING may contain NUL characters
0750  * but must *not* be NUL terminated.
0751  *
0752  * Returns: number of characters written to buf or -errno on failure
0753  */
0754 static ssize_t query_label(char *buf, size_t buf_len,
0755                char *query, size_t query_len, bool view_only)
0756 {
0757     struct aa_profile *profile;
0758     struct aa_label *label, *curr;
0759     char *label_name, *match_str;
0760     size_t label_name_len, match_len;
0761     struct aa_perms perms;
0762     struct label_it i;
0763
0764     if (!query_len)
0765         return -EINVAL;
0766
0767     label_name = query;
0768     label_name_len = strnlen(query, query_len);
0769     if (!label_name_len || label_name_len == query_len)
0770         return -EINVAL;
0771
0772     /**
0773      * The extra byte is to account for the null byte between the
0774      * profile name and dfa string. profile_name_len is greater
0775      * than zero and less than query_len, so a byte can be safely
0776      * added or subtracted.
0777      */
0778     match_str = label_name + label_name_len + 1;
0779     match_len = query_len - label_name_len - 1;
0780
0781     curr = begin_current_label_crit_section();
0782     label = aa_label_parse(curr, label_name, GFP_KERNEL, false, false);
0783     end_current_label_crit_section(curr);
0784     if (IS_ERR(label))
0785         return PTR_ERR(label);
0786
0787     perms = allperms;
0788     if (view_only) {
0789         label_for_each_in_ns(i, labels_ns(label), label, profile) {
0790             profile_query_cb(profile, &perms, match_str, match_len);
0791         }
0792     } else {
0793         label_for_each(i, label, profile) {
0794             profile_query_cb(profile, &perms, match_str, match_len);
0795         }
0796     }
0797     aa_put_label(label);
0798
0799     return scnprintf(buf, buf_len,
0800               "allow 0x%08x\ndeny 0x%08x\naudit 0x%08x\nquiet 0x%08x\n",
0801               perms.allow, perms.deny, perms.audit, perms.quiet);
0802 }
0803
0804 /*
0805  * Transaction based IO.
0806  * The file expects a write which triggers the transaction, and then
0807  * possibly a read(s) which collects the result - which is stored in a
0808  * file-local buffer. Once a new write is performed, a new set of results
0809  * are stored in the file-local buffer.
0810  */
0811 struct multi_transaction {
0812     struct kref count;
0813     ssize_t size;
0814     char data[];
0815 };
0816
0817 #define MULTI_TRANSACTION_LIMIT (PAGE_SIZE - sizeof(struct multi_transaction))
0818
0819 static void multi_transaction_kref(struct kref *kref)
0820 {
0821     struct multi_transaction *t;
0822
0823     t = container_of(kref, struct multi_transaction, count);
0824     free_page((unsigned long) t);
0825 }
0826
0827 static struct multi_transaction *
0828 get_multi_transaction(struct multi_transaction *t)
0829 {
0830     if  (t)
0831         kref_get(&(t->count));
0832
0833     return t;
0834 }
0835
0836 static void put_multi_transaction(struct multi_transaction *t)
0837 {
0838     if (t)
0839         kref_put(&(t->count), multi_transaction_kref);
0840 }
0841
0842 /* does not increment @new's count */
0843 static void multi_transaction_set(struct file *file,
0844                   struct multi_transaction *new, size_t n)
0845 {
0846     struct multi_transaction *old;
0847
0848     AA_BUG(n > MULTI_TRANSACTION_LIMIT);
0849
0850     new->size = n;
0851     spin_lock(&file->f_lock);
0852     old = (struct multi_transaction *) file->private_data;
0853     file->private_data = new;
0854     spin_unlock(&file->f_lock);
0855     put_multi_transaction(old);
0856 }
0857
0858 static struct multi_transaction *multi_transaction_new(struct file *file,
0859                                const char __user *buf,
0860                                size_t size)
0861 {
0862     struct multi_transaction *t;
0863
0864     if (size > MULTI_TRANSACTION_LIMIT - 1)
0865         return ERR_PTR(-EFBIG);
0866
0867     t = (struct multi_transaction *)get_zeroed_page(GFP_KERNEL);
0868     if (!t)
0869         return ERR_PTR(-ENOMEM);
0870     kref_init(&t->count);
0871     if (copy_from_user(t->data, buf, size))
0872         return ERR_PTR(-EFAULT);
0873
0874     return t;
0875 }
0876
0877 static ssize_t multi_transaction_read(struct file *file, char __user *buf,
0878                        size_t size, loff_t *pos)
0879 {
0880     struct multi_transaction *t;
0881     ssize_t ret;
0882
0883     spin_lock(&file->f_lock);
0884     t = get_multi_transaction(file->private_data);
0885     spin_unlock(&file->f_lock);
0886
0887     if (!t)
0888         return 0;
0889
0890     ret = simple_read_from_buffer(buf, size, pos, t->data, t->size);
0891     put_multi_transaction(t);
0892
0893     return ret;
0894 }
0895
0896 static int multi_transaction_release(struct inode *inode, struct file *file)
0897 {
0898     put_multi_transaction(file->private_data);
0899
0900     return 0;
0901 }
0902
0903 #define QUERY_CMD_LABEL     "label\0"
0904 #define QUERY_CMD_LABEL_LEN 6
0905 #define QUERY_CMD_PROFILE   "profile\0"
0906 #define QUERY_CMD_PROFILE_LEN   8
0907 #define QUERY_CMD_LABELALL  "labelall\0"
0908 #define QUERY_CMD_LABELALL_LEN  9
0909 #define QUERY_CMD_DATA      "data\0"
0910 #define QUERY_CMD_DATA_LEN  5
0911
0912 /**
0913  * aa_write_access - generic permissions and data query
0914  * @file: pointer to open apparmorfs/access file
0915  * @ubuf: user buffer containing the complete query string (NOT NULL)
0916  * @count: size of ubuf
0917  * @ppos: position in the file (MUST BE ZERO)
0918  *
0919  * Allows for one permissions or data query per open(), write(), and read()
0920  * sequence. The only queries currently supported are label-based queries for
0921  * permissions or data.
0922  *
0923  * For permissions queries, ubuf must begin with "label\0", followed by the
0924  * profile query specific format described in the query_label() function
0925  * documentation.
0926  *
0927  * For data queries, ubuf must have the form "data\0<LABEL>\0<KEY>\0", where
0928  * <LABEL> is the name of the security confinement context and <KEY> is the
0929  * name of the data to retrieve.
