Lines Matching refs:profile
16 * task is confined by. Every task in the system has a profile attached
20 * Each profile exists in a profile namespace which is a container of
21 * visible profiles. Each namespace contains a special "unconfined" profile,
24 * Namespace and profile names can be written together in either
26 * :namespace:profile - used by kernel interfaces for easy detection
27 * namespace://profile - used by policy
31 * Reserved profile names
32 * unconfined - special automatically generated unconfined profile
33 * inherit - special name to indicate profile inheritance
40 * a // in a profile or namespace name indicates a hierarchical name with the
48 * The profile hierarchy severs two distinct purposes,
50 * subprograms under its own profile with different restriction than it
51 * self, and not have it use the system profile.
57 * but is allowed. NOTE: this is currently suboptimal because profile
58 * aliasing is not currently implemented so that a profile for each
63 * A profile or namespace name that can contain one or more // separators
67 * An fqname is a name that may contain both namespace and profile hnames.
71 * - locking of profile lists is currently fairly coarse. All profile
73 * FIXME: move profile lists to using rcu_lists
92 /* root profile namespace */
104 * @name: hname to find the base profile name component of (NOT NULL)
106 * Returns: the tail (base profile name) name component of an hname
313 * free_namespace - free a profile namespace
317 * namespace was referenced by a profile confining a task,
348 * aa_find_namespace - look up a profile namespace on the namespace list
383 /* if name isn't specified the profile is loaded to the current ns */
417 * __list_add_profile - add a profile to a list
419 * @profile: the profile to add (NOT NULL)
421 * refcount @profile, should be put by __list_remove_profile
426 struct aa_profile *profile)
428 list_add_rcu(&profile->base.list, list);
430 aa_get_profile(profile);
434 * __list_remove_profile - remove a profile from the list it is on
435 * @profile: the profile to remove (NOT NULL)
437 * remove a profile from the list, warning generally removal should
438 * be done with __replace_profile as most profile removals are
439 * replacements to the unconfined profile.
441 * put @profile list refcount
445 static void __list_remove_profile(struct aa_profile *profile)
447 list_del_rcu(&profile->base.list);
448 aa_put_profile(profile);
454 * __remove_profile - remove old profile, and children
455 * @profile: profile to be replaced (NOT NULL)
459 static void __remove_profile(struct aa_profile *profile)
462 __profile_list_release(&profile->base.profiles);
464 __aa_update_replacedby(profile, profile->ns->unconfined);
465 __aa_fs_profile_rmdir(profile);
466 __list_remove_profile(profile);
477 struct aa_profile *profile, *tmp;
478 list_for_each_entry_safe(profile, tmp, head, base.list)
479 __remove_profile(profile);
521 * __ns_list_release - remove all profile namespaces on the list put refs
522 * @head: list of profile namespaces (NOT NULL)
535 * aa_alloc_root_ns - allocate the root profile namespace
551 * aa_free_root_ns - free the root profile namespace
566 /* r->profile will not be updated any more as r is dead */
567 aa_put_profile(rcu_dereference_protected(r->profile, true));
581 * aa_free_profile - free a profile
582 * @profile: the profile to free (MAYBE NULL)
584 * Free a profile, its hats and null_profile. All references to the profile,
587 * If the profile was referenced from a task context, free_profile() will
590 void aa_free_profile(struct aa_profile *profile)
592 AA_DEBUG("%s(%p)\n", __func__, profile);
594 if (!profile)
598 policy_destroy(&profile->base);
599 aa_put_profile(rcu_access_pointer(profile->parent));
601 aa_put_namespace(profile->ns);
602 kzfree(profile->rename);
604 aa_free_file_rules(&profile->file);
605 aa_free_cap_rules(&profile->caps);
606 aa_free_rlimit_rules(&profile->rlimits);
608 kzfree(profile->dirname);
609 aa_put_dfa(profile->xmatch);
610 aa_put_dfa(profile->policy.dfa);
611 aa_put_replacedby(profile->replacedby);
613 kzfree(profile->hash);
614 kzfree(profile);
619 * @head: rcu_head callback for freeing of a profile (NOT NULL)
632 * @kr: kref callback for freeing of a profile (NOT NULL)
641 * aa_alloc_profile - allocate, initialize and return a new profile
642 * @hname: name of the profile (NOT NULL)
644 * Returns: refcount profile or NULL on failure
648 struct aa_profile *profile;
651 profile = kzalloc(sizeof(*profile), GFP_KERNEL);
652 if (!profile)
655 profile->replacedby = kzalloc(sizeof(struct aa_replacedby), GFP_KERNEL);
656 if (!profile->replacedby)
658 kref_init(&profile->replacedby->count);
660 if (!policy_init(&profile->base, NULL, hname))
662 kref_init(&profile->count);
665 return profile;
668 kzfree(profile->replacedby);
669 kzfree(profile);
675 * aa_new_null_profile - create a new null-X learning profile
676 * @parent: profile that caused this profile to be created (NOT NULL)
677 * @hat: true if the null- learning profile is a hat
679 * Create a null- complain mode profile used in learning mode. The name of
680 * the profile is unique and follows the format of parent//null-<uniq>.
