apparmor: refcount the pdb

With the move to permission tables the dfa is no longer a stand
alone entity when used, needing a minimum of a permission table.
However it still could be shared among different pdbs each using
a different permission table.

Instead of duping the permission table when sharing a pdb, add a
refcount to the pdb so it can be easily shared.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

1 files changed, 30 insertions, 30 deletions

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index d95292a23bcf..87dfa0e40398 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -77,7 +77,7 @@ out:
 /**** TODO: dedup to aa_label_match - needs perm and dfa, merging
  * specifically this is an exact copy of aa_label_match except
  * aa_compute_perms is replaced with aa_compute_fperms
- * and policy.dfa with file.dfa
+ * and policy->dfa with file->dfa
  ****/
 /* match a profile and its associated ns component if needed
  * Assumes visibility test has already been done.
@@ -93,16 +93,16 @@ static inline aa_state_t match_component(struct aa_profile *profile,
 	const char *ns_name;
 
 	if (stack)
-		state = aa_dfa_match(rules->file.dfa, state, "&");
+		state = aa_dfa_match(rules->file->dfa, state, "&");
 	if (profile->ns == tp->ns)
-		return aa_dfa_match(rules->file.dfa, state, tp->base.hname);
+		return aa_dfa_match(rules->file->dfa, state, tp->base.hname);
 
 	/* try matching with namespace name and then profile */
 	ns_name = aa_ns_name(profile->ns, tp->ns, true);
-	state = aa_dfa_match_len(rules->file.dfa, state, ":", 1);
-	state = aa_dfa_match(rules->file.dfa, state, ns_name);
-	state = aa_dfa_match_len(rules->file.dfa, state, ":", 1);
-	return aa_dfa_match(rules->file.dfa, state, tp->base.hname);
+	state = aa_dfa_match_len(rules->file->dfa, state, ":", 1);
+	state = aa_dfa_match(rules->file->dfa, state, ns_name);
+	state = aa_dfa_match_len(rules->file->dfa, state, ":", 1);
+	return aa_dfa_match(rules->file->dfa, state, tp->base.hname);
 }
 
 /**
@@ -150,12 +150,12 @@ next:
 	label_for_each_cont(i, label, tp) {
 		if (!aa_ns_visible(profile->ns, tp->ns, subns))
 			continue;
-		state = aa_dfa_match(rules->file.dfa, state, "//&");
+		state = aa_dfa_match(rules->file->dfa, state, "//&");
 		state = match_component(profile, tp, false, state);
 		if (!state)
 			goto fail;
 	}
-	*perms = *(aa_lookup_fperms(&(rules->file), state, &cond));
+	*perms = *(aa_lookup_fperms(rules->file, state, &cond));
 	aa_apply_modes_to_perms(profile, perms);
 	if ((perms->allow & request) != request)
 		return -EACCES;
@@ -210,7 +210,7 @@ static int label_components_match(struct aa_profile *profile,
 	return 0;
 
 next:
-	tmp = *(aa_lookup_fperms(&(rules->file), state, &cond));
+	tmp = *(aa_lookup_fperms(rules->file, state, &cond));
 	aa_apply_modes_to_perms(profile, &tmp);
 	aa_perms_accum(perms, &tmp);
 	label_for_each_cont(i, label, tp) {
@@ -219,7 +219,7 @@ next:
 		state = match_component(profile, tp, stack, start);
 		if (!state)
 			goto fail;
-		tmp = *(aa_lookup_fperms(&(rules->file), state, &cond));
+		tmp = *(aa_lookup_fperms(rules->file, state, &cond));
 		aa_apply_modes_to_perms(profile, &tmp);
 		aa_perms_accum(perms, &tmp);
 	}
@@ -317,7 +317,7 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
 	might_sleep();
 
 	/* transition from exec match to xattr set */
-	state = aa_dfa_outofband_transition(attach->xmatch.dfa, state);
+	state = aa_dfa_outofband_transition(attach->xmatch->dfa, state);
 	d = bprm->file->f_path.dentry;
 
 	for (i = 0; i < attach->xattr_count; i++) {
@@ -331,20 +331,20 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
 			 * that not present xattr can be distinguished from a 0
 			 * length value or rule that matches any value
 			 */
-			state = aa_dfa_null_transition(attach->xmatch.dfa,
+			state = aa_dfa_null_transition(attach->xmatch->dfa,
 						       state);
 			/* Check xattr value */
-			state = aa_dfa_match_len(attach->xmatch.dfa, state,
+			state = aa_dfa_match_len(attach->xmatch->dfa, state,
 						 value, size);
-			index = ACCEPT_TABLE(attach->xmatch.dfa)[state];
-			perm = attach->xmatch.perms[index].allow;
+			index = ACCEPT_TABLE(attach->xmatch->dfa)[state];
+			perm = attach->xmatch->perms[index].allow;
 			if (!(perm & MAY_EXEC)) {
 				ret = -EINVAL;
 				goto out;
 			}
 		}
 		/* transition to next element */
-		state = aa_dfa_outofband_transition(attach->xmatch.dfa, state);
+		state = aa_dfa_outofband_transition(attach->xmatch->dfa, state);
 		if (size < 0) {
 			/*
 			 * No xattr match, so verify if transition to
@@ -413,16 +413,16 @@ restart:
 		 * as another profile, signal a conflict and refuse to
 		 * match.
 		 */
-		if (attach->xmatch.dfa) {
+		if (attach->xmatch->dfa) {
 			unsigned int count;
 			aa_state_t state;
 			u32 index, perm;
 
