apparmor: transition from a list of rules to a vector of rules

The set of rules on a profile is not dynamically extended, instead
if a new ruleset is needed a new version of the profile is created.
This allows us to use a vector of rules instead of a list, slightly
reducing memory usage and simplifying the code.

Signed-off-by: John Johansen <john.johansen@canonical.com>

Author: jrjohansen

security/apparmor/af_unix.c

@@ -202,8 +202,7 @@ static int profile_create_perm(struct aa_profile *profile, int family,
 			       int type, int protocol,
 			       struct apparmor_audit_data *ad)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	aa_state_t state;
 
 	AA_BUG(!profile);
@@ -227,9 +226,7 @@ static int profile_sk_perm(struct aa_profile *profile,
 			   struct apparmor_audit_data *ad,
 			   u32 request, struct sock *sk, struct path *path)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules),
-						    list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	struct aa_perms *p = NULL;
 	aa_state_t state;
 
@@ -257,8 +254,7 @@ static int profile_sk_perm(struct aa_profile *profile,
 static int profile_bind_perm(struct aa_profile *profile, struct sock *sk,
 			     struct apparmor_audit_data *ad)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	struct aa_perms *p = NULL;
 	aa_state_t state;
 
@@ -289,8 +285,7 @@ static int profile_bind_perm(struct aa_profile *profile, struct sock *sk,
 static int profile_listen_perm(struct aa_profile *profile, struct sock *sk,
 			       int backlog, struct apparmor_audit_data *ad)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	struct aa_perms *p = NULL;
 	aa_state_t state;
 
@@ -327,8 +322,7 @@ static int profile_accept_perm(struct aa_profile *profile,
 			       struct sock *sk,
 			       struct apparmor_audit_data *ad)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	struct aa_perms *p = NULL;
 	aa_state_t state;
 
@@ -358,8 +352,7 @@ static int profile_opt_perm(struct aa_profile *profile, u32 request,
 			    struct sock *sk, int optname,
 			    struct apparmor_audit_data *ad)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	struct aa_perms *p = NULL;
 	aa_state_t state;
 
@@ -399,8 +392,7 @@ static int profile_peer_perm(struct aa_profile *profile, u32 request,
 			     struct aa_label *peer_label,
 			     struct apparmor_audit_data *ad)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	struct aa_perms *p = NULL;
 	aa_state_t state;
 

security/apparmor/apparmorfs.c

@@ -612,8 +612,7 @@ static const struct file_operations aa_fs_ns_revision_fops = {
 static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
 			     const char *match_str, size_t match_len)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	struct aa_perms tmp = { };
 	aa_state_t state = DFA_NOMATCH;
 

security/apparmor/capability.c

@@ -69,8 +69,7 @@ static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile
 {
 	const u64 AUDIT_CACHE_TIMEOUT_NS = 1000*1000*1000; /* 1 second */
 
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	struct audit_cache *ent;
 	int type = AUDIT_APPARMOR_AUTO;
 
@@ -122,8 +121,7 @@ static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile
 static int profile_capable(struct aa_profile *profile, int cap,
 			   unsigned int opts, struct apparmor_audit_data *ad)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	aa_state_t state;
 	int error;
 
@@ -195,8 +193,7 @@ int aa_capable(const struct cred *subj_cred, struct aa_label *label,
 
 kernel_cap_t aa_profile_capget(struct aa_profile *profile)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	aa_state_t state;
 
 	state = RULE_MEDIATES(rules, AA_CLASS_CAP);

security/apparmor/domain.c

@@ -93,8 +93,7 @@ static inline aa_state_t match_component(struct aa_profile *profile,
 					 struct aa_profile *tp,
 					 bool stack, aa_state_t state)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	const char *ns_name;
 