682 * null profiles are added to the profile list but the list does not
686 * Returns: new refcounted profile else NULL on failure
690 struct aa_profile *profile = NULL;
700 profile = aa_alloc_profile(name);
702 if (!profile)
705 profile->mode = APPARMOR_COMPLAIN;
706 profile->flags = PFLAG_NULL;
708 profile->flags |= PFLAG_HAT;
711 rcu_assign_pointer(profile->parent, aa_get_profile(parent));
712 profile->ns = aa_get_namespace(parent->ns);
714 mutex_lock(&profile->ns->lock);
715 __list_add_profile(&parent->base.profiles, profile);
716 mutex_unlock(&profile->ns->lock);
719 return profile;
725 /* TODO: profile accounting - setup in remove */
728 * __find_child - find a profile on @head list with a name matching @name
730 * @name: name of profile (NOT NULL)
734 * Returns: unrefcounted profile ptr, or NULL if not found
742 * __strn_find_child - find a profile on @head list using substring of @name
744 * @name: name of profile (NOT NULL)
749 * Returns: unrefcounted profile ptr, or NULL if not found
758 * aa_find_child - find a profile by @name in @parent
759 * @parent: profile to search (NOT NULL)
760 * @name: profile name to search for (NOT NULL)
762 * Returns: a refcounted profile or NULL if not found
766 struct aa_profile *profile;
769 profile = aa_get_profile(__find_child(&parent->base.profiles, name));
773 return profile;
777 * __lookup_parent - lookup the parent of a profile of name @hname
778 * @ns: namespace to lookup profile in (NOT NULL)
779 * @hname: hierarchical profile name to find parent of (NOT NULL)
781 * Lookups up the parent of a fully qualified profile name, the profile
783 * is used to load a new profile.
793 struct aa_profile *profile = NULL;
799 profile = __strn_find_child(&policy->profiles, hname,
801 if (!profile)
803 policy = &profile->base;
807 if (!profile)
809 return &profile->base;
813 * __lookup_profile - lookup the profile matching @hname
814 * @base: base list to start looking up profile name from (NOT NULL)
815 * @hname: hierarchical profile name (NOT NULL)
819 * Returns: unrefcounted profile pointer or NULL if not found
821 * Do a relative name lookup, recursing through profile tree.
826 struct aa_profile *profile = NULL;
830 profile = __strn_find_child(&base->profiles, hname,
832 if (!profile)
835 base = &profile->base;
840 profile = __find_child(&base->profiles, hname);
842 return profile;
846 * aa_lookup_profile - find a profile by its full or partial name
850 * Returns: refcounted profile or NULL if not found
854 struct aa_profile *profile;
858 profile = __lookup_profile(&ns->base, hname);
859 } while (profile && !aa_get_profile_not0(profile));
862 /* the unconfined profile is not in the regular profile list */
863 if (!profile && strcmp(hname, "unconfined") == 0)
864 profile = aa_get_newest_profile(ns->unconfined);
867 return profile;
872 * @profile: profile to test if it can be replaced (MAYBE NULL)
878 static int replacement_allowed(struct aa_profile *profile, int noreplace,
881 if (profile) {
882 if (profile->flags & PFLAG_IMMUTABLE) {
883 *info = "cannot replace immutible profile";
886 *info = "profile already exists";
897 * @name: name of profile being manipulated (NOT NULL)
942 struct aa_profile *profile)
944 const char *base = hname_tail(profile->base.hname);
945 long len = base - profile->base.hname;
954 if (ent->new == profile)
956 if (strncmp(ent->new->base.hname, profile->base.hname, len) ==
966 * @old: profile to be replaced (NOT NULL)
967 * @new: profile to replace @old with (NOT NULL)
1015 } else if (!rcu_access_pointer(new->replacedby->profile))
1017 rcu_assign_pointer(new->replacedby->profile,
1031 * __lookup_replace - lookup replacement information for a profile
1033 * @hname - name of profile to lookup
1034 * @noreplace - true if not replacing an existing profile
1035 * @p - Returns: profile to be replaced
1038 * Returns: profile to replace (no ref) on success else ptr error
1048 *info = "profile can not be replaced";
1057 * aa_replace_profiles - replace profile(s) on the profile list
1062 * unpack and replace a profile on the profile list and uses of that profile
1063 * by any aa_task_cxt. If the profile does not exist on the profile list
1129 /* released on profile replacement or free_profile */
1173 rcu_assign_pointer(r->profile,
1179 rcu_assign_pointer(ent->new->replacedby->profile,
1195 rcu_assign_pointer(ent->new->replacedby->profile,
1200 rcu_assign_pointer(ent->new->replacedby->profile,
1229 * aa_remove_profiles - remove profile(s) from the system
1230 * @fqname: name of the profile or namespace to remove (NOT NULL)
1233 * Remove a profile or sub namespace from the current namespace, so that
1243 struct aa_profile *profile = NULL;
1248 info = "no profile specified";
1275 /* remove profile */
1277 profile = aa_get_profile(__lookup_profile(&ns->base, name));
1278 if (!profile) {
1280 info = "profile does not exist";
1283 name = profile->base.hname;
1284 __remove_profile(profile);
1291 aa_put_profile(profile);