1
Rename the <active> pointer in struct aa_task_context: there are
2
no other (inactive?) profiles. (And hats really are just profiles
5
Index: b/security/apparmor/apparmor.h
6
===================================================================
7
--- a/security/apparmor/apparmor.h
8
+++ b/security/apparmor/apparmor.h
9
@@ -52,14 +52,14 @@ static inline int mediated_filesystem(st
11
#define APPARMOR_COMPLAIN(_cxt) \
12
(apparmor_complain == 1 || \
13
- ((_cxt) && (_cxt)->active && (_cxt)->active->flags.complain))
14
+ ((_cxt) && (_cxt)->profile && (_cxt)->profile->flags.complain))
16
#define PROFILE_AUDIT(_profile) \
17
(apparmor_audit == 1 || ((_profile) && (_profile)->flags.audit))
19
#define APPARMOR_AUDIT(_cxt) \
20
(apparmor_audit == 1 || \
21
- ((_cxt) && (_cxt)->active && (_cxt)->active->flags.audit))
22
+ ((_cxt) && (_cxt)->profile && (_cxt)->profile->flags.audit))
25
* DEBUG remains global (no per profile flag) since it is mostly used in sysctl
26
@@ -124,17 +124,17 @@ struct aa_profile {
29
* struct aa_task_context - primary label for confined tasks
30
- * @active: the current active profile
31
+ * @profile: the current profile
32
* @hat_magic: the magic token controling the ability to leave a hat
33
* @list: list this aa_task_context is on
34
* @task: task that the aa_task_context confines
35
* @caps_logged: caps that have previously generated log entries
37
- * Contains the tasks current active profile (which could change due to
38
+ * Contains the task's current profile (which could change due to
39
* change_hat). Plus the hat_magic needed during change_hat.
41
struct aa_task_context {
42
- struct aa_profile *active; /* The current active profile */
43
+ struct aa_profile *profile; /* The current profile */
44
u32 hat_magic; /* used with change_hat */
45
struct list_head list;
46
struct task_struct *task;
47
@@ -210,24 +210,24 @@ struct aa_audit {
48
extern int alloc_null_complain_profile(void);
49
extern void free_null_complain_profile(void);
50
extern int attach_nullprofile(struct aa_profile *profile);
51
-extern int aa_audit_message(struct aa_profile *active, gfp_t gfp, int,
52
+extern int aa_audit_message(struct aa_profile *profile, gfp_t gfp, int,
54
-extern int aa_audit_syscallreject(struct aa_profile *active, gfp_t gfp,
55
+extern int aa_audit_syscallreject(struct aa_profile *profile, gfp_t gfp,
57
-extern int aa_audit(struct aa_profile *active, const struct aa_audit *);
58
+extern int aa_audit(struct aa_profile *profile, const struct aa_audit *);
59
extern char *aa_get_name(struct dentry *dentry, struct vfsmount *mnt);
61
-extern int aa_attr(struct aa_profile *active, struct dentry *dentry,
62
+extern int aa_attr(struct aa_profile *profile, struct dentry *dentry,
63
struct vfsmount *mnt, struct iattr *iattr);
64
-extern int aa_perm_xattr(struct aa_profile *active, struct dentry *dentry,
65
+extern int aa_perm_xattr(struct aa_profile *profile, struct dentry *dentry,
66
struct vfsmount *mnt, const char *operation,
67
const char *xattr_xattr, int mask);
68
-extern int aa_capability(struct aa_profile *active, int cap);
69
-extern int aa_perm(struct aa_profile *active, struct dentry *dentry,
70
+extern int aa_capability(struct aa_profile *profile, int cap);
71
+extern int aa_perm(struct aa_profile *profile, struct dentry *dentry,
72
struct vfsmount *mnt, int mask, int leaf);
73
-extern int aa_perm_dir(struct aa_profile *active, struct dentry *dentry,
74
+extern int aa_perm_dir(struct aa_profile *profile, struct dentry *dentry,
75
struct vfsmount *mnt, const char *operation, int mask);
76
-extern int aa_link(struct aa_profile *active,
77
+extern int aa_link(struct aa_profile *profile,
78
struct dentry *link, struct vfsmount *link_mnt,
79
struct dentry *target, struct vfsmount *target_mnt);
80
extern int aa_fork(struct task_struct *p);
81
@@ -258,7 +258,7 @@ extern void free_aa_profile(struct aa_pr
82
extern void free_aa_profile_kref(struct kref *kref);
85
-extern size_t aa_getprocattr(struct aa_profile *active, char *str, size_t size);
86
+extern size_t aa_getprocattr(struct aa_profile *profile, char *str, size_t size);
87
extern int aa_setprocattr_changehat(char *hatinfo, size_t infosize);
88
extern int aa_setprocattr_setprofile(struct task_struct *p, char *profilename,
90
Index: b/security/apparmor/apparmorfs.c
91
===================================================================
92
--- a/security/apparmor/apparmorfs.c
93
+++ b/security/apparmor/apparmorfs.c
94
@@ -151,7 +151,7 @@ static char *aa_simple_write_to_buffer(c
95
size_t alloc_size, size_t copy_size,
96
loff_t *pos, const char *msg)
98
- struct aa_profile *active;
99
+ struct aa_profile *profile;
103
@@ -164,13 +164,13 @@ static char *aa_simple_write_to_buffer(c
104
* No sane person would add rules allowing this to a profile
105
* but we enforce the restriction anyways.
