mirror of
https://github.com/torvalds/linux.git
synced 2024-11-27 06:31:52 +00:00
+ Cleanups
- apparmor: fix spelling mistake: "resoure" -> "resource" - apparmor: remove unused redundant variable stop - apparmor: Fix bool initialization/comparison + Bug Fixes - apparmor: initialized returned struct aa_perms - apparmor: fix leak of null profile name if profile allocation fails - apparmor: ensure that undecidable profile attachments fail - apparmor: fix profile attachment for special unconfined profiles - apparmor: fix locking when creating a new complain profile. - apparmor: fix possible recursive lock warning in __aa_create_ns -----BEGIN PGP SIGNATURE----- iQIcBAABCgAGBQJaFFMGAAoJEAUvNnAY1cPY+sEQAK3H5kU+WDzEaMyzCSYEF4p2 ivlgzEDOvhf+R1nLTEYg2AThUpE0oD2rg78w2T7h19OyTH/mINofOIukDkz+lyRX 4AXRqLUUf6MXds3yY/m0HCcpE9cRQQEsKT4XDXf1PpsRHKmle+cZbbmKmyCrmAB3 gRaYGghuIbMlux8nzDZH3osLfdeyKMKgUPCeOvtzO17iZD1RrTjtvfI66Q1KSifu 3QxTMt7nDYl/i4Owq5NoSF9rVrgDvs9oruuAb25frlCncdBC/dw2thCr/c362LWg 8f44iquo6benlm7z3BNHU0yAxUYPjYb8RcD3pEwIQqqRgxyuk5kSuh9FKGdo778z r8T49/4EQAtfthtmwMmlCG/vrCrGFNITXnIfALJ7mVb+u3MhOyWC/385KrYj/LaS YfCHqlxPxOTVVN2vvxMiwVNU2GpTNa/wfpkgTXVErY4OwotepHY65W/YPxaHpjgO aFbKUJ9bO6c1Im83fyEpt1RPHWvfWSbtxEZpG3d9FqfAexYUJrF7DQW2SfcEFYr6 VzMSrpk3/vESZFUmGzFqrhEku8bu8CeEhB5aU3Tvavx64AMOR59niXzkZspM8P9j x/IuizHClrYR3TQAyp7Dtl9J2s25GbUkZMNlx0d6X9ILgzHATusrlO+1D+hWy3pm 9HN3wpEXC1BwLYUcp60M =xeyB -----END PGP SIGNATURE----- Merge tag 'apparmor-pr-2017-11-21' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor Pull apparmor updates from John Johansen: "No features this time, just minor cleanups and bug fixes. Cleanups: - fix spelling mistake: "resoure" -> "resource" - remove unused redundant variable stop - Fix bool initialization/comparison Bug Fixes: - initialized returned struct aa_perms - fix leak of null profile name if profile allocation fails - ensure that undecidable profile attachments fail - fix profile attachment for special unconfined profiles - fix locking when creating a new complain profile. - fix possible recursive lock warning in __aa_create_ns" * tag 'apparmor-pr-2017-11-21' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: apparmor: fix possible recursive lock warning in __aa_create_ns apparmor: fix locking when creating a new complain profile. apparmor: fix profile attachment for special unconfined profiles apparmor: ensure that undecidable profile attachments fail apparmor: fix leak of null profile name if profile allocation fails apparmor: remove unused redundant variable stop apparmor: Fix bool initialization/comparison apparmor: initialized returned struct aa_perms apparmor: fix spelling mistake: "resoure" -> "resource"
This commit is contained in:
commit
26064dea2d
@ -533,7 +533,7 @@ static ssize_t ns_revision_read(struct file *file, char __user *buf,
|
||||
long last_read;
|
||||
int avail;
|
||||
|
||||
mutex_lock(&rev->ns->lock);
|
||||
mutex_lock_nested(&rev->ns->lock, rev->ns->level);
|
||||
last_read = rev->last_read;
|
||||
if (last_read == rev->ns->revision) {
|
||||
mutex_unlock(&rev->ns->lock);
|
||||
@ -543,7 +543,7 @@ static ssize_t ns_revision_read(struct file *file, char __user *buf,
|
||||
last_read !=
|
||||
READ_ONCE(rev->ns->revision)))
|
||||
return -ERESTARTSYS;
|
||||
mutex_lock(&rev->ns->lock);
|
||||
mutex_lock_nested(&rev->ns->lock, rev->ns->level);
|
||||
}
|
||||
|
||||
avail = sprintf(buffer, "%ld\n", rev->ns->revision);
|
||||
@ -577,7 +577,7 @@ static unsigned int ns_revision_poll(struct file *file, poll_table *pt)
|
||||
unsigned int mask = 0;
|
||||
|
||||
if (rev) {
|
||||
mutex_lock(&rev->ns->lock);