 	if (stack)
@@ -131,8 +130,7 @@ static int label_compound_match(struct aa_profile *profile,
 				aa_state_t state, bool subns, u32 request,
 				struct aa_perms *perms)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	struct aa_profile *tp;
 	struct label_it i;
 	struct path_cond cond = { };
@@ -194,8 +192,7 @@ static int label_components_match(struct aa_profile *profile,
 				  aa_state_t start, bool subns, u32 request,
 				  struct aa_perms *perms)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	struct aa_profile *tp;
 	struct label_it i;
 	struct aa_perms tmp;
@@ -520,8 +517,7 @@ static const char *next_name(int xtype, const char *name)
 struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex,
 				const char **name)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	struct aa_label *label = NULL;
 	u32 xtype = xindex & AA_X_TYPE_MASK;
 	int index = xindex & AA_X_INDEX_MASK;
@@ -575,8 +571,6 @@ static struct aa_label *x_to_label(struct aa_profile *profile,
 				   const char **lookupname,
 				   const char **info)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
 	struct aa_label *new = NULL;
 	struct aa_label *stack = NULL;
 	struct aa_ns *ns = profile->ns;
@@ -668,8 +662,7 @@ static struct aa_label *profile_transition(const struct cred *subj_cred,
 					   char *buffer, struct path_cond *cond,
 					   bool *secure_exec)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	struct aa_label *new = NULL;
 	struct aa_profile *new_profile = NULL;
 	const char *info = NULL, *name = NULL, *target = NULL;
@@ -802,8 +795,7 @@ static int profile_onexec(const struct cred *subj_cred,
 			  char *buffer, struct path_cond *cond,
 			  bool *secure_exec)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	aa_state_t state = rules->file->start[AA_CLASS_FILE];
 	struct aa_perms perms = {};
 	const char *xname = NULL, *info = "change_profile onexec";
@@ -1361,8 +1353,7 @@ static int change_profile_perms_wrapper(const char *op, const char *name,
 					struct aa_label *target, bool stack,
 					u32 request, struct aa_perms *perms)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	const char *info = NULL;
 	int error = 0;
 

security/apparmor/file.c

@@ -223,8 +223,7 @@ int __aa_path_perm(const char *op, const struct cred *subj_cred,
 		   u32 request, struct path_cond *cond, int flags,
 		   struct aa_perms *perms)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	int e = 0;
 
 	if (profile_unconfined(profile) ||
@@ -323,8 +322,7 @@ static int profile_path_link(const struct cred *subj_cred,
 			     const struct path *target, char *buffer2,
 			     struct path_cond *cond)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	const char *lname, *tname = NULL;
 	struct aa_perms lperms = {}, perms;
 	const char *info = NULL;

security/apparmor/include/label.h

@@ -19,6 +19,7 @@
 #include "lib.h"
 
 struct aa_ns;
+struct aa_ruleset;
 
 #define LOCAL_VEC_ENTRIES 8
 #define DEFINE_VEC(T, V)						\
@@ -109,7 +110,7 @@ struct label_it {
 	int i, j;
 };
 
-/* struct aa_label - lazy labeling struct
+/* struct aa_label_base - base info of label
  * @count: ref count of active users
  * @node: rbtree position
  * @rcu: rcu callback struct
@@ -118,7 +119,10 @@ struct label_it {
  * @flags: stale and other flags - values may change under label set lock
  * @secid: secid that references this label
  * @size: number of entries in @ent[]
- * @ent: set of profiles for label, actual size determined by @size
+ * @mediates: bitmask for label_mediates
+ * profile: label vec when embedded in a profile FLAG_PROFILE is set
+ * rules: variable length rules in a profile FLAG_PROFILE is set
+ * vec: vector of profiles comprising the compound label
  */
 struct aa_label {
 	struct kref count;
@@ -130,7 +134,17 @@ struct aa_label {
 	u32 secid;
 	int size;
 	u64 mediates;
-	struct aa_profile *vec[];
+	union {
+		struct {
+			/* only used is the label is a profile, size of
+			 * rules[] is determined by the profile
+			 * profile[1] is poison or null as guard
+			 */
+			struct aa_profile *profile[2];
+			DECLARE_FLEX_ARRAY(struct aa_ruleset *, rules);
+		};
+		DECLARE_FLEX_ARRAY(struct aa_profile *, vec);
+	};
 };
 
 #define last_error(E, FN)				\

security/apparmor/include/policy.h

@@ -165,8 +165,6 @@ struct aa_data {
  * @secmark: secmark label match info
  */
 struct aa_ruleset {
-	struct list_head list;
-
 	int size;
 
 	/* TODO: merge policy and file */
@@ -180,6 +178,7 @@ struct aa_ruleset {
 	struct aa_secmark *secmark;
 };
 