107
- active = aa_get_profile(current);
109
+ profile = aa_get_profile(current);
111
AA_WARN("REJECTING access to profile %s (%s(%d) "
112
"profile %s active %s)\n",
113
msg, current->comm, current->pid,
114
- BASE_PROFILE(active)->name, active->name);
115
- put_aa_profile(active);
116
+ BASE_PROFILE(profile)->name, profile->name);
117
+ put_aa_profile(profile);
119
data = ERR_PTR(-EPERM);
121
Index: b/security/apparmor/inline.h
122
===================================================================
123
--- a/security/apparmor/inline.h
124
+++ b/security/apparmor/inline.h
125
@@ -37,29 +37,29 @@ static inline void put_aa_profile(struct
126
static inline struct aa_profile *aa_get_profile(struct task_struct *task)
128
struct aa_task_context *cxt;
129
- struct aa_profile *active = NULL;
130
+ struct aa_profile *profile = NULL;
133
cxt = aa_task_context(task);
135
- active = (struct aa_profile *)rcu_dereference(cxt->active);
136
- aa_dup_profile(active);
137
+ profile = (struct aa_profile *)rcu_dereference(cxt->profile);
138
+ aa_dup_profile(profile);
147
* aa_switch_to_profile - change aa_task_context to use a new profile
148
- * @cxt: aa_task_context to switch the active profile on
149
- * @newactive: new active profile (NULL for unconfined)
150
+ * @cxt: aa_task_context to switch the profile on
151
+ * @newactive: new profile (NULL for unconfined)
152
* @hat_magic: hat value to switch to (0 for no hat)
154
- * aa_switch_to_profile handles the changing of a aa_task_context's active
155
+ * aa_switch_to_profile handles the changing of a aa_task_context's profile
156
* profile. The cxt_lock must be held to ensure consistency against
157
* other writers. Some write paths (ex. aa_register) require
158
- * cxt->active not to change over several operations, so the calling
159
+ * cxt->profile not to change over several operations, so the calling
160
* function is responsible for grabing the cxt_lock to meet its
161
* consistency constraints before calling aa_switch_to_profile
163
@@ -67,11 +67,11 @@ static inline void aa_switch_to_profile(
164
struct aa_profile *newactive,
167
- struct aa_profile *old = cxt->active;
168
+ struct aa_profile *old = cxt->profile;
170
cxt->caps_logged = CAP_EMPTY_SET;
171
cxt->hat_magic = hat_magic;
172
- rcu_assign_pointer(cxt->active, aa_dup_profile(newactive));
173
+ rcu_assign_pointer(cxt->profile, aa_dup_profile(newactive));
177
@@ -94,7 +94,7 @@ static inline struct aa_task_context *al
180
/* any readers of the list must make sure that they can handle
181
- * case where cxt->active is not yet set (null)
182
+ * case where cxt->profile is not yet set (null)
184
aa_task_context_list_add(cxt);
186
Index: b/security/apparmor/lsm.c
187
===================================================================
188
--- a/security/apparmor/lsm.c
189
+++ b/security/apparmor/lsm.c
190
@@ -87,12 +87,12 @@ __setup("apparmor_logsyscall=", aa_getop
191
static int aa_reject_syscall(struct task_struct *task, gfp_t flags,
194
- struct aa_profile *active = aa_get_profile(task);
195
+ struct aa_profile *profile = aa_get_profile(task);
199
- error = aa_audit_syscallreject(active, flags, name);
200
- put_aa_profile(active);
202
+ error = aa_audit_syscallreject(profile, flags, name);
203
+ put_aa_profile(profile);
207
@@ -141,14 +141,14 @@ static int apparmor_capable(struct task_
208
error = cap_capable(tsk, cap);
211
- struct aa_profile *active;
212
+ struct aa_profile *profile;
214
- active = aa_get_profile(tsk);
215
+ profile = aa_get_profile(tsk);
218
- error = aa_capability(active, cap);
220
+ error = aa_capability(profile, cap);
222
- put_aa_profile(active);
223
+ put_aa_profile(profile);
227
@@ -222,18 +222,18 @@ static int apparmor_umount(struct vfsmou
228
static int apparmor_inode_mkdir(struct inode *dir, struct dentry *dentry,
229
struct vfsmount *mnt, int mask)
231
- struct aa_profile *active;
232
+ struct aa_profile *profile;
235
if (!mnt || !mediated_filesystem(dir))
238
- active = aa_get_profile(current);
239
+ profile = aa_get_profile(current);
242
- error = aa_perm_dir(active, dentry, mnt, "mkdir", MAY_WRITE);
244
+ error = aa_perm_dir(profile, dentry, mnt, "mkdir", MAY_WRITE);
246
- put_aa_profile(active);
247
+ put_aa_profile(profile);
251
@@ -242,18 +242,18 @@ out:
252
static int apparmor_inode_rmdir(struct inode *dir, struct dentry *dentry,
253
struct vfsmount *mnt)
255
- struct aa_profile *active;
256
+ struct aa_profile *profile;
259
if (!mnt || !mediated_filesystem(dir))
262
- active = aa_get_profile(current);
263
+ profile = aa_get_profile(current);
266
- error = aa_perm_dir(active, dentry, mnt, "rmdir", MAY_WRITE);
268
+ error = aa_perm_dir(profile, dentry, mnt, "rmdir", MAY_WRITE);
270
- put_aa_profile(active);
271
+ put_aa_profile(profile);
275
@@ -265,11 +265,11 @@ static int aa_permission(struct inode *i
278
if (mnt && mediated_filesystem(inode)) {
279
- struct aa_profile *active = aa_get_profile(current);
280
+ struct aa_profile *profile = aa_get_profile(current);
283
- error = aa_perm(active, dentry, mnt, mask, leaf);
284
- put_aa_profile(active);
286
+ error = aa_perm(profile, dentry, mnt, mask, leaf);
287
+ put_aa_profile(profile);