0930  *
0931  * Returns: number of bytes written or -errno on failure
0932  */
0933 static ssize_t aa_write_access(struct file *file, const char __user *ubuf,
0934                    size_t count, loff_t *ppos)
0935 {
0936     struct multi_transaction *t;
0937     ssize_t len;
0938
0939     if (*ppos)
0940         return -ESPIPE;
0941
0942     t = multi_transaction_new(file, ubuf, count);
0943     if (IS_ERR(t))
0944         return PTR_ERR(t);
0945
0946     if (count > QUERY_CMD_PROFILE_LEN &&
0947         !memcmp(t->data, QUERY_CMD_PROFILE, QUERY_CMD_PROFILE_LEN)) {
0948         len = query_label(t->data, MULTI_TRANSACTION_LIMIT,
0949                   t->data + QUERY_CMD_PROFILE_LEN,
0950                   count - QUERY_CMD_PROFILE_LEN, true);
0951     } else if (count > QUERY_CMD_LABEL_LEN &&
0952            !memcmp(t->data, QUERY_CMD_LABEL, QUERY_CMD_LABEL_LEN)) {
0953         len = query_label(t->data, MULTI_TRANSACTION_LIMIT,
0954                   t->data + QUERY_CMD_LABEL_LEN,
0955                   count - QUERY_CMD_LABEL_LEN, true);
0956     } else if (count > QUERY_CMD_LABELALL_LEN &&
0957            !memcmp(t->data, QUERY_CMD_LABELALL,
0958                QUERY_CMD_LABELALL_LEN)) {
0959         len = query_label(t->data, MULTI_TRANSACTION_LIMIT,
0960                   t->data + QUERY_CMD_LABELALL_LEN,
0961                   count - QUERY_CMD_LABELALL_LEN, false);
0962     } else if (count > QUERY_CMD_DATA_LEN &&
0963            !memcmp(t->data, QUERY_CMD_DATA, QUERY_CMD_DATA_LEN)) {
0964         len = query_data(t->data, MULTI_TRANSACTION_LIMIT,
0965                  t->data + QUERY_CMD_DATA_LEN,
0966                  count - QUERY_CMD_DATA_LEN);
0967     } else
0968         len = -EINVAL;
0969
0970     if (len < 0) {
0971         put_multi_transaction(t);
0972         return len;
0973     }
0974
0975     multi_transaction_set(file, t, len);
0976
0977     return count;
0978 }
0979
0980 static const struct file_operations aa_sfs_access = {
0981     .write      = aa_write_access,
0982     .read       = multi_transaction_read,
0983     .release    = multi_transaction_release,
0984     .llseek     = generic_file_llseek,
0985 };
0986
0987 static int aa_sfs_seq_show(struct seq_file *seq, void *v)
0988 {
0989     struct aa_sfs_entry *fs_file = seq->private;
0990
0991     if (!fs_file)
0992         return 0;
0993
0994     switch (fs_file->v_type) {
0995     case AA_SFS_TYPE_BOOLEAN:
0996         seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no");
0997         break;
0998     case AA_SFS_TYPE_STRING:
0999         seq_printf(seq, "%s\n", fs_file->v.string);
1000         break;
1001     case AA_SFS_TYPE_U64:
1002         seq_printf(seq, "%#08lx\n", fs_file->v.u64);
1003         break;
1004     default:
1005         /* Ignore unpritable entry types. */
1006         break;
1007     }
1008
1009     return 0;
1010 }
1011
1012 static int aa_sfs_seq_open(struct inode *inode, struct file *file)
1013 {
1014     return single_open(file, aa_sfs_seq_show, inode->i_private);
1015 }
1016
1017 const struct file_operations aa_sfs_seq_file_ops = {
1018     .owner      = THIS_MODULE,
1019     .open       = aa_sfs_seq_open,
1020     .read       = seq_read,
1021     .llseek     = seq_lseek,
1022     .release    = single_release,
1023 };
1024
1025 /*
1026  * profile based file operations
1027  *     policy/profiles/XXXX/profiles/ *
1028  */
1029
1030 #define SEQ_PROFILE_FOPS(NAME)                            \
1031 static int seq_profile_ ##NAME ##_open(struct inode *inode, struct file *file)\
1032 {                                         \
1033     return seq_profile_open(inode, file, seq_profile_ ##NAME ##_show);    \
1034 }                                         \
1035                                           \
1036 static const struct file_operations seq_profile_ ##NAME ##_fops = {       \
1037     .owner      = THIS_MODULE,                        \
1038     .open       = seq_profile_ ##NAME ##_open,                \
1039     .read       = seq_read,                       \
1040     .llseek     = seq_lseek,                          \
1041     .release    = seq_profile_release,                    \
1042 }                                         \
1043
1044 static int seq_profile_open(struct inode *inode, struct file *file,
1045                 int (*show)(struct seq_file *, void *))
1046 {
1047     struct aa_proxy *proxy = aa_get_proxy(inode->i_private);
1048     int error = single_open(file, show, proxy);
1049
1050     if (error) {
1051         file->private_data = NULL;
1052         aa_put_proxy(proxy);
1053     }
1054
1055     return error;
1056 }
1057
1058 static int seq_profile_release(struct inode *inode, struct file *file)
1059 {
1060     struct seq_file *seq = (struct seq_file *) file->private_data;
1061     if (seq)
1062         aa_put_proxy(seq->private);
1063     return single_release(inode, file);
1064 }
1065
1066 static int seq_profile_name_show(struct seq_file *seq, void *v)
1067 {
1068     struct aa_proxy *proxy = seq->private;
1069     struct aa_label *label = aa_get_label_rcu(&proxy->label);
1070     struct aa_profile *profile = labels_profile(label);
1071     seq_printf(seq, "%s\n", profile->base.name);
1072     aa_put_label(label);
1073
1074     return 0;
1075 }
1076
1077 static int seq_profile_mode_show(struct seq_file *seq, void *v)
1078 {
1079     struct aa_proxy *proxy = seq->private;
1080     struct aa_label *label = aa_get_label_rcu(&proxy->label);
1081     struct aa_profile *profile = labels_profile(label);
1082     seq_printf(seq, "%s\n", aa_profile_mode_names[profile->mode]);
1083     aa_put_label(label);
1084
1085     return 0;
1086 }
1087
1088 static int seq_profile_attach_show(struct seq_file *seq, void *v)
1089 {
1090     struct aa_proxy *proxy = seq->private;
1091     struct aa_label *label = aa_get_label_rcu(&proxy->label);
1092     struct aa_profile *profile = labels_profile(label);
1093     if (profile->attach)
1094         seq_printf(seq, "%s\n", profile->attach);
1095     else if (profile->xmatch)
1096         seq_puts(seq, "<unknown>\n");
1097     else
1098         seq_printf(seq, "%s\n", profile->base.name);
1099     aa_put_label(label);
1100
1101     return 0;
1102 }
1103
1104 static int seq_profile_hash_show(struct seq_file *seq, void *v)
1105 {
1106     struct aa_proxy *proxy = seq->private;
1107     struct aa_label *label = aa_get_label_rcu(&proxy->label);
1108     struct aa_profile *profile = labels_profile(label);
1109     unsigned int i, size = aa_hash_size();
1110
1111     if (profile->hash) {
1112         for (i = 0; i < size; i++)
1113             seq_printf(seq, "%.2x", profile->hash[i]);
1114         seq_putc(seq, '\n');
1115     }
1116     aa_put_label(label);
1117
1118     return 0;
1119 }
1120
1121 SEQ_PROFILE_FOPS(name);
1122 SEQ_PROFILE_FOPS(mode);
1123 SEQ_PROFILE_FOPS(attach);
1124 SEQ_PROFILE_FOPS(hash);
1125
1126 /*
1127  * namespace based files
1128  *     several root files and
1129  *     policy/ *
1130  */
1131
1132 #define SEQ_NS_FOPS(NAME)                             \
1133 static int seq_ns_ ##NAME ##_open(struct inode *inode, struct file *file)     \
1134 {                                         \
1135     return single_open(file, seq_ns_ ##NAME ##_show, inode->i_private);   \
1136 }                                         \
1137                                           \
1138 static const struct file_operations seq_ns_ ##NAME ##_fops = {        \
1139     .owner      = THIS_MODULE,                        \
1140     .open       = seq_ns_ ##NAME ##_open,                 \
1141     .read       = seq_read,                       \
1142     .llseek     = seq_lseek,                          \
1143     .release    = single_release,                     \
1144 }                                         \
1145
1146 static int seq_ns_stacked_show(struct seq_file *seq, void *v)
1147 {
1148     struct aa_label *label;
1149
1150     label = begin_current_label_crit_section();
1151     seq_printf(seq, "%s\n", label->size > 1 ? "yes" : "no");
1152     end_current_label_crit_section(label);
1153
1154     return 0;
1155 }
1156
1157 static int seq_ns_nsstacked_show(struct seq_file *seq, void *v)