|
||||
mutex_lock_nested(&rev->ns->lock, rev->ns->level);
|
||||
poll_wait(file, &rev->ns->wait, pt);
|
||||
if (rev->last_read < rev->ns->revision)
|
||||
mask |= POLLIN | POLLRDNORM;
|
||||
@ -1643,7 +1643,7 @@ static int ns_mkdir_op(struct inode *dir, struct dentry *dentry, umode_t mode)
|
||||
*/
|
||||
inode_unlock(dir);
|
||||
error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count);
|
||||
mutex_lock(&parent->lock);
|
||||
mutex_lock_nested(&parent->lock, parent->level);
|
||||
inode_lock_nested(dir, I_MUTEX_PARENT);
|
||||
if (error)
|
||||
goto out;
|
||||
@ -1692,7 +1692,7 @@ static int ns_rmdir_op(struct inode *dir, struct dentry *dentry)
|
||||
inode_unlock(dir);
|
||||
inode_unlock(dentry->d_inode);
|
||||
|
||||
mutex_lock(&parent->lock);
|
||||
mutex_lock_nested(&parent->lock, parent->level);
|
||||
ns = aa_get_ns(__aa_findn_ns(&parent->sub_ns, dentry->d_name.name,
|
||||
dentry->d_name.len));
|
||||
if (!ns) {
|
||||
@ -1747,7 +1747,7 @@ void __aafs_ns_rmdir(struct aa_ns *ns)
|
||||
__aafs_profile_rmdir(child);
|
||||
|
||||
list_for_each_entry(sub, &ns->sub_ns, base.list) {
|
||||
mutex_lock(&sub->lock);
|
||||
mutex_lock_nested(&sub->lock, sub->level);
|
||||
__aafs_ns_rmdir(sub);
|
||||
mutex_unlock(&sub->lock);
|
||||
}
|
||||
@ -1877,7 +1877,7 @@ int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name,
|
||||
|
||||
/* subnamespaces */
|
||||
list_for_each_entry(sub, &ns->sub_ns, base.list) {
|
||||
mutex_lock(&sub->lock);
|
||||
mutex_lock_nested(&sub->lock, sub->level);
|
||||
error = __aafs_ns_mkdir(sub, ns_subns_dir(ns), NULL, NULL);
|
||||
mutex_unlock(&sub->lock);
|
||||
if (error)
|
||||
@ -1921,7 +1921,7 @@ static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns)
|
||||
/* is next namespace a child */
|
||||
if (!list_empty(&ns->sub_ns)) {
|
||||
next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
|
||||
mutex_lock(&next->lock);
|
||||
mutex_lock_nested(&next->lock, next->level);
|
||||
return next;
|
||||
}
|
||||
|
||||
@ -1931,7 +1931,7 @@ static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns)
|
||||
mutex_unlock(&ns->lock);
|
||||
next = list_next_entry(ns, base.list);
|
||||
if (!list_entry_is_head(next, &parent->sub_ns, base.list)) {
|
||||
mutex_lock(&next->lock);
|
||||
mutex_lock_nested(&next->lock, next->level);
|
||||
return next;
|
||||
}
|
||||
ns = parent;
|
||||
@ -2039,7 +2039,7 @@ static void *p_start(struct seq_file *f, loff_t *pos)
|
||||
f->private = root;
|
||||
|
||||
/* find the first profile */
|
||||
mutex_lock(&root->lock);
|
||||
mutex_lock_nested(&root->lock, root->level);
|
||||
profile = __first_profile(root, root);
|
||||
|
||||
/* skip to position */
|
||||
@ -2491,7 +2491,7 @@ static int __init aa_create_aafs(void)
|
||||
ns_subrevision(root_ns) = dent;
|
||||
|
||||
/* policy tree referenced by magic policy symlink */
|
||||
mutex_lock(&root_ns->lock);
|
||||
mutex_lock_nested(&root_ns->lock, root_ns->level);
|
||||
error = __aafs_ns_mkdir(root_ns, aafs_mnt->mnt_root, ".policy",
|
||||
aafs_mnt->mnt_root);
|
||||
mutex_unlock(&root_ns->lock);
|
||||
|
@ -305,6 +305,7 @@ static int change_profile_perms(struct aa_profile *profile,
|
||||
* __attach_match_ - find an attachment match
|
||||
* @name - to match against (NOT NULL)
|
||||
* @head - profile list to walk (NOT NULL)
|
||||
* @info - info message if there was an error (NOT NULL)
|
||||
*
|
||||
* Do a linear search on the profiles in the list. There is a matching
|
||||
* preference where an exact match is preferred over a name which uses
|
||||