291
@@ -286,18 +286,18 @@ static int apparmor_inode_link(struct de
292
struct vfsmount *new_mnt)
295
- struct aa_profile *active;
296
+ struct aa_profile *profile;
298
if (!old_mnt || !new_mnt || !mediated_filesystem(dir))
301
- active = aa_get_profile(current);
302
+ profile = aa_get_profile(current);
305
- error = aa_link(active, new_dentry, new_mnt,
307
+ error = aa_link(profile, new_dentry, new_mnt,
308
old_dentry, old_mnt);
310
- put_aa_profile(active);
311
+ put_aa_profile(profile);
315
@@ -329,25 +329,25 @@ static int apparmor_inode_rename(struct
316
struct dentry *new_dentry,
317
struct vfsmount *new_mnt)
319
- struct aa_profile *active;
320
+ struct aa_profile *profile;
323
if ((!old_mnt && !new_mnt) || !mediated_filesystem(old_dir))
326
- active = aa_get_profile(current);
327
+ profile = aa_get_profile(current);
332
- error = aa_perm(active, old_dentry, old_mnt,
333
+ error = aa_perm(profile, old_dentry, old_mnt,
334
MAY_READ | MAY_WRITE, 1);
336
if (!error && new_mnt)
337
- error = aa_perm(active, new_dentry, new_mnt,
338
+ error = aa_perm(profile, new_dentry, new_mnt,
342
- put_aa_profile(active);
343
+ put_aa_profile(profile);
347
@@ -385,17 +385,17 @@ static int apparmor_inode_setattr(struct
350
if (mediated_filesystem(dentry->d_inode)) {
351
- struct aa_profile *active;
352
+ struct aa_profile *profile;
354
- active = aa_get_profile(current);
355
+ profile = aa_get_profile(current);
357
* Mediate any attempt to change attributes of a file
358
* (chmod, chown, chgrp, etc)
361
- error = aa_attr(active, dentry, mnt, iattr);
363
+ error = aa_attr(profile, dentry, mnt, iattr);
365
- put_aa_profile(active);
366
+ put_aa_profile(profile);
370
@@ -409,12 +409,12 @@ static int aa_xattr_permission(struct de
373
if (mnt && mediated_filesystem(dentry->d_inode)) {
374
- struct aa_profile *active = aa_get_profile(current);
375
+ struct aa_profile *profile = aa_get_profile(current);
378
- error = aa_perm_xattr(active, dentry, mnt, name,
380
+ error = aa_perm_xattr(profile, dentry, mnt, name,
382
- put_aa_profile(active);
383
+ put_aa_profile(profile);
387
@@ -505,7 +505,7 @@ static int apparmor_getprocattr(struct t
391
- struct aa_profile *active;
392
+ struct aa_profile *profile;
395
/* AppArmor only supports the "current" process attribute */
396
@@ -520,9 +520,9 @@ static int apparmor_getprocattr(struct t
400
- active = aa_get_profile(p);
401
- error = aa_getprocattr(active, str, size);
402
- put_aa_profile(active);
403
+ profile = aa_get_profile(p);
404
+ error = aa_getprocattr(profile, str, size);
405
+ put_aa_profile(profile);
409
@@ -572,7 +572,7 @@ static int apparmor_setprocattr(struct t
410
/* SET NEW PROFILE */
411
} else if (size > strlen(cmd_setprofile) &&
412
strncmp(cmd, cmd_setprofile, strlen(cmd_setprofile)) == 0) {
413
- struct aa_profile *active;
414
+ struct aa_profile *profile;
416
/* only an unconfined process with admin capabilities
417
* may change the profile of another task
418
@@ -591,8 +591,8 @@ static int apparmor_setprocattr(struct t
422
- active = aa_get_profile(current);
424
+ profile = aa_get_profile(current);
426
char *profile = cmd + strlen(cmd_setprofile);
427
size_t profilesize = size - strlen(cmd_setprofile);
429
@@ -614,7 +614,7 @@ static int apparmor_setprocattr(struct t
433
- put_aa_profile(active);
434
+ put_aa_profile(profile);
436
/* unknown operation */
437
AA_WARN("%s: Unknown setprocattr command '%.*s' by task %s(%d) "
438
@@ -724,14 +724,14 @@ static int apparmor_exit_removeall_iter(
440
/* spin_lock(&cxt_lock) held here */
443
+ if (cxt->profile) {
444
AA_DEBUG("%s: Dropping profiles %s(%d) "
445
"profile %s(%p) active %s(%p)\n",
447
cxt->task->comm, cxt->task->pid,
448
- BASE_PROFILE(cxt->active)->name,
449
- BASE_PROFILE(cxt->active),
450
- cxt->active->name, cxt->active);
451
+ BASE_PROFILE(cxt->profile)->name,
452
+ BASE_PROFILE(cxt->profile),
453
+ cxt->profile->name, cxt->profile);
454
aa_switch_to_profile(cxt, NULL, 0);
457
@@ -748,7 +748,7 @@ static void __exit apparmor_exit(void)
459
aa_profilelist_release();
461
- /* Remove profiles from active tasks
462
+ /* Remove profiles from profiled tasks
463
* If this is not done, if module is reloaded after being removed,
464
* old profiles (still refcounted in memory) will become 'magically'
466
@@ -758,7 +758,7 @@ static void __exit apparmor_exit(void)
467
aa_task_context_list_iterate(apparmor_exit_removeall_iter, NULL);
468
spin_unlock_irqrestore(&cxt_lock, flags);
470
- /* Free up list of active aa_task_context */
471
+ /* Free up list of profile aa_task_context */
472
aa_task_context_list_release();
474
free_null_complain_profile();
475
Index: b/security/apparmor/main.c
476
===================================================================
477
--- a/security/apparmor/main.c
478
+++ b/security/apparmor/main.c
479
@@ -104,18 +104,18 @@ static inline void aa_permerror2result(i
482
* aa_file_perm - calculate access mode for file
483
- * @active: profile to check against
484
+ * @profile: profile to check against
485
* @name: name of file to calculate mode for
486
* @mask: permission mask requested for file
488
- * Search the aa_entry list in @active.