1158 {
1159     struct aa_label *label;
1160     struct aa_profile *profile;
1161     struct label_it it;
1162     int count = 1;
1163
1164     label = begin_current_label_crit_section();
1165
1166     if (label->size > 1) {
1167         label_for_each(it, label, profile)
1168             if (profile->ns != labels_ns(label)) {
1169                 count++;
1170                 break;
1171             }
1172     }
1173
1174     seq_printf(seq, "%s\n", count > 1 ? "yes" : "no");
1175     end_current_label_crit_section(label);
1176
1177     return 0;
1178 }
1179
1180 static int seq_ns_level_show(struct seq_file *seq, void *v)
1181 {
1182     struct aa_label *label;
1183
1184     label = begin_current_label_crit_section();
1185     seq_printf(seq, "%d\n", labels_ns(label)->level);
1186     end_current_label_crit_section(label);
1187
1188     return 0;
1189 }
1190
1191 static int seq_ns_name_show(struct seq_file *seq, void *v)
1192 {
1193     struct aa_label *label = begin_current_label_crit_section();
1194     seq_printf(seq, "%s\n", labels_ns(label)->base.name);
1195     end_current_label_crit_section(label);
1196
1197     return 0;
1198 }
1199
1200 SEQ_NS_FOPS(stacked);
1201 SEQ_NS_FOPS(nsstacked);
1202 SEQ_NS_FOPS(level);
1203 SEQ_NS_FOPS(name);
1204
1205
1206 /* policy/raw_data/ * file ops */
1207 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
1208 #define SEQ_RAWDATA_FOPS(NAME)                            \
1209 static int seq_rawdata_ ##NAME ##_open(struct inode *inode, struct file *file)\
1210 {                                         \
1211     return seq_rawdata_open(inode, file, seq_rawdata_ ##NAME ##_show);    \
1212 }                                         \
1213                                           \
1214 static const struct file_operations seq_rawdata_ ##NAME ##_fops = {       \
1215     .owner      = THIS_MODULE,                        \
1216     .open       = seq_rawdata_ ##NAME ##_open,                \
1217     .read       = seq_read,                       \
1218     .llseek     = seq_lseek,                          \
1219     .release    = seq_rawdata_release,                    \
1220 }                                         \
1221
1222 static int seq_rawdata_open(struct inode *inode, struct file *file,
1223                 int (*show)(struct seq_file *, void *))
1224 {
1225     struct aa_loaddata *data = __aa_get_loaddata(inode->i_private);
1226     int error;
1227
1228     if (!data)
1229         /* lost race this ent is being reaped */
1230         return -ENOENT;
1231
1232     error = single_open(file, show, data);
1233     if (error) {
1234         AA_BUG(file->private_data &&
1235                ((struct seq_file *)file->private_data)->private);
1236         aa_put_loaddata(data);
1237     }
1238
1239     return error;
1240 }
1241
1242 static int seq_rawdata_release(struct inode *inode, struct file *file)
1243 {
1244     struct seq_file *seq = (struct seq_file *) file->private_data;
1245
1246     if (seq)
1247         aa_put_loaddata(seq->private);
1248
1249     return single_release(inode, file);
1250 }
1251
1252 static int seq_rawdata_abi_show(struct seq_file *seq, void *v)
1253 {
1254     struct aa_loaddata *data = seq->private;
1255
1256     seq_printf(seq, "v%d\n", data->abi);
1257
1258     return 0;
1259 }
1260
1261 static int seq_rawdata_revision_show(struct seq_file *seq, void *v)
1262 {
1263     struct aa_loaddata *data = seq->private;
1264
1265     seq_printf(seq, "%ld\n", data->revision);
1266
1267     return 0;
1268 }
1269
1270 static int seq_rawdata_hash_show(struct seq_file *seq, void *v)
1271 {
1272     struct aa_loaddata *data = seq->private;
1273     unsigned int i, size = aa_hash_size();
1274
1275     if (data->hash) {
1276         for (i = 0; i < size; i++)
1277             seq_printf(seq, "%.2x", data->hash[i]);
1278         seq_putc(seq, '\n');
1279     }
1280
1281     return 0;
1282 }
1283
1284 static int seq_rawdata_compressed_size_show(struct seq_file *seq, void *v)
1285 {
1286     struct aa_loaddata *data = seq->private;
1287
1288     seq_printf(seq, "%zu\n", data->compressed_size);
1289
1290     return 0;
1291 }
1292
1293 SEQ_RAWDATA_FOPS(abi);
1294 SEQ_RAWDATA_FOPS(revision);
1295 SEQ_RAWDATA_FOPS(hash);
1296 SEQ_RAWDATA_FOPS(compressed_size);
1297
1298 static int deflate_decompress(char *src, size_t slen, char *dst, size_t dlen)
1299 {
1300 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
1301     if (aa_g_rawdata_compression_level != 0) {
1302         int error = 0;
1303         struct z_stream_s strm;
1304
1305         memset(&strm, 0, sizeof(strm));
1306
1307         strm.workspace = kvzalloc(zlib_inflate_workspacesize(), GFP_KERNEL);
1308         if (!strm.workspace)
1309             return -ENOMEM;
1310
1311         strm.next_in = src;
1312         strm.avail_in = slen;
1313
1314         error = zlib_inflateInit(&strm);
1315         if (error != Z_OK) {
1316             error = -ENOMEM;
1317             goto fail_inflate_init;
1318         }
1319
1320         strm.next_out = dst;
1321         strm.avail_out = dlen;
1322
1323         error = zlib_inflate(&strm, Z_FINISH);
1324         if (error != Z_STREAM_END)
1325             error = -EINVAL;
1326         else
1327             error = 0;
1328
1329         zlib_inflateEnd(&strm);
1330 fail_inflate_init:
1331         kvfree(strm.workspace);
1332
1333         return error;
1334     }
1335 #endif
1336
1337     if (dlen < slen)
1338         return -EINVAL;
1339     memcpy(dst, src, slen);
1340     return 0;
1341 }
1342
1343 static ssize_t rawdata_read(struct file *file, char __user *buf, size_t size,
1344                 loff_t *ppos)
1345 {
1346     struct rawdata_f_data *private = file->private_data;
1347
1348     return simple_read_from_buffer(buf, size, ppos,
1349                        RAWDATA_F_DATA_BUF(private),
1350                        private->loaddata->size);
1351 }
1352
1353 static int rawdata_release(struct inode *inode, struct file *file)
1354 {
1355     rawdata_f_data_free(file->private_data);
1356
1357     return 0;
1358 }
1359
1360 static int rawdata_open(struct inode *inode, struct file *file)
1361 {
1362     int error;
1363     struct aa_loaddata *loaddata;
1364     struct rawdata_f_data *private;
1365
1366     if (!aa_current_policy_view_capable(NULL))
1367         return -EACCES;
1368
1369     loaddata = __aa_get_loaddata(inode->i_private);
1370     if (!loaddata)
1371         /* lost race: this entry is being reaped */
1372         return -ENOENT;
1373
1374     private = rawdata_f_data_alloc(loaddata->size);
1375     if (IS_ERR(private)) {
1376         error = PTR_ERR(private);
1377         goto fail_private_alloc;
1378     }
1379
1380     private->loaddata = loaddata;
1381
1382     error = deflate_decompress(loaddata->data, loaddata->compressed_size,
1383                    RAWDATA_F_DATA_BUF(private),
1384                    loaddata->size);
1385     if (error)
1386         goto fail_decompress;
1387
1388     file->private_data = private;
1389     return 0;
1390
1391 fail_decompress:
1392     rawdata_f_data_free(private);
1393     return error;
1394
1395 fail_private_alloc:
1396     aa_put_loaddata(loaddata);
1397     return error;
1398 }
1399
1400 static const struct file_operations rawdata_fops = {
1401     .open = rawdata_open,
1402     .read = rawdata_read,
1403     .llseek = generic_file_llseek,
1404     .release = rawdata_release,
1405 };
1406
1407 static void remove_rawdata_dents(struct aa_loaddata *rawdata)
1408 {
1409     int i;
1410
1411     for (i = 0; i < AAFS_LOADDATA_NDENTS; i++) {
1412         if (!IS_ERR_OR_NULL(rawdata->dents[i])) {
1413             /* no refcounts on i_private */
1414             aafs_remove(rawdata->dents[i]);
1415             rawdata->dents[i] = NULL;
1416         }
1417     }
1418 }
1419
1420 void __aa_fs_remove_rawdata(struct aa_loaddata *rawdata)
1421 {
1422     AA_BUG(rawdata->ns && !mutex_is_locked(&rawdata->ns->lock));
1423
1424     if (rawdata->ns) {
1425         remove_rawdata_dents(rawdata);
1426         list_del_init(&rawdata->list);
1427         aa_put_ns(rawdata->ns);
1428         rawdata->ns = NULL;