+
 /* struct aa_attachment - data and rules for a profiles attachment
  * @list:
  * @xmatch_str: human readable attachment string
@@ -218,6 +217,7 @@ struct aa_attachment {
  * @dents: set of dentries associated with the profile
  * @data: hashtable for free-form policy aa_data
  * @label - label this profile is an extension of
+ * @rules - label with the rule vec on its end
  *
  * The AppArmor profile contains the basic confinement data.  Each profile
  * has a name, and exists in a namespace.  The @name and @exec_match are
@@ -245,14 +245,14 @@ struct aa_profile {
 	const char *disconnected;
 
 	struct aa_attachment attach;
-	struct list_head rules;
 
 	struct aa_loaddata *rawdata;
 	unsigned char *hash;
 	char *dirname;
 	struct dentry *dents[AAFS_PROF_SIZEOF];
 	struct rhashtable *data;
 
+	int n_rules;
 	/* special - variable length must be last entry in profile */
 	struct aa_label label;
 };
@@ -332,16 +332,6 @@ static inline aa_state_t RULE_MEDIATES_NET(struct aa_ruleset *rules)
 }
 
 
-static inline aa_state_t ANY_RULE_MEDIATES(struct list_head *head,
-					   unsigned char class)
-{
-	struct aa_ruleset *rule;
-
-	/* TODO: change to list walk */
-	rule = list_first_entry(head, typeof(*rule), list);
-	return RULE_MEDIATES(rule, class);
-}
-
 void aa_compute_profile_mediates(struct aa_profile *profile);
 static inline bool profile_mediates(struct aa_profile *profile,
 				    unsigned char class)

security/apparmor/ipc.c

@@ -80,8 +80,7 @@ static int profile_signal_perm(const struct cred *cred,
 			       struct aa_label *peer, u32 request,
 			       struct apparmor_audit_data *ad)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	struct aa_perms perms;
 	aa_state_t state;
 

security/apparmor/lsm.c

@@ -182,8 +182,7 @@ static int apparmor_capget(const struct task_struct *target, kernel_cap_t *effec
 			struct aa_ruleset *rules;
 			kernel_cap_t allowed;
 
-			rules = list_first_entry(&profile->rules,
-						 typeof(*rules), list);
+			rules = profile->label.rules[0];
 			allowed = aa_profile_capget(profile);
 			*effective = cap_intersect(*effective, allowed);
 			*permitted = cap_intersect(*permitted, allowed);
@@ -636,7 +635,7 @@ static int profile_uring(struct aa_profile *profile, u32 request,
 
 	AA_BUG(!profile);
 
-	rules = list_first_entry(&profile->rules, typeof(*rules), list);
+	rules = profile->label.rules[0];
 	state = RULE_MEDIATES(rules, AA_CLASS_IO_URING);
 	if (state) {
 		struct aa_perms perms = { };

security/apparmor/mount.c

@@ -311,8 +311,7 @@ static int match_mnt_path_str(const struct cred *subj_cred,
 {
 	struct aa_perms perms = { };
 	const char *mntpnt = NULL, *info = NULL;
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	int pos, error;
 
 	AA_BUG(!profile);
@@ -371,8 +370,7 @@ static int match_mnt(const struct cred *subj_cred,
 		     bool binary)
 {
 	const char *devname = NULL, *info = NULL;
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	int error = -EACCES;
 
 	AA_BUG(!profile);
@@ -604,8 +602,7 @@ static int profile_umount(const struct cred *subj_cred,
 			  struct aa_profile *profile, const struct path *path,
 			  char *buffer)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	struct aa_perms perms = { };
 	const char *name = NULL, *info = NULL;
 	aa_state_t state;
@@ -668,8 +665,7 @@ static struct aa_label *build_pivotroot(const struct cred *subj_cred,
 					const struct path *old_path,
 					char *old_buffer)
 {
-	struct aa_ruleset *rules = list_first_entry(&profile->rules,
-						    typeof(*rules), list);
+	struct aa_ruleset *rules = profile->label.rules[0];
 	const char *old_name, *new_name = NULL, *info = NULL;
 	const char *trans_name = NULL;
 	struct aa_perms perms = { };