489
+ * Search the aa_entry list in @profile.
490
* Search looking to verify all permissions passed in mask.
491
* Perform the search by looking at the partitioned list of entries, one
492
* partition per permission bit.
494
* Return %0 on success, else mask of non-allowed permissions
496
-static int aa_file_perm(struct aa_profile *active, const char *name, int mask)
497
+static int aa_file_perm(struct aa_profile *profile, const char *name, int mask)
501
@@ -123,14 +123,14 @@ static int aa_file_perm(struct aa_profil
502
if (mask == MAY_WRITE && aa_taskattr_access(name))
505
- perms = aa_match(active->file_rules, name);
506
+ perms = aa_match(profile->file_rules, name);
508
return mask & ~perms; /* return permissions not satisfied */
512
* aa_link_perm - test permission to link to a file
513
- * @active: profile to check against
514
+ * @profile: profile to check against
515
* @link: name of link being created
516
* @target: name of target to be linked to
518
@@ -138,17 +138,17 @@ static int aa_file_perm(struct aa_profil
519
* permission mode as @target. At least @link must have the link bit enabled.
520
* Return %0 on success, else -EPERM
522
-static int aa_link_perm(struct aa_profile *active,
523
+static int aa_link_perm(struct aa_profile *profile,
524
const char *link, const char *target)
526
int l_mode, t_mode, ret = -EPERM;
528
- l_mode = aa_file_mode(active, link);
529
+ l_mode = aa_file_mode(profile, link);
530
if (l_mode & AA_MAY_LINK) {
531
/* mask off link bit */
532
l_mode &= ~AA_MAY_LINK;
534
- t_mode = aa_file_mode(active, target);
535
+ t_mode = aa_file_mode(profile, target);
536
t_mode &= ~AA_MAY_LINK;
538
if (l_mode == t_mode)
539
@@ -158,7 +158,7 @@ static int aa_link_perm(struct aa_profil
543
-static int _aa_perm_vfsmount(struct aa_profile *active, struct dentry *dentry,
544
+static int _aa_perm_vfsmount(struct aa_profile *profile, struct dentry *dentry,
545
struct vfsmount *mnt, struct aa_audit *sa, int mask)
547
int permerror, error;
548
@@ -169,12 +169,12 @@ static int _aa_perm_vfsmount(struct aa_p
549
permerror = PTR_ERR(sa->name);
552
- permerror = aa_file_perm(active, sa->name, mask);
553
+ permerror = aa_file_perm(profile, sa->name, mask);
556
aa_permerror2result(permerror, sa);
558
- error = aa_audit(active, sa);
559
+ error = aa_audit(profile, sa);
561
aa_put_name(sa->name);
563
@@ -264,12 +264,12 @@ void free_null_complain_profile(void)
566
* aa_audit_message - Log a message to the audit subsystem
567
- * @active: profile to check against
568
+ * @profile: profile to check against
569
* @gfp: allocation flags
570
* @flags: audit flags
573
-int aa_audit_message(struct aa_profile *active, gfp_t gfp, int flags,
574
+int aa_audit_message(struct aa_profile *profile, gfp_t gfp, int flags,
575
const char *fmt, ...)
578
@@ -283,7 +283,7 @@ int aa_audit_message(struct aa_profile *
580
sa.result = 0; /* fake failure: force message to be logged */
582
- ret = aa_audit(active, &sa);
583
+ ret = aa_audit(profile, &sa);
587
@@ -292,11 +292,11 @@ int aa_audit_message(struct aa_profile *
590
* aa_audit_syscallreject - Log a syscall rejection to the audit subsystem
591
- * @active: profile to check against
592
+ * @profile: profile to check against
593
* @msg: string describing syscall being rejected
594
* @gfp: memory allocation flags
596
-int aa_audit_syscallreject(struct aa_profile *active, gfp_t gfp,
597
+int aa_audit_syscallreject(struct aa_profile *profile, gfp_t gfp,
601
@@ -308,15 +308,15 @@ int aa_audit_syscallreject(struct aa_pro
603
sa.result = 0; /* failure */
605
- return aa_audit(active, &sa);
606
+ return aa_audit(profile, &sa);
610
* aa_audit - Log an audit event to the audit subsystem
611
- * @active: profile to check against
612
+ * @profile: profile to check against
615
-int aa_audit(struct aa_profile *active, const struct aa_audit *sa)
616
+int aa_audit(struct aa_profile *profile, const struct aa_audit *sa)
618
struct audit_buffer *ab = NULL;
619
struct audit_context *ctx;
620
@@ -340,7 +340,7 @@ int aa_audit(struct aa_profile *active,
623
if (likely(sa->result)) {
624
- if (likely(!PROFILE_AUDIT(active))) {
625
+ if (likely(!PROFILE_AUDIT(profile))) {
629
@@ -362,12 +362,12 @@ int aa_audit(struct aa_profile *active,
631
logcls = "REJECTING";
633
- complain = PROFILE_COMPLAIN(active);
634
+ complain = PROFILE_COMPLAIN(profile);
635
logcls = complain ? "PERMITTING" : "REJECTING";
638
/* In future extend w/ per-profile flags
639
- * (flags |= sa->active->flags)
640
+ * (flags |= sa->profile->flags)
643
if (apparmor_logsyscall)
644
@@ -467,7 +467,7 @@ int aa_audit(struct aa_profile *active,
646
audit_log_format(ab, "(%s(%d) profile %s active %s)",
647
current->comm, current->pid,
648
- BASE_PROFILE(active)->name, active->name);
649
+ BASE_PROFILE(profile)->name, profile->name);
653
@@ -527,11 +527,11 @@ out:
656
* aa_attr - check whether attribute change allowed
657
- * @active: profile to check against
658
+ * @profile: profile to check against
659
* @dentry: file to check
660
* @iattr: attribute changes requested
662
-int aa_attr(struct aa_profile *active, struct dentry *dentry,