1429     }
1430 }
1431
1432 int __aa_fs_create_rawdata(struct aa_ns *ns, struct aa_loaddata *rawdata)
1433 {
1434     struct dentry *dent, *dir;
1435
1436     AA_BUG(!ns);
1437     AA_BUG(!rawdata);
1438     AA_BUG(!mutex_is_locked(&ns->lock));
1439     AA_BUG(!ns_subdata_dir(ns));
1440
1441     /*
1442      * just use ns revision dir was originally created at. This is
1443      * under ns->lock and if load is successful revision will be
1444      * bumped and is guaranteed to be unique
1445      */
1446     rawdata->name = kasprintf(GFP_KERNEL, "%ld", ns->revision);
1447     if (!rawdata->name)
1448         return -ENOMEM;
1449
1450     dir = aafs_create_dir(rawdata->name, ns_subdata_dir(ns));
1451     if (IS_ERR(dir))
1452         /* ->name freed when rawdata freed */
1453         return PTR_ERR(dir);
1454     rawdata->dents[AAFS_LOADDATA_DIR] = dir;
1455
1456     dent = aafs_create_file("abi", S_IFREG | 0444, dir, rawdata,
1457                       &seq_rawdata_abi_fops);
1458     if (IS_ERR(dent))
1459         goto fail;
1460     rawdata->dents[AAFS_LOADDATA_ABI] = dent;
1461
1462     dent = aafs_create_file("revision", S_IFREG | 0444, dir, rawdata,
1463                       &seq_rawdata_revision_fops);
1464     if (IS_ERR(dent))
1465         goto fail;
1466     rawdata->dents[AAFS_LOADDATA_REVISION] = dent;
1467
1468     if (aa_g_hash_policy) {
1469         dent = aafs_create_file("sha1", S_IFREG | 0444, dir,
1470                           rawdata, &seq_rawdata_hash_fops);
1471         if (IS_ERR(dent))
1472             goto fail;
1473         rawdata->dents[AAFS_LOADDATA_HASH] = dent;
1474     }
1475
1476     dent = aafs_create_file("compressed_size", S_IFREG | 0444, dir,
1477                 rawdata,
1478                 &seq_rawdata_compressed_size_fops);
1479     if (IS_ERR(dent))
1480         goto fail;
1481     rawdata->dents[AAFS_LOADDATA_COMPRESSED_SIZE] = dent;
1482
1483     dent = aafs_create_file("raw_data", S_IFREG | 0444,
1484                       dir, rawdata, &rawdata_fops);
1485     if (IS_ERR(dent))
1486         goto fail;
1487     rawdata->dents[AAFS_LOADDATA_DATA] = dent;
1488     d_inode(dent)->i_size = rawdata->size;
1489
1490     rawdata->ns = aa_get_ns(ns);
1491     list_add(&rawdata->list, &ns->rawdata_list);
1492     /* no refcount on inode rawdata */
1493
1494     return 0;
1495
1496 fail:
1497     remove_rawdata_dents(rawdata);
1498
1499     return PTR_ERR(dent);
1500 }
1501 #endif /* CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */
1502
1503
1504 /** fns to setup dynamic per profile/namespace files **/
1505
1506 /*
1507  *
1508  * Requires: @profile->ns->lock held
1509  */
1510 void __aafs_profile_rmdir(struct aa_profile *profile)
1511 {
1512     struct aa_profile *child;
1513     int i;
1514
1515     if (!profile)
1516         return;
1517
1518     list_for_each_entry(child, &profile->base.profiles, base.list)
1519         __aafs_profile_rmdir(child);
1520
1521     for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) {
1522         struct aa_proxy *proxy;
1523         if (!profile->dents[i])
1524             continue;
1525
1526         proxy = d_inode(profile->dents[i])->i_private;
1527         aafs_remove(profile->dents[i]);
1528         aa_put_proxy(proxy);
1529         profile->dents[i] = NULL;
1530     }
1531 }
1532
1533 /*
1534  *
1535  * Requires: @old->ns->lock held
1536  */
1537 void __aafs_profile_migrate_dents(struct aa_profile *old,
1538                   struct aa_profile *new)
1539 {
1540     int i;
1541
1542     AA_BUG(!old);
1543     AA_BUG(!new);
1544     AA_BUG(!mutex_is_locked(&profiles_ns(old)->lock));
1545
1546     for (i = 0; i < AAFS_PROF_SIZEOF; i++) {
1547         new->dents[i] = old->dents[i];
1548         if (new->dents[i])
1549             new->dents[i]->d_inode->i_mtime = current_time(new->dents[i]->d_inode);
1550         old->dents[i] = NULL;
1551     }
1552 }
1553
1554 static struct dentry *create_profile_file(struct dentry *dir, const char *name,
1555                       struct aa_profile *profile,
1556                       const struct file_operations *fops)
1557 {
1558     struct aa_proxy *proxy = aa_get_proxy(profile->label.proxy);
1559     struct dentry *dent;
1560
1561     dent = aafs_create_file(name, S_IFREG | 0444, dir, proxy, fops);
1562     if (IS_ERR(dent))
1563         aa_put_proxy(proxy);
1564
1565     return dent;
1566 }
1567
1568 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
1569 static int profile_depth(struct aa_profile *profile)
1570 {
1571     int depth = 0;
1572
1573     rcu_read_lock();
1574     for (depth = 0; profile; profile = rcu_access_pointer(profile->parent))
1575         depth++;
1576     rcu_read_unlock();
1577
1578     return depth;
1579 }
1580
1581 static char *gen_symlink_name(int depth, const char *dirname, const char *fname)
1582 {
1583     char *buffer, *s;
1584     int error;
1585     int size = depth * 6 + strlen(dirname) + strlen(fname) + 11;
1586
1587     s = buffer = kmalloc(size, GFP_KERNEL);
1588     if (!buffer)
1589         return ERR_PTR(-ENOMEM);
1590
1591     for (; depth > 0; depth--) {
1592         strcpy(s, "../../");
1593         s += 6;
1594         size -= 6;
1595     }
1596
1597     error = snprintf(s, size, "raw_data/%s/%s", dirname, fname);
1598     if (error >= size || error < 0) {
1599         kfree(buffer);
1600         return ERR_PTR(-ENAMETOOLONG);
1601     }
1602
1603     return buffer;
1604 }
1605
1606 static void rawdata_link_cb(void *arg)
1607 {
1608     kfree(arg);
1609 }
1610
1611 static const char *rawdata_get_link_base(struct dentry *dentry,
1612                      struct inode *inode,
1613                      struct delayed_call *done,
1614                      const char *name)
1615 {
1616     struct aa_proxy *proxy = inode->i_private;
1617     struct aa_label *label;
1618     struct aa_profile *profile;
1619     char *target;
1620     int depth;
1621
1622     if (!dentry)
1623         return ERR_PTR(-ECHILD);
1624
1625     label = aa_get_label_rcu(&proxy->label);
1626     profile = labels_profile(label);
1627     depth = profile_depth(profile);
1628     target = gen_symlink_name(depth, profile->rawdata->name, name);
1629     aa_put_label(label);
1630
1631     if (IS_ERR(target))
1632         return target;
1633
1634     set_delayed_call(done, rawdata_link_cb, target);
1635
1636     return target;
1637 }
1638
1639 static const char *rawdata_get_link_sha1(struct dentry *dentry,
1640                      struct inode *inode,
1641                      struct delayed_call *done)
1642 {
1643     return rawdata_get_link_base(dentry, inode, done, "sha1");
1644 }
1645
1646 static const char *rawdata_get_link_abi(struct dentry *dentry,
1647                     struct inode *inode,
1648                     struct delayed_call *done)
1649 {
1650     return rawdata_get_link_base(dentry, inode, done, "abi");
1651 }
1652
1653 static const char *rawdata_get_link_data(struct dentry *dentry,
1654                      struct inode *inode,
1655                      struct delayed_call *done)
1656 {
1657     return rawdata_get_link_base(dentry, inode, done, "raw_data");
1658 }
1659
1660 static const struct inode_operations rawdata_link_sha1_iops = {
1661     .get_link   = rawdata_get_link_sha1,
1662 };
1663
1664 static const struct inode_operations rawdata_link_abi_iops = {
1665     .get_link   = rawdata_get_link_abi,
1666 };
1667 static const struct inode_operations rawdata_link_data_iops = {
1668     .get_link   = rawdata_get_link_data,
1669 };
1670 #endif /* CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */
1671
1672 /*
1673  * Requires: @profile->ns->lock held
1674  */
1675 int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent)
1676 {
1677     struct aa_profile *child;
1678     struct dentry *dent = NULL, *dir;
1679     int error;
1680
1681     AA_BUG(!profile);
1682     AA_BUG(!mutex_is_locked(&profiles_ns(profile)->lock));
1683
1684     if (!parent) {
1685         struct aa_profile *p;
1686         p = aa_deref_parent(profile);
1687         dent = prof_dir(p);
1688         /* adding to parent that previously didn't have children */