@ -316,28 +317,46 @@ static int change_profile_perms(struct aa_profile *profile,
|
||||
* Returns: profile or NULL if no match found
|
||||
*/
|
||||
static struct aa_profile *__attach_match(const char *name,
|
||||
struct list_head *head)
|
||||
struct list_head *head,
|
||||
const char **info)
|
||||
{
|
||||
int len = 0;
|
||||
bool conflict = false;
|
||||
struct aa_profile *profile, *candidate = NULL;
|
||||
|
||||
list_for_each_entry_rcu(profile, head, base.list) {
|
||||
if (profile->label.flags & FLAG_NULL)
|
||||
if (profile->label.flags & FLAG_NULL &&
|
||||
&profile->label == ns_unconfined(profile->ns))
|
||||
continue;
|
||||
if (profile->xmatch && profile->xmatch_len > len) {
|
||||
unsigned int state = aa_dfa_match(profile->xmatch,
|
||||
DFA_START, name);
|
||||
u32 perm = dfa_user_allow(profile->xmatch, state);
|
||||
/* any accepting state means a valid match. */
|
||||
if (perm & MAY_EXEC) {
|
||||
candidate = profile;
|
||||
len = profile->xmatch_len;
|
||||
|
||||
if (profile->xmatch) {
|
||||
if (profile->xmatch_len == len) {
|
||||
conflict = true;
|
||||
continue;
|
||||
} else if (profile->xmatch_len > len) {
|
||||
unsigned int state;
|
||||
u32 perm;
|
||||
|
||||
state = aa_dfa_match(profile->xmatch,
|
||||
DFA_START, name);
|
||||
perm = dfa_user_allow(profile->xmatch, state);
|
||||
/* any accepting state means a valid match. */
|
||||
if (perm & MAY_EXEC) {
|
||||
candidate = profile;
|
||||
len = profile->xmatch_len;
|
||||
conflict = false;
|
||||
}
|
||||
}
|
||||
} else if (!strcmp(profile->base.name, name))
|
||||
/* exact non-re match, no more searching required */
|
||||
return profile;
|
||||
}
|
||||
|
||||
if (conflict) {
|
||||
*info = "conflicting profile attachments";
|
||||
return NULL;
|
||||
}
|
||||
|
||||
return candidate;
|
||||
}
|
||||
|
||||
@ -346,16 +365,17 @@ static struct aa_profile *__attach_match(const char *name,
|
||||
* @ns: the current namespace (NOT NULL)
|
||||
* @list: list to search (NOT NULL)
|
||||
* @name: the executable name to match against (NOT NULL)
|
||||
* @info: info message if there was an error
|
||||
*
|
||||
* Returns: label or NULL if no match found
|
||||
*/
|
||||
static struct aa_label *find_attach(struct aa_ns *ns, struct list_head *list,
|
||||
const char *name)
|
||||
const char *name, const char **info)
|
||||
{
|
||||
struct aa_profile *profile;
|
||||
|
||||
rcu_read_lock();
|
||||
profile = aa_get_profile(__attach_match(name, list));
|
||||
profile = aa_get_profile(__attach_match(name, list, info));
|
||||
rcu_read_unlock();
|
||||
|
||||
return profile ? &profile->label : NULL;
|
||||
@ -448,11 +468,11 @@ static struct aa_label *x_to_label(struct aa_profile *profile,
|
||||
if (xindex & AA_X_CHILD)
|
||||
/* released by caller */
|
||||
new = find_attach(ns, &profile->base.profiles,
|
||||
name);
|
||||
name, info);
|
||||
else
|
||||
/* released by caller */
|
||||
new = find_attach(ns, &ns->base.profiles,
|
||||
name);
|
||||
name, info);
|
||||
*lookupname = name;
|
||||
break;
|
||||
}
|
||||
@ -516,7 +536,7 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
|
||||
|
||||
if (profile_unconfined(profile)) {
|
||||
new = find_attach(profile->ns, &profile->ns->base.profiles,
|
||||
name);
|
||||
name, &info);
|
||||
if (new) {
|
||||
AA_DEBUG("unconfined attached to new label");
|
||||
return new;
|
||||
@ -541,9 +561,21 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
|
||||
}
|
||||
} else if (COMPLAIN_MODE(profile)) {
|
||||
/* no exec permission - learning mode */
|
||||
struct aa_profile *new_profile = aa_new_null_profile(profile,
|
||||
false, name,
|
||||
GFP_ATOMIC);