663
+int aa_attr(struct aa_profile *profile, struct dentry *dentry,
664
struct vfsmount *mnt, struct iattr *iattr)
667
@@ -542,21 +542,21 @@ int aa_attr(struct aa_profile *active, s
669
sa.gfp_mask = GFP_KERNEL;
671
- error = _aa_perm_vfsmount(active, dentry, mnt, &sa, MAY_WRITE);
672
+ error = _aa_perm_vfsmount(profile, dentry, mnt, &sa, MAY_WRITE);
678
* aa_perm_xattr - check whether xattr attribute change allowed
679
- * @active: profile to check against
680
+ * @profile: profile to check against
681
* @dentry: file to check
682
* @mnt: mount of file to check
683
* @operation: xattr operation being done
684
* @xattr_name: name of xattr to check
685
* @mask: access mode requested
687
-int aa_perm_xattr(struct aa_profile *active, struct dentry *dentry,
688
+int aa_perm_xattr(struct aa_profile *profile, struct dentry *dentry,
689
struct vfsmount *mnt, const char *operation,
690
const char *xattr_name, int mask)
692
@@ -569,23 +569,23 @@ int aa_perm_xattr(struct aa_profile *act
694
sa.gfp_mask = GFP_KERNEL;
696
- error = _aa_perm_vfsmount(active, dentry, mnt, &sa, mask);
697
+ error = _aa_perm_vfsmount(profile, dentry, mnt, &sa, mask);
703
* aa_perm - basic apparmor permissions check
704
- * @active: profile to check against
705
+ * @profile: profile to check against
708
* @mask: access mode requested
709
* @leaf: are we checking a leaf node?
711
- * Determine if access (mask) for dentry is authorized by active
712
+ * Determine if access (mask) for dentry is authorized by profile
713
* profile. Result, %0 (success), -ve (error)
715
-int aa_perm(struct aa_profile *active, struct dentry *dentry,
716
+int aa_perm(struct aa_profile *profile, struct dentry *dentry,
717
struct vfsmount *mnt, int mask, int leaf)
719
struct inode *inode = dentry->d_inode;
720
@@ -610,7 +610,7 @@ int aa_perm(struct aa_profile *active, s
723
sa.gfp_mask = GFP_KERNEL;
724
- error = _aa_perm_vfsmount(active, dentry, mnt, &sa, mask);
725
+ error = _aa_perm_vfsmount(profile, dentry, mnt, &sa, mask);
729
@@ -618,17 +618,17 @@ out:
733
- * @active: profile to check against
734
+ * @profile: profile to check against
735
* @dentry: requested dentry
736
* @mnt: mount of file to check
737
* @operation: directory operation being performed
738
* @mask: access mode requested
740
* Determine if directory operation (make/remove) for dentry is authorized
741
- * by @active profile.
743
* Result, %0 (success), -ve (error)
745
-int aa_perm_dir(struct aa_profile *active, struct dentry *dentry,
746
+int aa_perm_dir(struct aa_profile *profile, struct dentry *dentry,
747
struct vfsmount *mnt, const char *operation, int mask)
750
@@ -638,26 +638,26 @@ int aa_perm_dir(struct aa_profile *activ
752
sa.gfp_mask = GFP_KERNEL;
754
- return _aa_perm_vfsmount(active, dentry, mnt, &sa, mask);
755
+ return _aa_perm_vfsmount(profile, dentry, mnt, &sa, mask);
759
* aa_capability - test permission to use capability
760
- * @active: profile to check against
761
+ * @profile: profile to check against
762
* @cap: capability to be tested
764
- * Look up capability in active profile capability set.
765
+ * Look up capability in profile capability set.
766
* Return %0 (success), -%EPERM (error)
768
-int aa_capability(struct aa_profile *active, int cap)
769
+int aa_capability(struct aa_profile *profile, int cap)
771
- int error = cap_raised(active->capabilities, cap) ? 0 : -EPERM;
772
+ int error = cap_raised(profile->capabilities, cap) ? 0 : -EPERM;
774
struct aa_task_context *cxt = aa_task_context(current);
776
/* test if cap has alread been logged */
777
if (cap_raised(cxt->caps_logged, cap)) {
778
- if (PROFILE_COMPLAIN(active))
779
+ if (PROFILE_COMPLAIN(profile))
783
@@ -671,19 +671,19 @@ int aa_capability(struct aa_profile *act
785
sa.gfp_mask = GFP_ATOMIC;
787
- error = aa_audit(active, &sa);
788
+ error = aa_audit(profile, &sa);
794
* aa_link - hard link check
795
- * @active: profile to check against
796
+ * @profile: profile to check against
797
* @link: dentry for link being created
798
* @target: dentry for link target
799
* @mnt: vfsmount (-EXDEV is link and target are not on same vfsmount)
801
-int aa_link(struct aa_profile *active,
802
+int aa_link(struct aa_profile *profile,
803
struct dentry *link, struct vfsmount *link_mnt,
804
struct dentry *target, struct vfsmount *target_mnt)
806
@@ -703,7 +703,7 @@ int aa_link(struct aa_profile *active,
809
if (sa.name && sa.pval)
810
- permerror = aa_link_perm(active, sa.name, sa.pval);
811
+ permerror = aa_link_perm(profile, sa.name, sa.pval);
813
aa_permerror2result(permerror, &sa);
815
@@ -711,7 +711,7 @@ int aa_link(struct aa_profile *active,
817
sa.gfp_mask = GFP_KERNEL;
819
- error = aa_audit(active, &sa);
820
+ error = aa_audit(profile, &sa);
822
aa_put_name(sa.name);
823
aa_put_name(sa.pval);
824
@@ -744,13 +744,13 @@ int aa_fork(struct task_struct *p)
826
AA_DEBUG("%s\n", __FUNCTION__);
828
- if (cxt && cxt->active) {
829
+ if (cxt && cxt->profile) {
832
newcxt = alloc_aa_task_context(p);
834
/* FIXME: The alloc above is a blocking operation, so
835
- * cxt->active may have vanished by now.