1689         dent = aafs_create_dir("profiles", dent);
1690         if (IS_ERR(dent))
1691             goto fail;
1692         prof_child_dir(p) = parent = dent;
1693     }
1694
1695     if (!profile->dirname) {
1696         int len, id_len;
1697         len = mangle_name(profile->base.name, NULL);
1698         id_len = snprintf(NULL, 0, ".%ld", profile->ns->uniq_id);
1699
1700         profile->dirname = kmalloc(len + id_len + 1, GFP_KERNEL);
1701         if (!profile->dirname) {
1702             error = -ENOMEM;
1703             goto fail2;
1704         }
1705
1706         mangle_name(profile->base.name, profile->dirname);
1707         sprintf(profile->dirname + len, ".%ld", profile->ns->uniq_id++);
1708     }
1709
1710     dent = aafs_create_dir(profile->dirname, parent);
1711     if (IS_ERR(dent))
1712         goto fail;
1713     prof_dir(profile) = dir = dent;
1714
1715     dent = create_profile_file(dir, "name", profile,
1716                    &seq_profile_name_fops);
1717     if (IS_ERR(dent))
1718         goto fail;
1719     profile->dents[AAFS_PROF_NAME] = dent;
1720
1721     dent = create_profile_file(dir, "mode", profile,
1722                    &seq_profile_mode_fops);
1723     if (IS_ERR(dent))
1724         goto fail;
1725     profile->dents[AAFS_PROF_MODE] = dent;
1726
1727     dent = create_profile_file(dir, "attach", profile,
1728                    &seq_profile_attach_fops);
1729     if (IS_ERR(dent))
1730         goto fail;
1731     profile->dents[AAFS_PROF_ATTACH] = dent;
1732
1733     if (profile->hash) {
1734         dent = create_profile_file(dir, "sha1", profile,
1735                        &seq_profile_hash_fops);
1736         if (IS_ERR(dent))
1737             goto fail;
1738         profile->dents[AAFS_PROF_HASH] = dent;
1739     }
1740
1741 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
1742     if (profile->rawdata) {
1743         if (aa_g_hash_policy) {
1744             dent = aafs_create("raw_sha1", S_IFLNK | 0444, dir,
1745                        profile->label.proxy, NULL, NULL,
1746                        &rawdata_link_sha1_iops);
1747             if (IS_ERR(dent))
1748                 goto fail;
1749             aa_get_proxy(profile->label.proxy);
1750             profile->dents[AAFS_PROF_RAW_HASH] = dent;
1751         }
1752         dent = aafs_create("raw_abi", S_IFLNK | 0444, dir,
1753                    profile->label.proxy, NULL, NULL,
1754                    &rawdata_link_abi_iops);
1755         if (IS_ERR(dent))
1756             goto fail;
1757         aa_get_proxy(profile->label.proxy);
1758         profile->dents[AAFS_PROF_RAW_ABI] = dent;
1759
1760         dent = aafs_create("raw_data", S_IFLNK | 0444, dir,
1761                    profile->label.proxy, NULL, NULL,
1762                    &rawdata_link_data_iops);
1763         if (IS_ERR(dent))
1764             goto fail;
1765         aa_get_proxy(profile->label.proxy);
1766         profile->dents[AAFS_PROF_RAW_DATA] = dent;
1767     }
1768 #endif /*CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */
1769
1770     list_for_each_entry(child, &profile->base.profiles, base.list) {
1771         error = __aafs_profile_mkdir(child, prof_child_dir(profile));
1772         if (error)
1773             goto fail2;
1774     }
1775
1776     return 0;
1777
1778 fail:
1779     error = PTR_ERR(dent);
1780
1781 fail2:
1782     __aafs_profile_rmdir(profile);
1783
1784     return error;
1785 }
1786
1787 static int ns_mkdir_op(struct user_namespace *mnt_userns, struct inode *dir,
1788                struct dentry *dentry, umode_t mode)
1789 {
1790     struct aa_ns *ns, *parent;
1791     /* TODO: improve permission check */
1792     struct aa_label *label;
1793     int error;
1794
1795     label = begin_current_label_crit_section();
1796     error = aa_may_manage_policy(label, NULL, AA_MAY_LOAD_POLICY);
1797     end_current_label_crit_section(label);
1798     if (error)
1799         return error;
1800
1801     parent = aa_get_ns(dir->i_private);
1802     AA_BUG(d_inode(ns_subns_dir(parent)) != dir);
1803
1804     /* we have to unlock and then relock to get locking order right
1805      * for pin_fs
1806      */
1807     inode_unlock(dir);
1808     error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count);
1809     mutex_lock_nested(&parent->lock, parent->level);
1810     inode_lock_nested(dir, I_MUTEX_PARENT);
1811     if (error)
1812         goto out;
1813
1814     error = __aafs_setup_d_inode(dir, dentry, mode | S_IFDIR,  NULL,
1815                      NULL, NULL, NULL);
1816     if (error)
1817         goto out_pin;
1818
1819     ns = __aa_find_or_create_ns(parent, READ_ONCE(dentry->d_name.name),
1820                     dentry);
1821     if (IS_ERR(ns)) {
1822         error = PTR_ERR(ns);
1823         ns = NULL;
1824     }
1825
1826     aa_put_ns(ns);      /* list ref remains */
1827 out_pin:
1828     if (error)
1829         simple_release_fs(&aafs_mnt, &aafs_count);
1830 out:
1831     mutex_unlock(&parent->lock);
1832     aa_put_ns(parent);
1833
1834     return error;
1835 }
1836
1837 static int ns_rmdir_op(struct inode *dir, struct dentry *dentry)
1838 {
1839     struct aa_ns *ns, *parent;
1840     /* TODO: improve permission check */
1841     struct aa_label *label;
1842     int error;
1843
1844     label = begin_current_label_crit_section();
1845     error = aa_may_manage_policy(label, NULL, AA_MAY_LOAD_POLICY);
1846     end_current_label_crit_section(label);
1847     if (error)
1848         return error;
1849
1850     parent = aa_get_ns(dir->i_private);
1851     /* rmdir calls the generic securityfs functions to remove files
1852      * from the apparmor dir. It is up to the apparmor ns locking
1853      * to avoid races.
1854      */
1855     inode_unlock(dir);
1856     inode_unlock(dentry->d_inode);
1857
1858     mutex_lock_nested(&parent->lock, parent->level);
1859     ns = aa_get_ns(__aa_findn_ns(&parent->sub_ns, dentry->d_name.name,
1860                      dentry->d_name.len));
1861     if (!ns) {
1862         error = -ENOENT;
1863         goto out;
1864     }
1865     AA_BUG(ns_dir(ns) != dentry);
1866
1867     __aa_remove_ns(ns);
1868     aa_put_ns(ns);
1869
1870 out:
1871     mutex_unlock(&parent->lock);
1872     inode_lock_nested(dir, I_MUTEX_PARENT);
1873     inode_lock(dentry->d_inode);
1874     aa_put_ns(parent);
1875
1876     return error;
1877 }
1878
1879 static const struct inode_operations ns_dir_inode_operations = {
1880     .lookup     = simple_lookup,
1881     .mkdir      = ns_mkdir_op,
1882     .rmdir      = ns_rmdir_op,
1883 };
1884
1885 static void __aa_fs_list_remove_rawdata(struct aa_ns *ns)
1886 {
1887     struct aa_loaddata *ent, *tmp;
1888
1889     AA_BUG(!mutex_is_locked(&ns->lock));
1890
1891     list_for_each_entry_safe(ent, tmp, &ns->rawdata_list, list)
1892         __aa_fs_remove_rawdata(ent);
1893 }
1894
1895 /*
1896  *
1897  * Requires: @ns->lock held
1898  */
1899 void __aafs_ns_rmdir(struct aa_ns *ns)
1900 {
1901     struct aa_ns *sub;
1902     struct aa_profile *child;
1903     int i;
1904
1905     if (!ns)
1906         return;
1907     AA_BUG(!mutex_is_locked(&ns->lock));
1908
1909     list_for_each_entry(child, &ns->base.profiles, base.list)
1910         __aafs_profile_rmdir(child);
1911
1912     list_for_each_entry(sub, &ns->sub_ns, base.list) {
1913         mutex_lock_nested(&sub->lock, sub->level);
1914         __aafs_ns_rmdir(sub);
1915         mutex_unlock(&sub->lock);
1916     }
1917
1918     __aa_fs_list_remove_rawdata(ns);
1919
1920     if (ns_subns_dir(ns)) {
1921         sub = d_inode(ns_subns_dir(ns))->i_private;
1922         aa_put_ns(sub);
1923     }
1924     if (ns_subload(ns)) {
1925         sub = d_inode(ns_subload(ns))->i_private;
1926         aa_put_ns(sub);
1927     }
1928     if (ns_subreplace(ns)) {
1929         sub = d_inode(ns_subreplace(ns))->i_private;
1930         aa_put_ns(sub);
1931     }
1932     if (ns_subremove(ns)) {
1933         sub = d_inode(ns_subremove(ns))->i_private;
1934         aa_put_ns(sub);
1935     }
1936     if (ns_subrevision(ns)) {
1937         sub = d_inode(ns_subrevision(ns))->i_private;
1938         aa_put_ns(sub);
1939     }
1940
