Just add the labels to the tree to make sure insertions and deletions into the rb tree are working.
Signed-off-by: John Johansen <john.johan...@canonical.com>
---
 security/apparmor/policy.c | 53 +++++++++++++++++++++++++++++++---------------
 1 file changed, 36 insertions(+), 17 deletions(-)
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 1d80595..9d946ce 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1100,6 +1100,26 @@ static void share_name(struct aa_profile *old, struct aa_profile *new)
 new->base.name = old->base.name;
 }
 
+/* Update to newest version of parent after previous replacements
+ * Returns: unrefcount newest version of parent
+ */
+static struct aa_profile *update_to_newest_parent(struct aa_profile *new)
+{
+ struct aa_profile *parent, *newest;
+ parent = rcu_dereference_protected(new->parent,
+ mutex_is_locked(&new->ns->lock));
+ newest = aa_get_newest_profile(parent);
+
+ /* parent replaced in this atomic set? */
+ if (newest != parent) {
+ aa_put_profile(parent);
+ rcu_assign_pointer(new->parent, newest);
+ } else
+ aa_put_profile(newest);
+
+ return newest;
+}
+
 /**
 * aa_replace_profiles - replace profile(s) on the profile list
 * @udata: serialized data stream (NOT NULL)
@@ -1215,6 +1235,9 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
 if (ent->old) {
 share_name(ent->old, ent->new);
 __replace_profile(ent->old, ent->new, 1);
+ aa_label_replace(&ns->labels, &ent->old->label,
+ &ent->new->label);
+ __aa_labelset_invalidate_all(ns, ent->old);
 if (ent->rename) {
 /* aafs interface uses replacedby */
 rcu_assign_pointer(ent->new->replacedby->profile,
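Review bot: The comment above `update_to_newest_parent()` says only "unrefcount", which leaves the lifetime rule implicit: the returned pointer carries no reference of its own and is kept alive solely by the one stored in `new->parent`, so it is safe to use only while the namespace lock is held. I would make it a kernel-doc block with an `@new` line, a "Requires: ns->lock held" line and a "Returns: newest parent, not refcounted, valid only under ns->lock" line, because a caller that keeps the result past the unlock would be touching a profile it does not own. The helper also checks `mutex_is_locked(&new->ns->lock)` where the inlined code it replaces used the caller's `ns->lock`; that is equivalent only if `new->ns` is already set to `ns` at this point, which the diff does not show. As a style point, kernel style wants braces on the `else` arm when the `if` arm has them.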
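Review bot: Only `ent->old`'s label is swapped and invalidated in the `if (ent->old)` arm; nothing in the patch does the same for `ent->rename`. When both `old` and `rename` are set, the renamed profile's label appears to stay in `ns->labels`, and in what looks like the rename-only arm at the top of the next hunk `ent->new->label` is never added, because `aa_label_insert()` sits in the final `else`. Unless renames are handled somewhere outside this diff, the tree is left with a stale label for a replaced profile and no entry for its replacement. Something like `aa_label_replace(&ns->labels, &ent->rename->label, &ent->new->label);` followed by `__aa_labelset_invalidate_all(ns, ent->rename);` in the rename-only arm would cover that case. The loop body starts and ends outside this hunk.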
@@ -1226,28 +1249,22 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
 rcu_assign_pointer(ent->new->replacedby->profile,
 aa_get_profile(ent->new));
 __replace_profile(ent->rename, ent->new, 0);
- } else if (ent->new->parent) {
- struct aa_profile *parent, *newest;
- parent = rcu_dereference_protected(ent->new->parent,
- mutex_is_locked(&ns->lock));
- newest = aa_get_newest_profile(parent);
+ } else {
+ struct aa_label *l;
+ struct list_head *lh;
 
- /* parent replaced in this atomic set? */
- if (newest != parent) {
- aa_get_profile(newest);
- aa_put_profile(parent);
- rcu_assign_pointer(ent->new->parent, newest);
+ if (rcu_access_pointer(ent->new->parent)) {
+ struct aa_profile *parent;
+ parent = update_to_newest_parent(ent->new);
+ lh = &parent->base.profiles;
 } else
- aa_put_profile(newest);
- /* aafs interface uses replacedby */
- rcu_assign_pointer(ent->new->replacedby->profile,
- aa_get_profile(ent->new));
- __list_add_profile(&parent->base.profiles, ent->new);
- } else {
+ lh = &ns->base.profiles;
 /* aafs interface uses replacedby */
 rcu_assign_pointer(ent->new->replacedby->profile,
 aa_get_profile(ent->new));
- __list_add_profile(&ns->base.profiles, ent->new);
+ __list_add_profile(lh, ent->new);
+ l = aa_label_insert(&ns->labels, &ent->new->label);
+ aa_put_label(l);
 }
 aa_load_ent_free(ent);
 }
@@ -1330,6 +1347,8 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
 }
 name = profile->base.hname;
 __remove_profile(profile);
+ aa_label_remove(&ns->labels, &profile->label);
+ __aa_labelset_invalidate_all(ns, profile);
 mutex_unlock(&ns->lock);
 }
 
--
1.8.1.2
--
AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
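Review bot: The result of `aa_label_insert()` in the final `else` arm is released with `aa_put_label(l)` without being looked at. If the insert can return something other than `&ent->new->label`, such as an equal label already in the tree or NULL on failure (its definition is not in this diff), the profile still goes onto the list while the label set disagrees with it. Since the commit exists to check that tree insertions work, a `WARN_ON(l != &ent->new->label);` before the put would make a mismatch visible. Braces on the inner `else` would also match the braced `if` arm.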
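Review bot: `aa_label_remove()` and `__aa_labelset_invalidate_all()` are applied to the top-level `profile` only, after `__remove_profile(profile)` has run. If `__remove_profile()` also tears down child profiles (its body is outside this diff), their labels would stay in `ns->labels` after the profiles themselves are gone. Doing the label removal inside `__remove_profile()` would cover every removed profile; otherwise a comment such as `/* children hold no entries in ns->labels */` should record why this is enough. The enclosing block starts outside this hunk.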