836
+ * cxt->profile may have vanished by now.
837
* We really need to do the full stale checking
840
@@ -766,12 +766,12 @@ int aa_fork(struct task_struct *p)
841
* he new task would end up with an obsolete profile.
843
spin_lock_irqsave(&cxt_lock, flags);
844
- aa_switch_to_profile(newcxt, cxt->active, cxt->hat_magic);
845
+ aa_switch_to_profile(newcxt, cxt->profile, cxt->hat_magic);
846
spin_unlock_irqrestore(&cxt_lock, flags);
848
if (APPARMOR_COMPLAIN(cxt) &&
849
- cxt->active == null_complain_profile)
850
- LOG_HINT(cxt->active, GFP_KERNEL, HINT_FORK,
851
+ cxt->profile == null_complain_profile)
852
+ LOG_HINT(cxt->profile, GFP_KERNEL, HINT_FORK,
854
current->pid, p->pid);
856
@@ -790,7 +790,7 @@ int aa_register(struct linux_binprm *bpr
859
struct file *filp = bprm->file;
860
- struct aa_profile *active;
861
+ struct aa_profile *profile;
862
struct aa_profile *newprofile = NULL, unconstrained_flag;
865
@@ -809,20 +809,20 @@ int aa_register(struct linux_binprm *bpr
869
- active = aa_get_profile(current);
870
+ profile = aa_get_profile(current);
874
/* Unconfined task, load profile if it exists */
879
- complain = PROFILE_COMPLAIN(active);
880
+ complain = PROFILE_COMPLAIN(profile);
882
/* Confined task, determine what mode inherit, unconstrained or
883
* mandatory to load new profile
885
- exec_mode = AA_EXEC_MASK(aa_match(active->file_rules, filename));
886
+ exec_mode = AA_EXEC_MASK(aa_match(profile->file_rules, filename));
887
unsafe_exec = exec_mode & AA_EXEC_UNSAFE;
890
@@ -865,7 +865,7 @@ int aa_register(struct linux_binprm *bpr
893
current->comm, current->pid,
894
- BASE_PROFILE(active)->name, active->name);
895
+ BASE_PROFILE(profile)->name, profile->name);
899
@@ -877,7 +877,7 @@ int aa_register(struct linux_binprm *bpr
902
current->comm, current->pid,
903
- BASE_PROFILE(active)->name, active->name);
904
+ BASE_PROFILE(profile)->name, profile->name);
908
@@ -896,7 +896,7 @@ int aa_register(struct linux_binprm *bpr
911
current->comm, current->pid,
912
- BASE_PROFILE(active)->name, active->name);
913
+ BASE_PROFILE(profile)->name, profile->name);
917
@@ -914,11 +914,11 @@ find_profile:
918
/* Profile (mandatory) could not be found */
921
- LOG_HINT(active, GFP_KERNEL, HINT_MANDPROF,
922
+ LOG_HINT(profile, GFP_KERNEL, HINT_MANDPROF,
923
"image=%s pid=%d profile=%s active=%s\n",
926
- BASE_PROFILE(active)->name, active->name);
927
+ BASE_PROFILE(profile)->name, profile->name);
929
newprofile = aa_dup_profile(null_complain_profile);
931
@@ -927,7 +927,7 @@ find_profile:
932
"(%s(%d) profile %s active %s)\n",
934
current->comm, current->pid,
935
- BASE_PROFILE(active)->name, active->name);
936
+ BASE_PROFILE(profile)->name, profile->name);
940
@@ -937,7 +937,7 @@ find_profile:
947
AA_DEBUG("%s: No profile found for exec image %s\n",
949
@@ -963,11 +963,11 @@ apply_profile:
950
* case we have to lazily allocate one. Note we may be raced
951
* to this allocation by a setprofile.
953
- * - If we are a confined process, active is a refcounted copy
954
+ * - If we are a confined process, profile is a refcounted copy
955
* of the profile that was on the aa_task_context at entry.
956
* This allows us to not have to hold a lock around
957
* all this code. If profile replacement has taken place
958
- * our active may not equal cxt->active any more.
959
+ * our profile may not equal cxt->profile any more.
960
* This is okay since the operation is treated as if
961
* the transition occured before replacement.
963
@@ -977,7 +977,7 @@ apply_profile:
964
* having to hold a lock around all this code.