1941     for (i = AAFS_NS_SIZEOF - 1; i >= 0; --i) {
1942         aafs_remove(ns->dents[i]);
1943         ns->dents[i] = NULL;
1944     }
1945 }
1946
1947 /* assumes cleanup in caller */
1948 static int __aafs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir)
1949 {
1950     struct dentry *dent;
1951
1952     AA_BUG(!ns);
1953     AA_BUG(!dir);
1954
1955     dent = aafs_create_dir("profiles", dir);
1956     if (IS_ERR(dent))
1957         return PTR_ERR(dent);
1958     ns_subprofs_dir(ns) = dent;
1959
1960     dent = aafs_create_dir("raw_data", dir);
1961     if (IS_ERR(dent))
1962         return PTR_ERR(dent);
1963     ns_subdata_dir(ns) = dent;
1964
1965     dent = aafs_create_file("revision", 0444, dir, ns,
1966                 &aa_fs_ns_revision_fops);
1967     if (IS_ERR(dent))
1968         return PTR_ERR(dent);
1969     aa_get_ns(ns);
1970     ns_subrevision(ns) = dent;
1971
1972     dent = aafs_create_file(".load", 0640, dir, ns,
1973                       &aa_fs_profile_load);
1974     if (IS_ERR(dent))
1975         return PTR_ERR(dent);
1976     aa_get_ns(ns);
1977     ns_subload(ns) = dent;
1978
1979     dent = aafs_create_file(".replace", 0640, dir, ns,
1980                       &aa_fs_profile_replace);
1981     if (IS_ERR(dent))
1982         return PTR_ERR(dent);
1983     aa_get_ns(ns);
1984     ns_subreplace(ns) = dent;
1985
1986     dent = aafs_create_file(".remove", 0640, dir, ns,
1987                       &aa_fs_profile_remove);
1988     if (IS_ERR(dent))
1989         return PTR_ERR(dent);
1990     aa_get_ns(ns);
1991     ns_subremove(ns) = dent;
1992
1993       /* use create_dentry so we can supply private data */
1994     dent = aafs_create("namespaces", S_IFDIR | 0755, dir, ns, NULL, NULL,
1995                &ns_dir_inode_operations);
1996     if (IS_ERR(dent))
1997         return PTR_ERR(dent);
1998     aa_get_ns(ns);
1999     ns_subns_dir(ns) = dent;
2000
2001     return 0;
2002 }
2003
2004 /*
2005  * Requires: @ns->lock held
2006  */
2007 int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name,
2008             struct dentry *dent)
2009 {
2010     struct aa_ns *sub;
2011     struct aa_profile *child;
2012     struct dentry *dir;
2013     int error;
2014
2015     AA_BUG(!ns);
2016     AA_BUG(!parent);
2017     AA_BUG(!mutex_is_locked(&ns->lock));
2018
2019     if (!name)
2020         name = ns->base.name;
2021
2022     if (!dent) {
2023         /* create ns dir if it doesn't already exist */
2024         dent = aafs_create_dir(name, parent);
2025         if (IS_ERR(dent))
2026             goto fail;
2027     } else
2028         dget(dent);
2029     ns_dir(ns) = dir = dent;
2030     error = __aafs_ns_mkdir_entries(ns, dir);
2031     if (error)
2032         goto fail2;
2033
2034     /* profiles */
2035     list_for_each_entry(child, &ns->base.profiles, base.list) {
2036         error = __aafs_profile_mkdir(child, ns_subprofs_dir(ns));
2037         if (error)
2038             goto fail2;
2039     }
2040
2041     /* subnamespaces */
2042     list_for_each_entry(sub, &ns->sub_ns, base.list) {
2043         mutex_lock_nested(&sub->lock, sub->level);
2044         error = __aafs_ns_mkdir(sub, ns_subns_dir(ns), NULL, NULL);
2045         mutex_unlock(&sub->lock);
2046         if (error)
2047             goto fail2;
2048     }
2049
2050     return 0;
2051
2052 fail:
2053     error = PTR_ERR(dent);
2054
2055 fail2:
2056     __aafs_ns_rmdir(ns);
2057
2058     return error;
2059 }
2060
2061 /**
2062  * __next_ns - find the next namespace to list
2063  * @root: root namespace to stop search at (NOT NULL)
2064  * @ns: current ns position (NOT NULL)
2065  *
2066  * Find the next namespace from @ns under @root and handle all locking needed
2067  * while switching current namespace.
2068  *
2069  * Returns: next namespace or NULL if at last namespace under @root
2070  * Requires: ns->parent->lock to be held
2071  * NOTE: will not unlock root->lock
2072  */
2073 static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns)
2074 {
2075     struct aa_ns *parent, *next;
2076
2077     AA_BUG(!root);
2078     AA_BUG(!ns);
2079     AA_BUG(ns != root && !mutex_is_locked(&ns->parent->lock));
2080
2081     /* is next namespace a child */
2082     if (!list_empty(&ns->sub_ns)) {
2083         next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
2084         mutex_lock_nested(&next->lock, next->level);
2085         return next;
2086     }
2087
2088     /* check if the next ns is a sibling, parent, gp, .. */
2089     parent = ns->parent;
2090     while (ns != root) {
2091         mutex_unlock(&ns->lock);
2092         next = list_next_entry(ns, base.list);
2093         if (!list_entry_is_head(next, &parent->sub_ns, base.list)) {
2094             mutex_lock_nested(&next->lock, next->level);
2095             return next;
2096         }
2097         ns = parent;
2098         parent = parent->parent;
2099     }
2100
2101     return NULL;
2102 }
2103
2104 /**
2105  * __first_profile - find the first profile in a namespace
2106  * @root: namespace that is root of profiles being displayed (NOT NULL)
2107  * @ns: namespace to start in   (NOT NULL)
2108  *
2109  * Returns: unrefcounted profile or NULL if no profile
2110  * Requires: profile->ns.lock to be held
2111  */
2112 static struct aa_profile *__first_profile(struct aa_ns *root,
2113                       struct aa_ns *ns)
2114 {
2115     AA_BUG(!root);
2116     AA_BUG(ns && !mutex_is_locked(&ns->lock));
2117
2118     for (; ns; ns = __next_ns(root, ns)) {
2119         if (!list_empty(&ns->base.profiles))
2120             return list_first_entry(&ns->base.profiles,
2121                         struct aa_profile, base.list);
2122     }
2123     return NULL;
2124 }
2125
2126 /**
2127  * __next_profile - step to the next profile in a profile tree
2128  * @p: current profile in tree (NOT NULL)
2129  *
2130  * Perform a depth first traversal on the profile tree in a namespace
2131  *
2132  * Returns: next profile or NULL if done
2133  * Requires: profile->ns.lock to be held
2134  */
2135 static struct aa_profile *__next_profile(struct aa_profile *p)
2136 {
2137     struct aa_profile *parent;
2138     struct aa_ns *ns = p->ns;
2139
2140     AA_BUG(!mutex_is_locked(&profiles_ns(p)->lock));
2141
2142     /* is next profile a child */
2143     if (!list_empty(&p->base.profiles))
2144         return list_first_entry(&p->base.profiles, typeof(*p),
2145                     base.list);
2146
2147     /* is next profile a sibling, parent sibling, gp, sibling, .. */
2148     parent = rcu_dereference_protected(p->parent,
2149                        mutex_is_locked(&p->ns->lock));
2150     while (parent) {
2151         p = list_next_entry(p, base.list);
2152         if (!list_entry_is_head(p, &parent->base.profiles, base.list))
2153             return p;
2154         p = parent;
2155         parent = rcu_dereference_protected(parent->parent,
2156                         mutex_is_locked(&parent->ns->lock));
2157     }
2158
2159     /* is next another profile in the namespace */
2160     p = list_next_entry(p, base.list);
2161     if (!list_entry_is_head(p, &ns->base.profiles, base.list))
2162         return p;
2163
2164     return NULL;
2165 }
2166
2167 /**
2168  * next_profile - step to the next profile in where ever it may be
2169  * @root: root namespace  (NOT NULL)
2170  * @profile: current profile  (NOT NULL)
2171  *
2172  * Returns: next profile or NULL if there isn't one
2173  */
2174 static struct aa_profile *next_profile(struct aa_ns *root,
2175                        struct aa_profile *profile)
2176 {
2177     struct aa_profile *next = __next_profile(profile);
2178     if (next)
2179         return next;
2180
2181     /* finished all profiles in namespace move to next namespace */
2182     return __first_profile(root, __next_ns(root, profile->ns));
2183 }
2184
2185 /**
2186  * p_start - start a depth first traversal of profile tree
2187  * @f: seq_file to fill
2188  * @pos: current position
2189  *
2190  * Returns: first profile under current namespace or NULL if none found
2191  *
2192  * acquires first ns->lock
2193  */
2194 static void *p_start(struct seq_file *f, loff_t *pos)