-			state = aa_dfa_leftmatch(attach->xmatch.dfa,
-					attach->xmatch.start[AA_CLASS_XMATCH],
+			state = aa_dfa_leftmatch(attach->xmatch->dfa,
+					attach->xmatch->start[AA_CLASS_XMATCH],
 					name, &count);
-			index = ACCEPT_TABLE(attach->xmatch.dfa)[state];
-			perm = attach->xmatch.perms[index].allow;
+			index = ACCEPT_TABLE(attach->xmatch->dfa)[state];
+			perm = attach->xmatch->perms[index].allow;
 			/* any accepting state means a valid match. */
 			if (perm & MAY_EXEC) {
 				int ret = 0;
@@ -525,7 +525,7 @@ struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex,
 	/* TODO: move lookup parsing to unpack time so this is a straight
 	 *       index into the resultant label
 	 */
-	for (*name = rules->file.trans.table[index]; !label && *name;
+	for (*name = rules->file->trans.table[index]; !label && *name;
 	     *name = next_name(xtype, *name)) {
 		if (xindex & AA_X_CHILD) {
 			struct aa_profile *new_profile;
@@ -579,7 +579,7 @@ static struct aa_label *x_to_label(struct aa_profile *profile,
 		break;
 	case AA_X_TABLE:
 		/* TODO: fix when perm mapping done at unload */
-		stack = rules->file.trans.table[xindex & AA_X_INDEX_MASK];
+		stack = rules->file->trans.table[xindex & AA_X_INDEX_MASK];
 		if (*stack != '&') {
 			/* released by caller */
 			new = x_table_lookup(profile, xindex, lookupname);
@@ -638,7 +638,7 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
 						    typeof(*rules), list);
 	struct aa_label *new = NULL;
 	const char *info = NULL, *name = NULL, *target = NULL;
-	aa_state_t state = rules->file.start[AA_CLASS_FILE];
+	aa_state_t state = rules->file->start[AA_CLASS_FILE];
 	struct aa_perms perms = {};
 	bool nonewprivs = false;
 	int error = 0;
@@ -672,7 +672,7 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
 	}
 
 	/* find exec permissions for name */
-	state = aa_str_perms(&(rules->file), state, name, cond, &perms);
+	state = aa_str_perms(rules->file, state, name, cond, &perms);
 	if (perms.allow & MAY_EXEC) {
 		/* exec permission determine how to transition */
 		new = x_to_label(profile, bprm, name, perms.xindex, &target,
@@ -738,7 +738,7 @@ static int profile_onexec(const struct cred *subj_cred,
 {
 	struct aa_ruleset *rules = list_first_entry(&profile->rules,
 						    typeof(*rules), list);
-	aa_state_t state = rules->file.start[AA_CLASS_FILE];
+	aa_state_t state = rules->file->start[AA_CLASS_FILE];
 	struct aa_perms perms = {};
 	const char *xname = NULL, *info = "change_profile onexec";
 	int error = -EACCES;
@@ -771,7 +771,7 @@ static int profile_onexec(const struct cred *subj_cred,
 	}
 
 	/* find exec permissions for name */
-	state = aa_str_perms(&(rules->file), state, xname, cond, &perms);
+	state = aa_str_perms(rules->file, state, xname, cond, &perms);
 	if (!(perms.allow & AA_MAY_ONEXEC)) {
 		info = "no change_onexec valid for executable";
 		goto audit;
@@ -780,7 +780,7 @@ static int profile_onexec(const struct cred *subj_cred,
 	 * onexec permission is linked to exec with a standard pairing
 	 * exec\0change_profile
 	 */
-	state = aa_dfa_null_transition(rules->file.dfa, state);
+	state = aa_dfa_null_transition(rules->file->dfa, state);
 	error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC,
 				     state, &perms);
 	if (error) {
@@ -1300,7 +1300,7 @@ static int change_profile_perms_wrapper(const char *op, const char *name,
 
 	if (!error)
 		error = change_profile_perms(profile, target, stack, request,
-					     rules->file.start[AA_CLASS_FILE],
+					     rules->file->start[AA_CLASS_FILE],
 					     perms);
 	if (error)
 		error = aa_audit_file(subj_cred, profile, perms, op, request,