967
- if (!active && !(cxt = aa_task_context(current))) {
968
+ if (!profile && !(cxt = aa_task_context(current))) {
969
lazy_cxt = alloc_aa_task_context(current);
971
AA_ERROR("%s: Failed to allocate aa_task_context\n",
972
@@ -1033,7 +1033,7 @@ apply_profile:
973
* Cases 2 and 3 are marked as requiring secure exec
974
* (unless policy specified "unsafe exec")
976
- if (cxt && cxt->active && !unsafe_exec) {
977
+ if (cxt && cxt->profile && !unsafe_exec) {
978
unsigned long bprm_flags;
980
bprm_flags = AA_SECURE_EXEC_NEEDED;
981
@@ -1055,7 +1055,7 @@ apply_profile:
983
aa_put_name(filename);
985
- put_aa_profile(active);
986
+ put_aa_profile(profile);
990
@@ -1105,7 +1105,7 @@ static inline int do_change_hat(const ch
991
struct aa_profile *sub;
994
- sub = __aa_find_profile(hat_name, &BASE_PROFILE(cxt->active)->sub);
995
+ sub = __aa_find_profile(hat_name, &BASE_PROFILE(cxt->profile)->sub);
999
@@ -1121,13 +1121,13 @@ static inline int do_change_hat(const ch
1000
* out to the parent profile (assuming magic != 0)
1002
if (APPARMOR_COMPLAIN(cxt)) {
1003
- LOG_HINT(cxt->active, GFP_ATOMIC, HINT_UNKNOWN_HAT,
1004
+ LOG_HINT(cxt->profile, GFP_ATOMIC, HINT_UNKNOWN_HAT,
1006
"profile=%s active=%s\n",
1009
- BASE_PROFILE(cxt->active)->name,
1010
- cxt->active->name);
1011
+ BASE_PROFILE(cxt->profile)->name,
1012
+ cxt->profile->name);
1014
AA_DEBUG("%s: Unknown hatname '%s'. "
1015
"Changing to NULL profile "
1016
@@ -1135,11 +1135,11 @@ static inline int do_change_hat(const ch
1019
current->comm, current->pid,
1020
- BASE_PROFILE(cxt->active)->name,
1021
- cxt->active->name);
1022
+ BASE_PROFILE(cxt->profile)->name,
1023
+ cxt->profile->name);
1026
- aa_switch_to_profile(cxt, cxt->active->null_profile, hat_magic);
1027
+ aa_switch_to_profile(cxt, cxt->profile->null_profile, hat_magic);
1031
@@ -1174,14 +1174,14 @@ int aa_change_hat(const char *hat_name,
1034
/* check to see if an unconfined process is doing a changehat. */
1035
- if (!cxt || !cxt->active) {
1036
+ if (!cxt || !cxt->profile) {
1041
/* check to see if the confined process has any hats. */
1042
- if (list_empty(&BASE_PROFILE(cxt->active)->sub) &&
1043
- !PROFILE_COMPLAIN(cxt->active)) {
1044
+ if (list_empty(&BASE_PROFILE(cxt->profile)->sub) &&
1045
+ !PROFILE_COMPLAIN(cxt->profile)) {
1049
@@ -1189,7 +1189,7 @@ int aa_change_hat(const char *hat_name,
1050
/* Check whether current domain is parent
1051
* or one of the sibling children
1053
- if (!IN_SUBPROFILE(cxt->active)) {
1054
+ if (!IN_SUBPROFILE(cxt->profile)) {
1058
@@ -1227,7 +1227,7 @@ int aa_change_hat(const char *hat_name,
1059
* Got here via changehat(NULL, magic)
1060
* Return from subprofile, back to parent
1062
- aa_switch_to_profile(cxt, cxt->active->parent,
1063
+ aa_switch_to_profile(cxt, cxt->profile->parent,
1067
@@ -1244,8 +1244,8 @@ int aa_change_hat(const char *hat_name,
1068
current->comm, current->pid,
1070
hat_name ? hat_name : "NULL",
1071
- BASE_PROFILE(cxt->active)->name,
1072
- cxt->active->name);
1073
+ BASE_PROFILE(cxt->profile)->name,
1074
+ cxt->profile->name);
1076
/* terminate current process */
1077
(void)send_sig_info(SIGKILL, NULL, current);
1078
@@ -1254,8 +1254,8 @@ int aa_change_hat(const char *hat_name,
1079
"Task was confined to current subprofile "
1080
"(profile %s active %s)\n",
1081
current->comm, current->pid,
1082
- BASE_PROFILE(cxt->active)->name,
1083
- cxt->active->name);
1084
+ BASE_PROFILE(cxt->profile)->name,
1085
+ cxt->profile->name);
1087
/* terminate current process */
1088
(void)send_sig_info(SIGKILL, NULL, current);
1089
Index: b/security/apparmor/module_interface.c
1090
===================================================================
1091
--- a/security/apparmor/module_interface.c
1092
+++ b/security/apparmor/module_interface.c
1093
@@ -41,7 +41,7 @@ static void free_aa_profile_rcu(struct r
1094
* task_remove - remove profile from a task's aa_task_context
1095
* @cxt: task's aa_task_context
1097
- * remove the active profile from a task's aa_task_context, switching the task
1098
+ * remove the profile from a task's aa_task_context, switching the task
1099
* to an unconfined state.
1101
static inline void task_remove(struct aa_task_context *cxt)
1102
@@ -51,8 +51,8 @@ static inline void task_remove(struct aa
1106
- BASE_PROFILE(cxt->active)->name,
1107
- cxt->active->name);
1108
+ BASE_PROFILE(cxt->profile)->name,
1109
+ cxt->profile->name);
1111
aa_switch_to_profile(cxt, NULL, 0);
1113
@@ -61,7 +61,7 @@ static inline void task_remove(struct aa
1114
* @cxt: aa_task_context to consider for profile removal
1115
* @cookie: pointer to the oldprofile which is being removed
1117
- * If the aa_task_context's active profile matches old_profile, then call
1118
+ * If the aa_task_context's profile matches old_profile, then call
1119
* task_remove() to remove the profile leaving the task (aa_task_context) unconfined.