|
||||
struct aa_profile *new_profile = NULL;
|
||||
char *n = kstrdup(name, GFP_ATOMIC);
|
||||
|
||||
if (n) {
|
||||
/* name is ptr into buffer */
|
||||
long pos = name - buffer;
|
||||
/* break per cpu buffer hold */
|
||||
put_buffers(buffer);
|
||||
new_profile = aa_new_null_profile(profile, false, n,
|
||||
GFP_KERNEL);
|
||||
get_buffers(buffer);
|
||||
name = buffer + pos;
|
||||
strcpy((char *)name, n);
|
||||
kfree(n);
|
||||
}
|
||||
if (!new_profile) {
|
||||
error = -ENOMEM;
|
||||
info = "could not create null profile";
|
||||
|
@ -226,18 +226,12 @@ static u32 map_old_perms(u32 old)
|
||||
struct aa_perms aa_compute_fperms(struct aa_dfa *dfa, unsigned int state,
|
||||
struct path_cond *cond)
|
||||
{
|
||||
struct aa_perms perms;
|
||||
|
||||
/* FIXME: change over to new dfa format
|
||||
* currently file perms are encoded in the dfa, new format
|
||||
* splits the permissions from the dfa. This mapping can be
|
||||
* done at profile load
|
||||
*/
|
||||
perms.deny = 0;
|
||||
perms.kill = perms.stop = 0;
|
||||
perms.complain = perms.cond = 0;
|
||||
perms.hide = 0;
|
||||
perms.prompt = 0;
|
||||
struct aa_perms perms = { };
|
||||
|
||||
if (uid_eq(current_fsuid(), cond->uid)) {
|
||||
perms.allow = map_old_perms(dfa_user_allow(dfa, state));
|
||||
|
@ -2115,7 +2115,7 @@ void __aa_labelset_update_subtree(struct aa_ns *ns)
|
||||
__labelset_update(ns);
|
||||
|
||||
list_for_each_entry(child, &ns->sub_ns, base.list) {
|
||||
mutex_lock(&child->lock);
|
||||
mutex_lock_nested(&child->lock, child->level);
|
||||
__aa_labelset_update_subtree(child);
|
||||
mutex_unlock(&child->lock);
|
||||
}
|
||||
|
@ -317,14 +317,11 @@ static u32 map_other(u32 x)
|
||||
void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
|
||||
struct aa_perms *perms)
|
||||
{
|
||||
perms->deny = 0;
|
||||
perms->kill = perms->stop = 0;
|
||||
perms->complain = perms->cond = 0;
|
||||
perms->hide = 0;
|
||||
perms->prompt = 0;
|
||||
perms->allow = dfa_user_allow(dfa, state);
|
||||
perms->audit = dfa_user_audit(dfa, state);
|
||||
perms->quiet = dfa_user_quiet(dfa, state);
|
||||
*perms = (struct aa_perms) {
|
||||
.allow = dfa_user_allow(dfa, state),
|
||||
.audit = dfa_user_audit(dfa, state),
|
||||
.quiet = dfa_user_quiet(dfa, state),
|
||||
};
|
||||
|
||||
/* for v5 perm mapping in the policydb, the other set is used
|
||||
* to extend the general perm set
|
||||
@ -426,7 +423,6 @@ int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms,
|
||||
void (*cb)(struct audit_buffer *, void *))
|
||||
{
|
||||
int type, error;
|
||||
bool stop = false;
|
||||
u32 denied = request & (~perms->allow | perms->deny);
|
||||
|
||||
if (likely(!denied)) {
|
||||
@ -447,8 +443,6 @@ int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms,
|
||||
else
|
||||
type = AUDIT_APPARMOR_DENIED;
|
||||
|
||||
if (denied & perms->stop)
|
||||
stop = true;
|
||||
if (denied == (denied & perms->hide))
|
||||
error = -ENOENT;
|
||||
|
||||
|
@ -846,7 +846,7 @@ module_param_call(audit, param_set_audit, param_get_audit,
|
||||
/* Determines if audit header is included in audited messages. This
|
||||
* provides more context if the audit daemon is not running
|
||||
*/
|
||||
bool aa_g_audit_header = 1;
|
||||
bool aa_g_audit_header = true;
|
||||
module_param_named(audit_header, aa_g_audit_header, aabool,
|
||||
S_IRUSR | S_IWUSR);
|
||||
|
||||
@ -871,7 +871,7 @@ module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
|
||||
* DEPRECATED: read only as strict checking of load is always done now
|
||||
* that none root users (user namespaces) can load policy.