2195 {
2196     struct aa_profile *profile = NULL;
2197     struct aa_ns *root = aa_get_current_ns();
2198     loff_t l = *pos;
2199     f->private = root;
2200
2201     /* find the first profile */
2202     mutex_lock_nested(&root->lock, root->level);
2203     profile = __first_profile(root, root);
2204
2205     /* skip to position */
2206     for (; profile && l > 0; l--)
2207         profile = next_profile(root, profile);
2208
2209     return profile;
2210 }
2211
2212 /**
2213  * p_next - read the next profile entry
2214  * @f: seq_file to fill
2215  * @p: profile previously returned
2216  * @pos: current position
2217  *
2218  * Returns: next profile after @p or NULL if none
2219  *
2220  * may acquire/release locks in namespace tree as necessary
2221  */
2222 static void *p_next(struct seq_file *f, void *p, loff_t *pos)
2223 {
2224     struct aa_profile *profile = p;
2225     struct aa_ns *ns = f->private;
2226     (*pos)++;
2227
2228     return next_profile(ns, profile);
2229 }
2230
2231 /**
2232  * p_stop - stop depth first traversal
2233  * @f: seq_file we are filling
2234  * @p: the last profile writen
2235  *
2236  * Release all locking done by p_start/p_next on namespace tree
2237  */
2238 static void p_stop(struct seq_file *f, void *p)
2239 {
2240     struct aa_profile *profile = p;
2241     struct aa_ns *root = f->private, *ns;
2242
2243     if (profile) {
2244         for (ns = profile->ns; ns && ns != root; ns = ns->parent)
2245             mutex_unlock(&ns->lock);
2246     }
2247     mutex_unlock(&root->lock);
2248     aa_put_ns(root);
2249 }
2250
2251 /**
2252  * seq_show_profile - show a profile entry
2253  * @f: seq_file to file
2254  * @p: current position (profile)    (NOT NULL)
2255  *
2256  * Returns: error on failure
2257  */
2258 static int seq_show_profile(struct seq_file *f, void *p)
2259 {
2260     struct aa_profile *profile = (struct aa_profile *)p;
2261     struct aa_ns *root = f->private;
2262
2263     aa_label_seq_xprint(f, root, &profile->label,
2264                 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS, GFP_KERNEL);
2265     seq_putc(f, '\n');
2266
2267     return 0;
2268 }
2269
2270 static const struct seq_operations aa_sfs_profiles_op = {
2271     .start = p_start,
2272     .next = p_next,
2273     .stop = p_stop,
2274     .show = seq_show_profile,
2275 };
2276
2277 static int profiles_open(struct inode *inode, struct file *file)
2278 {
2279     if (!aa_current_policy_view_capable(NULL))
2280         return -EACCES;
2281
2282     return seq_open(file, &aa_sfs_profiles_op);
2283 }
2284
2285 static int profiles_release(struct inode *inode, struct file *file)
2286 {
2287     return seq_release(inode, file);
2288 }
2289
2290 static const struct file_operations aa_sfs_profiles_fops = {
2291     .open = profiles_open,
2292     .read = seq_read,
2293     .llseek = seq_lseek,
2294     .release = profiles_release,
2295 };
2296
2297
2298 /** Base file system setup **/
2299 static struct aa_sfs_entry aa_sfs_entry_file[] = {
2300     AA_SFS_FILE_STRING("mask",
2301                "create read write exec append mmap_exec link lock"),
2302     { }
2303 };
2304
2305 static struct aa_sfs_entry aa_sfs_entry_ptrace[] = {
2306     AA_SFS_FILE_STRING("mask", "read trace"),
2307     { }
2308 };
2309
2310 static struct aa_sfs_entry aa_sfs_entry_signal[] = {
2311     AA_SFS_FILE_STRING("mask", AA_SFS_SIG_MASK),
2312     { }
2313 };
2314
2315 static struct aa_sfs_entry aa_sfs_entry_attach[] = {
2316     AA_SFS_FILE_BOOLEAN("xattr", 1),
2317     { }
2318 };
2319 static struct aa_sfs_entry aa_sfs_entry_domain[] = {
2320     AA_SFS_FILE_BOOLEAN("change_hat",   1),
2321     AA_SFS_FILE_BOOLEAN("change_hatv",  1),
2322     AA_SFS_FILE_BOOLEAN("change_onexec",    1),
2323     AA_SFS_FILE_BOOLEAN("change_profile",   1),
2324     AA_SFS_FILE_BOOLEAN("stack",        1),
2325     AA_SFS_FILE_BOOLEAN("fix_binfmt_elf_mmap",  1),
2326     AA_SFS_FILE_BOOLEAN("post_nnp_subset",  1),
2327     AA_SFS_FILE_BOOLEAN("computed_longest_left",    1),
2328     AA_SFS_DIR("attach_conditions",     aa_sfs_entry_attach),
2329     AA_SFS_FILE_STRING("version", "1.2"),
2330     { }
2331 };
2332
2333 static struct aa_sfs_entry aa_sfs_entry_versions[] = {
2334     AA_SFS_FILE_BOOLEAN("v5",   1),
2335     AA_SFS_FILE_BOOLEAN("v6",   1),
2336     AA_SFS_FILE_BOOLEAN("v7",   1),
2337     AA_SFS_FILE_BOOLEAN("v8",   1),
2338     AA_SFS_FILE_BOOLEAN("v9",   1),
2339     { }
2340 };
2341
2342 static struct aa_sfs_entry aa_sfs_entry_policy[] = {
2343     AA_SFS_DIR("versions",          aa_sfs_entry_versions),
2344     AA_SFS_FILE_BOOLEAN("set_load",     1),
2345     /* number of out of band transitions supported */
2346     AA_SFS_FILE_U64("outofband",        MAX_OOB_SUPPORTED),
2347     { }
2348 };
2349
2350 static struct aa_sfs_entry aa_sfs_entry_mount[] = {
2351     AA_SFS_FILE_STRING("mask", "mount umount pivot_root"),
2352     { }
2353 };
2354
2355 static struct aa_sfs_entry aa_sfs_entry_ns[] = {
2356     AA_SFS_FILE_BOOLEAN("profile",      1),
2357     AA_SFS_FILE_BOOLEAN("pivot_root",   0),
2358     { }
2359 };
2360
2361 static struct aa_sfs_entry aa_sfs_entry_query_label[] = {
2362     AA_SFS_FILE_STRING("perms", "allow deny audit quiet"),
2363     AA_SFS_FILE_BOOLEAN("data",     1),
2364     AA_SFS_FILE_BOOLEAN("multi_transaction",    1),
2365     { }
2366 };
2367
2368 static struct aa_sfs_entry aa_sfs_entry_query[] = {
2369     AA_SFS_DIR("label",         aa_sfs_entry_query_label),
2370     { }
2371 };
2372 static struct aa_sfs_entry aa_sfs_entry_features[] = {
2373     AA_SFS_DIR("policy",            aa_sfs_entry_policy),
2374     AA_SFS_DIR("domain",            aa_sfs_entry_domain),
2375     AA_SFS_DIR("file",          aa_sfs_entry_file),
2376     AA_SFS_DIR("network_v8",        aa_sfs_entry_network),
2377     AA_SFS_DIR("mount",         aa_sfs_entry_mount),
2378     AA_SFS_DIR("namespaces",        aa_sfs_entry_ns),
2379     AA_SFS_FILE_U64("capability",       VFS_CAP_FLAGS_MASK),
2380     AA_SFS_DIR("rlimit",            aa_sfs_entry_rlimit),
2381     AA_SFS_DIR("caps",          aa_sfs_entry_caps),
2382     AA_SFS_DIR("ptrace",            aa_sfs_entry_ptrace),
2383     AA_SFS_DIR("signal",            aa_sfs_entry_signal),
2384     AA_SFS_DIR("query",         aa_sfs_entry_query),
2385     { }
2386 };
2387
2388 static struct aa_sfs_entry aa_sfs_entry_apparmor[] = {
2389     AA_SFS_FILE_FOPS(".access", 0666, &aa_sfs_access),
2390     AA_SFS_FILE_FOPS(".stacked", 0444, &seq_ns_stacked_fops),
2391     AA_SFS_FILE_FOPS(".ns_stacked", 0444, &seq_ns_nsstacked_fops),
2392     AA_SFS_FILE_FOPS(".ns_level", 0444, &seq_ns_level_fops),
2393     AA_SFS_FILE_FOPS(".ns_name", 0444, &seq_ns_name_fops),
2394     AA_SFS_FILE_FOPS("profiles", 0444, &aa_sfs_profiles_fops),
2395     AA_SFS_DIR("features", aa_sfs_entry_features),
2396     { }
2397 };
2398
2399 static struct aa_sfs_entry aa_sfs_entry =
2400     AA_SFS_DIR("apparmor", aa_sfs_entry_apparmor);
2401
2402 /**
2403  * entry_create_file - create a file entry in the apparmor securityfs
2404  * @fs_file: aa_sfs_entry to build an entry for (NOT NULL)
2405  * @parent: the parent dentry in the securityfs
2406  *
2407  * Use entry_remove_file to remove entries created with this fn.
2408  */
2409 static int __init entry_create_file(struct aa_sfs_entry *fs_file,
2410                     struct dentry *parent)
2411 {
2412     int error = 0;
2413
2414     fs_file->dentry = securityfs_create_file(fs_file->name,
2415                          S_IFREG | fs_file->mode,
2416                          parent, fs_file,
2417                          fs_file->file_ops);
2418     if (IS_ERR(fs_file->dentry)) {
2419         error = PTR_ERR(fs_file->dentry);
2420         fs_file->dentry = NULL;
2421     }
2422     return error;
2423 }
2424
2425 static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir);
2426 /**
2427  * entry_create_dir - recursively create a directory entry in the securityfs
2428  * @fs_dir: aa_sfs_entry (and all child entries) to build (NOT NULL)
2429  * @parent: the parent dentry in the securityfs
2430  *
2431  * Use entry_remove_dir to remove entries created with this fn.