1121
static int taskremove_iter(struct aa_task_context *cxt, void *cookie)
1122
@@ -71,7 +71,7 @@ static int taskremove_iter(struct aa_tas
1124
spin_lock_irqsave(&cxt_lock, flags);
1126
- if (cxt->active && BASE_PROFILE(cxt->active) == old_profile) {
1127
+ if (cxt->profile && BASE_PROFILE(cxt->profile) == old_profile) {
1131
@@ -84,7 +84,7 @@ static int taskremove_iter(struct aa_tas
1132
* @cxt: aa_task_context to replace the profile on
1135
- * Replace a task's (aa_task_context's) active profile with a new profile. If
1136
+ * Replace a task's (aa_task_context's) profile with a new profile. If
1137
* task was in a hat then the new profile will also be in the equivalent
1138
* hat in the new profile if it exists. If it doesn't exist the
1139
* task will be placed in the special null_profile state.
1140
@@ -93,21 +93,21 @@ static inline void task_replace(struct a
1141
struct aa_profile *new)
1143
AA_DEBUG("%s: replacing profile for task %s(%d) "
1144
- "profile=%s (%p) active=%s (%p)\n",
1145
+ "profile=%s (%p) hat=%s (%p)\n",
1147
cxt->task->comm, cxt->task->pid,
1148
- BASE_PROFILE(cxt->active)->name, BASE_PROFILE(cxt->active),
1149
- cxt->active->name, cxt->active);
1150
+ BASE_PROFILE(cxt->profile)->name, BASE_PROFILE(cxt->profile),
1151
+ cxt->profile->name, cxt->profile);
1154
+ if (!cxt->profile)
1157
- if (IN_SUBPROFILE(cxt->active)) {
1158
+ if (IN_SUBPROFILE(cxt->profile)) {
1159
struct aa_profile *nactive;
1161
/* The old profile was in a hat, check to see if the new
1162
* profile has an equivalent hat */
1163
- nactive = __aa_find_profile(cxt->active->name, &new->sub);
1164
+ nactive = __aa_find_profile(cxt->profile->name, &new->sub);
1167
nactive = aa_dup_profile(new->null_profile);
1168
@@ -122,8 +122,8 @@ static inline void task_replace(struct a
1169
* @cxt: aa_task_context to consider for profile replacement
1170
* @cookie: pointer to the old profile which is being replaced.
1172
- * If the aa_task_context's active profile matches old_profile call
1173
- * task_replace() to replace with the aa_task_context's active profile with
1174
+ * If the aa_task_context's profile matches old_profile call
1175
+ * task_replace() to replace with the aa_task_context's profile with
1178
static int taskreplace_iter(struct aa_task_context *cxt, void *cookie)
1179
@@ -133,7 +133,7 @@ static int taskreplace_iter(struct aa_ta
1181
spin_lock_irqsave(&cxt_lock, flags);
1183
- if (cxt->active && BASE_PROFILE(cxt->active) == data->old_profile)
1184
+ if (cxt->profile && BASE_PROFILE(cxt->profile) == data->old_profile)
1185
task_replace(cxt, data->new_profile);
1187
spin_unlock_irqrestore(&cxt_lock, flags);
1188
Index: b/security/apparmor/procattr.c
1189
===================================================================
1190
--- a/security/apparmor/procattr.c
1191
+++ b/security/apparmor/procattr.c
1193
#include "apparmor.h"
1196
-size_t aa_getprocattr(struct aa_profile *active, char *str, size_t size)
1197
+size_t aa_getprocattr(struct aa_profile *profile, char *str, size_t size)
1199
int error = -EACCES; /* default to a perm denied */
1204
size_t lena, lenm, lenp = 0;
1205
const char *enforce_str = " (enforce)";
1206
const char *complain_str = " (complain)";
1207
const char *mode_str =
1208
- PROFILE_COMPLAIN(active) ? complain_str : enforce_str;
1209
+ PROFILE_COMPLAIN(profile) ? complain_str : enforce_str;
1211
lenm = strlen(mode_str);
1213
- lena = strlen(active->name);
1214
+ lena = strlen(profile->name);
1217
- if (IN_SUBPROFILE(active)) {
1218
- lenp = strlen(BASE_PROFILE(active)->name);
1219
+ if (IN_SUBPROFILE(profile)) {
1220
+ lenp = strlen(BASE_PROFILE(profile)->name);
1221
len += (lenp + 1); /* +1 for ^ */
1223
/* DONT null terminate strings we output via proc */
1224
@@ -40,13 +40,13 @@ size_t aa_getprocattr(struct aa_profile
1228
- memcpy(str, BASE_PROFILE(active)->name,
1229
+ memcpy(str, BASE_PROFILE(profile)->name,
1235
- memcpy(str, active->name, lena);
1236
+ memcpy(str, profile->name, lena);
1238
memcpy(str, mode_str, lenm);
1240
@@ -227,13 +227,13 @@ int aa_setprocattr_setprofile(struct tas
1242
/* switch to unconstrained */
1244
- if (cxt && cxt->active) {
1245
+ if (cxt && cxt->profile) {
1246
AA_WARN("%s: Unconstraining task %s(%d) "
1247
"profile %s active %s\n",
1250
- BASE_PROFILE(cxt->active)->name,
1251
- cxt->active->name);
1252
+ BASE_PROFILE(cxt->profile)->name,
1253
+ cxt->profile->name);
1255
aa_switch_to_profile(cxt, NULL, 0);
1257
@@ -303,9 +303,9 @@ int aa_setprocattr_setprofile(struct tas
1258
"profile %s active %s to new profile %s\n",
1261
- cxt->active ? BASE_PROFILE(cxt->active)->name :
1262
+ cxt->profile ? BASE_PROFILE(cxt->profile)->name :
1264
- cxt->active ? cxt->active->name : "unconstrained",
1265
+ cxt->profile ? cxt->profile->name : "unconstrained",
1268
aa_switch_to_profile(cxt, profile, 0);