@@ -18,10 +18,11 @@
#include <linux/cred.h>
#include <linux/slab.h>
#include <linux/sched.h>
+#include <linux/lsm_hooks.h>
#include "policy.h"
-#define cred_cxt(X) (X)->security
+#define cred_cxt(X) apparmor_cred(X)
#define current_cxt() cred_cxt(current_cred())
/* struct aa_file_cxt - the AppArmor context the file was opened in
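Review bot: `cred_cxt(X)` now expands to `apparmor_cred(X)`, but `apparmor_cred()` is a static inline that is only defined in the later hunk of this header (around line 86 of context.h), so any inline function between these two points that expands `cred_cxt()` or `current_cxt()` would call a not-yet-declared function. I cannot see that stretch of the header from the diff; if such a use exists, a prototype next to the macro, `static inline struct aa_task_cxt *apparmor_cred(const struct cred *cred);`, or moving the definition up to this hunk keeps the header self-contained. One side effect worth a sentence in the description: the macro no longer yields an lvalue, so any `cred_cxt(x) = ...` write left behind anywhere in the tree now fails to compile instead of silently storing into the blob, which is a useful safety net for the rest of this series.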
@@ -85,6 +86,10 @@ int aa_set_current_hat(struct aa_profile *profile, u64 token);
int aa_restore_previous_profile(u64 cookie);
struct aa_profile *aa_get_task_profile(struct task_struct *task);
+static inline struct aa_task_cxt *apparmor_cred(const struct cred *cred)
+{
+ return cred->security;
+}
/**
* aa_cred_profile - obtain cred's profiles
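Review bot: `apparmor_cred()` is the new read accessor for the cred security blob but, unlike the neighbouring `aa_cred_profile()`, carries no kernel-doc comment, and the contract matters because `aa_cred_profile()` immediately dereferences the result under `BUG_ON(!cxt || ...)`. I'd add a `/** ... */` block above it naming the purpose (read the AppArmor task context out of @cred's security blob), the `@cred: credentials to read from (NOT NULL)` parameter, and that the return value may be NULL for a cred whose blob has not been populated yet, so callers must not assume it is set. The name is also the only non-`aa_`-prefixed helper in this header while lsm.c uses the `apparmor_` prefix for LSM hook implementations (`apparmor_cred_free`, `apparmor_cred_prepare`); if the name is fixed by the series-wide convention that is fine, otherwise `aa_cred_cxt()` would match its neighbours.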
@@ -96,7 +101,8 @@ struct aa_profile *aa_get_task_profile(struct task_struct *task);
*/
static inline struct aa_profile *aa_cred_profile(const struct cred *cred)
{
- struct aa_task_cxt *cxt = cred_cxt(cred);
+ struct aa_task_cxt *cxt = apparmor_cred(cred);
+
BUG_ON(!cxt || !cxt->profile);
return cxt->profile;
}
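Review bot: `aa_cred_profile()` now calls `apparmor_cred(cred)` directly while lsm.c in this same patch keeps reading through `cred_cxt()` (`aa_free_task_context(cred_cxt(cred))` and `aa_dup_task_context(cxt, cred_cxt(old))`); since the macro now expands to the same inline, the two spellings are equivalent, but settling on one read accessor makes every blob access greppable when the blob layout changes later in the series. A one-line comment on the macro, `/* cred_cxt() is kept for existing callers; new code should call apparmor_cred() */`, would at least record which spelling is preferred.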
@@ -49,7 +49,7 @@ int apparmor_initialized __initdata;
static void apparmor_cred_free(struct cred *cred)
{
aa_free_task_context(cred_cxt(cred));
- cred_cxt(cred) = NULL;
+ cred->security = NULL;
}
/*
@@ -62,7 +62,7 @@ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
if (!cxt)
return -ENOMEM;
- cred_cxt(cred) = cxt;
+ cred->security = cxt;
return 0;
}
@@ -72,13 +72,14 @@ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp)
{
+ struct aa_task_cxt *cxt;
/* freed by apparmor_cred_free */
- struct aa_task_cxt *cxt = aa_alloc_task_context(gfp);
+ cxt = aa_alloc_task_context(gfp);
if (!cxt)
return -ENOMEM;
aa_dup_task_context(cxt, cred_cxt(old));
- cred_cxt(new) = cxt;
+ new->security = cxt;
return 0;
}
@@ -886,7 +887,7 @@ static int __init set_init_cxt(void)
return -ENOMEM;
cxt->profile = aa_get_profile(root_ns->unconfined);
- cred_cxt(cred) = cxt;
+ cred->security = cxt;
return 0;
}
@@ -896,11 +897,13 @@ static int __init apparmor_init(void)
int error;
if (!apparmor_enabled || !security_module_enable("apparmor")) {
- aa_info_message("AppArmor disabled by boot time parameter");
+ aa_info_message(
+ "AppArmor disabled by boot time parameter");
apparmor_enabled = 0;
return 0;
}
+
error = aa_alloc_root_ns();
if (error) {
AA_ERROR("Unable to allocate default profile namespace\n");
Subject: [PATCH 04/25] AppArmor: Abstract the cred security blob Abstract reading the credential security blob. Remove abstraction when writing the credential security blob. There is no change in the behavior of the code. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> --- security/apparmor/include/context.h | 10 ++++++++-- security/apparmor/lsm.c | 15 +++++++++------ 2 files changed, 17 insertions(+), 8 deletions(-)