|
||||
*/
|
||||
bool aa_g_paranoid_load = 1;
|
||||
bool aa_g_paranoid_load = true;
|
||||
module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
|
||||
|
||||
/* Boot time disable flag */
|
||||
@ -1119,7 +1119,7 @@ static int __init apparmor_init(void)
|
||||
|
||||
if (!apparmor_enabled || !security_module_enable("apparmor")) {
|
||||
aa_info_message("AppArmor disabled by boot time parameter");
|
||||
apparmor_enabled = 0;
|
||||
apparmor_enabled = false;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -1175,7 +1175,7 @@ alloc_out:
|
||||
aa_destroy_aafs();
|
||||
aa_teardown_dfa_engine();
|
||||
|
||||
apparmor_enabled = 0;
|
||||
apparmor_enabled = false;
|
||||
return error;
|
||||
}
|
||||
|
||||
|
@ -216,13 +216,12 @@ static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state,
|
||||
static struct aa_perms compute_mnt_perms(struct aa_dfa *dfa,
|
||||
unsigned int state)
|
||||
{
|
||||
struct aa_perms perms;
|
||||
|
||||
perms.kill = 0;
|
||||
perms.allow = dfa_user_allow(dfa, state);
|
||||
perms.audit = dfa_user_audit(dfa, state);
|
||||
perms.quiet = dfa_user_quiet(dfa, state);
|
||||
perms.xindex = dfa_user_xindex(dfa, state);
|
||||
struct aa_perms perms = {
|
||||
.allow = dfa_user_allow(dfa, state),
|
||||
.audit = dfa_user_audit(dfa, state),
|
||||
.quiet = dfa_user_quiet(dfa, state),
|
||||
.xindex = dfa_user_xindex(dfa, state),
|
||||
};
|
||||
|
||||
return perms;
|
||||
}
|
||||
|
@ -502,7 +502,7 @@ struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
|
||||
{
|
||||
struct aa_profile *p, *profile;
|
||||
const char *bname;
|
||||
char *name;
|
||||
char *name = NULL;
|
||||
|
||||
AA_BUG(!parent);
|
||||
|
||||
@ -545,7 +545,7 @@ name:
|
||||
profile->file.dfa = aa_get_dfa(nulldfa);
|
||||
profile->policy.dfa = aa_get_dfa(nulldfa);
|
||||
|
||||
mutex_lock(&profile->ns->lock);
|
||||
mutex_lock_nested(&profile->ns->lock, profile->ns->level);
|
||||
p = __find_child(&parent->base.profiles, bname);
|
||||
if (p) {
|
||||
aa_free_profile(profile);
|
||||
@ -562,6 +562,7 @@ out:
|
||||
return profile;
|
||||
|
||||
fail:
|
||||
kfree(name);
|
||||
aa_free_profile(profile);
|
||||
return NULL;
|
||||
}
|
||||
@ -905,7 +906,7 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label,
|
||||
} else
|
||||
ns = aa_get_ns(policy_ns ? policy_ns : labels_ns(label));
|
||||
|
||||
mutex_lock(&ns->lock);
|
||||
mutex_lock_nested(&ns->lock, ns->level);
|
||||
/* check for duplicate rawdata blobs: space and file dedup */
|
||||
list_for_each_entry(rawdata_ent, &ns->rawdata_list, list) {
|
||||
if (aa_rawdata_eq(rawdata_ent, udata)) {
|
||||
@ -1116,13 +1117,13 @@ ssize_t aa_remove_profiles(struct aa_ns *policy_ns, struct aa_label *subj,
|
||||
|
||||
if (!name) {
|
||||
/* remove namespace - can only happen if fqname[0] == ':' */
|
||||
mutex_lock(&ns->parent->lock);
|
||||
mutex_lock_nested(&ns->parent->lock, ns->level);
|
||||
