apparmor: reduce rcu_read_lock scope for aa_file_perm mediation
index c1da22482bfbb3162f81203062daaae6186d45d2..2dbccb021663b9c15514aaa3da3f559e670ad9f9 100644 (file)
@@ -15,6 +15,7 @@
 #include <linux/fs.h>
 #include <linux/mount.h>
 #include <linux/namei.h>
+#include <uapi/linux/mount.h>
 
 #include "include/apparmor.h"
 #include "include/audit.h"
@@ -411,11 +412,13 @@ int aa_remount(struct aa_label *label, const struct path *path,
 
        binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA;
 
-       get_buffers(buffer);
+       buffer = aa_get_buffer();
+       if (!buffer)
+               return -ENOMEM;
        error = fn_for_each_confined(label, profile,
                        match_mnt(profile, path, buffer, NULL, NULL, NULL,
                                  flags, data, binary));
-       put_buffers(buffer);
+       aa_put_buffer(buffer);
 
        return error;
 }
@@ -440,11 +443,18 @@ int aa_bind_mount(struct aa_label *label, const struct path *path,
        if (error)
                return error;
 
-       get_buffers(buffer, old_buffer);
+       buffer = aa_get_buffer();
+       old_buffer = aa_get_buffer();
+       error = -ENOMEM;
+       if (!buffer || old_buffer)
+               goto out;
+
        error = fn_for_each_confined(label, profile,
                        match_mnt(profile, path, buffer, &old_path, old_buffer,
                                  NULL, flags, NULL, false));
-       put_buffers(buffer, old_buffer);
+out:
+       aa_put_buffer(buffer);
+       aa_put_buffer(old_buffer);
        path_put(&old_path);
 
        return error;
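Review bot: The allocation check `if (!buffer || old_buffer)` tests the wrong sense of `old_buffer`: when the second aa_get_buffer() succeeds (non-NULL) the function jumps to `out` and fails the bind mount with -ENOMEM, and when it fails (NULL) execution falls through into match_mnt() with a NULL `old_buffer`. The parallel code in aa_move_mount later in this patch uses `if (!buffer || !old_buffer)`, which is what is intended here as well: `if (!buffer || !old_buffer)`. As written the `out:` path can also be reached with `buffer` NULL, so this relies on aa_put_buffer() tolerating a NULL argument, which is not visible in this hunk. aa_bind_mount's closing brace lies outside the hunk.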
@@ -464,11 +474,13 @@ int aa_mount_change_type(struct aa_label *label, const struct path *path,
        flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE |
                  MS_UNBINDABLE);
 
-       get_buffers(buffer);
+       buffer = aa_get_buffer();
+       if (!buffer)
+               return -ENOMEM;
        error = fn_for_each_confined(label, profile,
                        match_mnt(profile, path, buffer, NULL, NULL, NULL,
                                  flags, NULL, false));
-       put_buffers(buffer);
+       aa_put_buffer(buffer);
 
        return error;
 }
@@ -491,11 +503,17 @@ int aa_move_mount(struct aa_label *label, const struct path *path,
        if (error)
                return error;
 
-       get_buffers(buffer, old_buffer);
+       buffer = aa_get_buffer();
+       old_buffer = aa_get_buffer();
+       error = -ENOMEM;
+       if (!buffer || !old_buffer)
+               goto out;
        error = fn_for_each_confined(label, profile,
                        match_mnt(profile, path, buffer, &old_path, old_buffer,
                                  NULL, MS_MOVE, NULL, false));
-       put_buffers(buffer, old_buffer);
+out:
+       aa_put_buffer(buffer);
+       aa_put_buffer(old_buffer);
        path_put(&old_path);
 
        return error;
@@ -536,8 +554,17 @@ int aa_new_mount(struct aa_label *label, const char *dev_name,
                }
        }
 
-       get_buffers(buffer, dev_buffer);
+       buffer = aa_get_buffer();
+       if (!buffer) {
+               error = -ENOMEM;
+               goto out;
+       }
        if (dev_path) {
+               dev_buffer = aa_get_buffer();
+               if (!dev_buffer) {
+                       error = -ENOMEM;
+                       goto out;
+               }
                error = fn_for_each_confined(label, profile,
                        match_mnt(profile, path, buffer, dev_path, dev_buffer,
                                  type, flags, data, binary));
@@ -546,7 +573,10 @@ int aa_new_mount(struct aa_label *label, const char *dev_name,
                        match_mnt_path_str(profile, path, buffer, dev_name,
                                           type, flags, data, binary, NULL));
        }
-       put_buffers(buffer, dev_buffer);
+
+out:
+       aa_put_buffer(buffer);
+       aa_put_buffer(dev_buffer);
        if (dev_path)
                path_put(dev_path);
 
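Review bot: The cleanup at `out:` calls `aa_put_buffer(dev_buffer)` on every path, but `dev_buffer` is only assigned inside the `if (dev_path)` branch in the earlier hunk, and the `!buffer` failure also jumps here before that branch runs. This is only safe if the declaration of `dev_buffer` (outside these hunks) initialises it to NULL and aa_put_buffer() accepts NULL; if the declaration is a bare `char *dev_buffer;`, a `dev_path == NULL` mount or an early -ENOMEM would release an uninitialised pointer. Worth confirming the declaration reads `char *buffer = NULL, *dev_buffer = NULL;`, or else adding an explicit `dev_buffer = NULL;` before the first `goto out`. aa_new_mount continues beyond this hunk.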
@@ -594,10 +624,13 @@ int aa_umount(struct aa_label *label, struct vfsmount *mnt, int flags)
        AA_BUG(!label);
        AA_BUG(!mnt);
 
-       get_buffers(buffer);
+       buffer = aa_get_buffer();
+       if (!buffer)
+               return -ENOMEM;
+
        error = fn_for_each_confined(label, profile,
                        profile_umount(profile, &path, buffer));
-       put_buffers(buffer);
+       aa_put_buffer(buffer);
 
        return error;
 }
@@ -670,8 +703,12 @@ int aa_pivotroot(struct aa_label *label, const struct path *old_path,
        AA_BUG(!old_path);
        AA_BUG(!new_path);
 
-       get_buffers(old_buffer, new_buffer);
-       target = fn_label_build(label, profile, GFP_ATOMIC,
+       old_buffer = aa_get_buffer();
+       new_buffer = aa_get_buffer();
+       error = -ENOMEM;
+       if (!old_buffer || !new_buffer)
+               goto out;
+       target = fn_label_build(label, profile, GFP_KERNEL,
                        build_pivotroot(profile, new_path, new_buffer,
                                        old_path, old_buffer));
        if (!target) {
@@ -689,7 +726,8 @@ int aa_pivotroot(struct aa_label *label, const struct path *old_path,
                /* already audited error */
                error = PTR_ERR(target);
 out:
-       put_buffers(old_buffer, new_buffer);
+       aa_put_buffer(old_buffer);
+       aa_put_buffer(new_buffer);
 
        return error;