From 408d53e923bd852d5d80243a642004163db53a87 Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Mon, 30 Mar 2020 16:43:29 -0400 Subject: apparmor: compute file permissions on profile load Rather than computing file permissions for each file access, file permissions can be computed once on profile load and stored for lookup. Signed-off-by: Mike Salvatore Signed-off-by: John Johansen --- security/apparmor/include/file.h | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'security/apparmor/include') diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h index 029cb20e322d..ab201d625a34 100644 --- a/security/apparmor/include/file.h +++ b/security/apparmor/include/file.h @@ -181,11 +181,13 @@ struct aa_file_rules { /* struct perms perms; */ struct aa_domain trans; /* TODO: add delegate table */ + struct aa_perms *fperms_table; }; -struct aa_perms aa_compute_fperms(struct aa_dfa *dfa, unsigned int state, - struct path_cond *cond); -unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start, +void aa_compute_fperms(struct aa_file_rules *file_rules); +struct aa_perms *aa_lookup_fperms(struct aa_file_rules *file_rules, + unsigned int state, struct path_cond *cond); +unsigned int aa_str_perms(struct aa_file_rules *file_rules, unsigned int start, const char *name, struct path_cond *cond, struct aa_perms *perms); @@ -204,10 +206,17 @@ int aa_file_perm(const char *op, struct aa_label *label, struct file *file, void aa_inherit_files(const struct cred *cred, struct files_struct *files); +static inline void aa_free_fperms_table(struct aa_perms *fperms_table) +{ + if (fperms_table) + kvfree(fperms_table); +} + static inline void aa_free_file_rules(struct aa_file_rules *rules) { aa_put_dfa(rules->dfa); aa_free_domain_entries(&rules->trans); + aa_free_fperms_table(rules->fperms_table); } /** -- cgit v1.2.3