__aa_remove_ns(ns);
|
||||
__aa_bump_ns_revision(ns);
|
||||
mutex_unlock(&ns->parent->lock);
|
||||
} else {
|
||||
/* remove profile */
|
||||
mutex_lock(&ns->lock);
|
||||
mutex_lock_nested(&ns->lock, ns->level);
|
||||
profile = aa_get_profile(__lookup_profile(&ns->base, name));
|
||||
if (!profile) {
|
||||
error = -ENOENT;
|
||||
|
@ -256,7 +256,8 @@ static struct aa_ns *__aa_create_ns(struct aa_ns *parent, const char *name,
|
||||
ns = alloc_ns(parent->base.hname, name);
|
||||
if (!ns)
|
||||
return NULL;
|
||||
mutex_lock(&ns->lock);
|
||||
ns->level = parent->level + 1;
|
||||
mutex_lock_nested(&ns->lock, ns->level);
|
||||
error = __aafs_ns_mkdir(ns, ns_subns_dir(parent), name, dir);
|
||||
if (error) {
|
||||
AA_ERROR("Failed to create interface for ns %s\n",
|
||||
@ -266,7 +267,6 @@ static struct aa_ns *__aa_create_ns(struct aa_ns *parent, const char *name,
|
||||
return ERR_PTR(error);
|
||||
}
|
||||
ns->parent = aa_get_ns(parent);
|
||||
ns->level = parent->level + 1;
|
||||
list_add_rcu(&ns->base.list, &parent->sub_ns);
|
||||
/* add list ref */
|
||||
aa_get_ns(ns);
|
||||
@ -313,7 +313,7 @@ struct aa_ns *aa_prepare_ns(struct aa_ns *parent, const char *name)
|
||||
{
|
||||
struct aa_ns *ns;
|
||||
|
||||
mutex_lock(&parent->lock);
|
||||
mutex_lock_nested(&parent->lock, parent->level);
|
||||
/* try and find the specified ns and if it doesn't exist create it */
|
||||
/* released by caller */
|
||||
ns = aa_get_ns(__aa_find_ns(&parent->sub_ns, name));
|
||||
@ -336,7 +336,7 @@ static void destroy_ns(struct aa_ns *ns)
|
||||
if (!ns)
|
||||
return;
|
||||
|
||||
mutex_lock(&ns->lock);
|
||||
mutex_lock_nested(&ns->lock, ns->level);
|
||||
/* release all profiles in this namespace */
|
||||
__aa_profile_list_release(&ns->base.profiles);
|
||||
|
||||
|
@ -157,7 +157,7 @@ static void do_loaddata_free(struct work_struct *work)
|
||||
struct aa_ns *ns = aa_get_ns(d->ns);
|
||||
|
||||
if (ns) {
|
||||
mutex_lock(&ns->lock);
|
||||
mutex_lock_nested(&ns->lock, ns->level);
|
||||
__aa_fs_remove_rawdata(d);
|
||||
mutex_unlock(&ns->lock);
|
||||
aa_put_ns(ns);
|
||||
|
@ -47,7 +47,7 @@ static void audit_cb(struct audit_buffer *ab, void *va)
|
||||
/**
|
||||
* audit_resource - audit setting resource limit
|
||||
* @profile: profile being enforced (NOT NULL)
|
||||
* @resoure: rlimit being auditing
|
||||
* @resource: rlimit being auditing
|
||||
* @value: value being set
|
||||
* @error: error value
|
||||
*
|
||||
@ -128,7 +128,7 @@ int aa_task_setrlimit(struct aa_label *label, struct task_struct *task,
|
||||
error = fn_for_each(label, profile,
|
||||
audit_resource(profile, resource,
|
||||
new_rlim->rlim_max, peer,
|
||||
"cap_sys_resoure", -EACCES));
|
||||
"cap_sys_resource", -EACCES));
|
||||
else
|
||||
error = fn_for_each_confined(label, profile,
|
||||
profile_setrlimit(profile, resource, new_rlim));
|
||||
|
Loading…
Reference in New Issue
Block a user