2432  */
2433 static int __init entry_create_dir(struct aa_sfs_entry *fs_dir,
2434                    struct dentry *parent)
2435 {
2436     struct aa_sfs_entry *fs_file;
2437     struct dentry *dir;
2438     int error;
2439
2440     dir = securityfs_create_dir(fs_dir->name, parent);
2441     if (IS_ERR(dir))
2442         return PTR_ERR(dir);
2443     fs_dir->dentry = dir;
2444
2445     for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) {
2446         if (fs_file->v_type == AA_SFS_TYPE_DIR)
2447             error = entry_create_dir(fs_file, fs_dir->dentry);
2448         else
2449             error = entry_create_file(fs_file, fs_dir->dentry);
2450         if (error)
2451             goto failed;
2452     }
2453
2454     return 0;
2455
2456 failed:
2457     entry_remove_dir(fs_dir);
2458
2459     return error;
2460 }
2461
2462 /**
2463  * entry_remove_file - drop a single file entry in the apparmor securityfs
2464  * @fs_file: aa_sfs_entry to detach from the securityfs (NOT NULL)
2465  */
2466 static void __init entry_remove_file(struct aa_sfs_entry *fs_file)
2467 {
2468     if (!fs_file->dentry)
2469         return;
2470
2471     securityfs_remove(fs_file->dentry);
2472     fs_file->dentry = NULL;
2473 }
2474
2475 /**
2476  * entry_remove_dir - recursively drop a directory entry from the securityfs
2477  * @fs_dir: aa_sfs_entry (and all child entries) to detach (NOT NULL)
2478  */
2479 static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir)
2480 {
2481     struct aa_sfs_entry *fs_file;
2482
2483     for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) {
2484         if (fs_file->v_type == AA_SFS_TYPE_DIR)
2485             entry_remove_dir(fs_file);
2486         else
2487             entry_remove_file(fs_file);
2488     }
2489
2490     entry_remove_file(fs_dir);
2491 }
2492
2493 /**
2494  * aa_destroy_aafs - cleanup and free aafs
2495  *
2496  * releases dentries allocated by aa_create_aafs
2497  */
2498 void __init aa_destroy_aafs(void)
2499 {
2500     entry_remove_dir(&aa_sfs_entry);
2501 }
2502
2503
2504 #define NULL_FILE_NAME ".null"
2505 struct path aa_null;
2506
2507 static int aa_mk_null_file(struct dentry *parent)
2508 {
2509     struct vfsmount *mount = NULL;
2510     struct dentry *dentry;
2511     struct inode *inode;
2512     int count = 0;
2513     int error = simple_pin_fs(parent->d_sb->s_type, &mount, &count);
2514
2515     if (error)
2516         return error;
2517
2518     inode_lock(d_inode(parent));
2519     dentry = lookup_one_len(NULL_FILE_NAME, parent, strlen(NULL_FILE_NAME));
2520     if (IS_ERR(dentry)) {
2521         error = PTR_ERR(dentry);
2522         goto out;
2523     }
2524     inode = new_inode(parent->d_inode->i_sb);
2525     if (!inode) {
2526         error = -ENOMEM;
2527         goto out1;
2528     }
2529
2530     inode->i_ino = get_next_ino();
2531     inode->i_mode = S_IFCHR | S_IRUGO | S_IWUGO;
2532     inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode);
2533     init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO,
2534                MKDEV(MEM_MAJOR, 3));
2535     d_instantiate(dentry, inode);
2536     aa_null.dentry = dget(dentry);
2537     aa_null.mnt = mntget(mount);
2538
2539     error = 0;
2540
2541 out1:
2542     dput(dentry);
2543 out:
2544     inode_unlock(d_inode(parent));
2545     simple_release_fs(&mount, &count);
2546     return error;
2547 }
2548
2549
2550
2551 static const char *policy_get_link(struct dentry *dentry,
2552                    struct inode *inode,
2553                    struct delayed_call *done)
2554 {
2555     struct aa_ns *ns;
2556     struct path path;
2557     int error;
2558
2559     if (!dentry)
2560         return ERR_PTR(-ECHILD);
2561
2562     ns = aa_get_current_ns();
2563     path.mnt = mntget(aafs_mnt);
2564     path.dentry = dget(ns_dir(ns));
2565     error = nd_jump_link(&path);
2566     aa_put_ns(ns);
2567
2568     return ERR_PTR(error);
2569 }
2570
2571 static int policy_readlink(struct dentry *dentry, char __user *buffer,
2572                int buflen)
2573 {
2574     char name[32];
2575     int res;
2576
2577     res = snprintf(name, sizeof(name), "%s:[%lu]", AAFS_NAME,
2578                d_inode(dentry)->i_ino);
2579     if (res > 0 && res < sizeof(name))
2580         res = readlink_copy(buffer, buflen, name);
2581     else
2582         res = -ENOENT;
2583
2584     return res;
2585 }
2586
2587 static const struct inode_operations policy_link_iops = {
2588     .readlink   = policy_readlink,
2589     .get_link   = policy_get_link,
2590 };
2591
2592
2593 /**
2594  * aa_create_aafs - create the apparmor security filesystem
2595  *
2596  * dentries created here are released by aa_destroy_aafs
2597  *
2598  * Returns: error on failure
2599  */
2600 static int __init aa_create_aafs(void)
2601 {
2602     struct dentry *dent;
2603     int error;
2604
2605     if (!apparmor_initialized)
2606         return 0;
2607
2608     if (aa_sfs_entry.dentry) {
2609         AA_ERROR("%s: AppArmor securityfs already exists\n", __func__);
2610         return -EEXIST;
2611     }
2612
2613     /* setup apparmorfs used to virtualize policy/ */
2614     aafs_mnt = kern_mount(&aafs_ops);
2615     if (IS_ERR(aafs_mnt))
2616         panic("can't set apparmorfs up\n");
2617     aafs_mnt->mnt_sb->s_flags &= ~SB_NOUSER;
2618
2619     /* Populate fs tree. */
2620     error = entry_create_dir(&aa_sfs_entry, NULL);
2621     if (error)
2622         goto error;
2623
2624     dent = securityfs_create_file(".load", 0666, aa_sfs_entry.dentry,
2625                       NULL, &aa_fs_profile_load);
2626     if (IS_ERR(dent))
2627         goto dent_error;
2628     ns_subload(root_ns) = dent;
2629
2630     dent = securityfs_create_file(".replace", 0666, aa_sfs_entry.dentry,
2631                       NULL, &aa_fs_profile_replace);
2632     if (IS_ERR(dent))
2633         goto dent_error;
2634     ns_subreplace(root_ns) = dent;
2635
2636     dent = securityfs_create_file(".remove", 0666, aa_sfs_entry.dentry,
2637                       NULL, &aa_fs_profile_remove);
2638     if (IS_ERR(dent))
2639         goto dent_error;
2640     ns_subremove(root_ns) = dent;
2641
2642     dent = securityfs_create_file("revision", 0444, aa_sfs_entry.dentry,
2643                       NULL, &aa_fs_ns_revision_fops);
2644     if (IS_ERR(dent))
2645         goto dent_error;
2646     ns_subrevision(root_ns) = dent;
2647
2648     /* policy tree referenced by magic policy symlink */
2649     mutex_lock_nested(&root_ns->lock, root_ns->level);
2650     error = __aafs_ns_mkdir(root_ns, aafs_mnt->mnt_root, ".policy",
2651                 aafs_mnt->mnt_root);
2652     mutex_unlock(&root_ns->lock);
2653     if (error)
2654         goto error;
2655
2656     /* magic symlink similar to nsfs redirects based on task policy */
2657     dent = securityfs_create_symlink("policy", aa_sfs_entry.dentry,
2658                      NULL, &policy_link_iops);
2659     if (IS_ERR(dent))
2660         goto dent_error;
2661
2662     error = aa_mk_null_file(aa_sfs_entry.dentry);
2663     if (error)
2664         goto error;
2665
2666     /* TODO: add default profile to apparmorfs */
2667
2668     /* Report that AppArmor fs is enabled */
2669     aa_info_message("AppArmor Filesystem Enabled");
2670     return 0;
2671
2672 dent_error:
2673     error = PTR_ERR(dent);
2674 error:
2675     aa_destroy_aafs();
2676     AA_ERROR("Error creating AppArmor securityfs\n");
2677     return error;
2678 }
2679
2680 fs_initcall(aa_create_aafs);