Merge tag 'apparmor-pr-2023-11-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor updates from John Johansen:
 "This adds initial support for mediating io_uring and userns creation.
  Adds a new restriction that tightens the use of change_profile, and a
  couple of optimizations to reduce performance bottle necks that have
  been found when retrieving the current task's secid and allocating
  work buffers.

  The majority of the patch set continues cleaning up and simplifying
  the code (fixing comments, removing now dead functions, and macros
  etc). Finally there are 4 bug fixes, with the regression fix having
  had a couple months of testing.

  Features:
   - optimize retrieving current task secid
   - add base io_uring mediation
   - add base userns mediation
   - improve buffer allocation
   - allow restricting unprivilege change_profile

  Cleanups:
   - Fix kernel doc comments
   - remove unused declarations
   - remove unused functions
   - remove unneeded #ifdef
   - remove unused macros
   - mark fns static
   - cleanup fn with unused return values
   - cleanup audit data
   - pass cred through to audit data
   - refcount the pdb instead of using duplicates
   - make SK_CTX macro an inline fn
   - some comment cleanups

  Bug fixes:
   - fix regression in mount mediation
   - fix invalid refenece
   - use passed in gfp flags
   - advertise avaiability of extended perms and disconnected.path"

* tag 'apparmor-pr-2023-11-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (39 commits)
  apparmor: Fix some kernel-doc comments
  apparmor: Fix one kernel-doc comment
  apparmor: Fix some kernel-doc comments
  apparmor: mark new functions static
  apparmor: Fix regression in mount mediation
  apparmor: cache buffers on percpu list if there is lock contention
  apparmor: add io_uring mediation
  apparmor: add user namespace creation mediation
  apparmor: allow restricting unprivileged change_profile
  apparmor: advertise disconnected.path is available
  apparmor: refcount the pdb
  apparmor: provide separate audit messages for file and policy checks
  apparmor: pass cred through to audit info.
  apparmor: rename audit_data->label to audit_data->subj_label
  apparmor: combine common_audit_data and apparmor_audit_data
  apparmor: rename SK_CTX() to aa_sock and make it an inline fn
  apparmor: Optimize retrieving current task secid
  apparmor: remove unused functions in policy_ns.c/.h
  apparmor: remove unneeded #ifdef in decompress_zstd()
  apparmor: fix invalid reference on profile->disconnected
  ...

1 files changed, 27 insertions, 27 deletions

diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index a630c951bb3b..4c198d273f09 100644
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -27,7 +27,7 @@ struct aa_perms allperms = { .allow = ALL_PERMS_MASK,
 
 /**
  * aa_free_str_table - free entries str table
- * @str: the string table to free  (MAYBE NULL)
+ * @t: the string table to free  (MAYBE NULL)
  */
 void aa_free_str_table(struct aa_str_table *t)
 {
@@ -85,6 +85,7 @@ char *aa_split_fqname(char *fqname, char **ns_name)
 /**
  * skipn_spaces - Removes leading whitespace from @str.
  * @str: The string to be stripped.
+ * @n: length of str to parse, will stop at \0 if encountered before n
  *
  * Returns a pointer to the first non-whitespace character in @str.
  * if all whitespace will return NULL
@@ -143,10 +144,10 @@ const char *aa_splitn_fqname(const char *fqname, size_t n, const char **ns_name,
 void aa_info_message(const char *str)
 {
 	if (audit_enabled) {
-		DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL);
+		DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL);
 
-		aad(&sa)->info = str;
-		aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, NULL);
+		ad.info = str;
+		aa_audit_msg(AUDIT_APPARMOR_STATUS, &ad, NULL);
 	}
 	printk(KERN_INFO "AppArmor: %s\n", str);
 }
@@ -281,21 +282,22 @@ void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
 static void aa_audit_perms_cb(struct audit_buffer *ab, void *va)
 {
 	struct common_audit_data *sa = va;
+	struct apparmor_audit_data *ad = aad(sa);
 
-	if (aad(sa)->request) {
+	if (ad->request) {
 		audit_log_format(ab, " requested_mask=");
-		aa_audit_perm_mask(ab, aad(sa)->request, aa_file_perm_chrs,
+		aa_audit_perm_mask(ab, ad->request, aa_file_perm_chrs,
 				   PERMS_CHRS_MASK, aa_file_perm_names,
 				   PERMS_NAMES_MASK);
 	}
-	if (aad(sa)->denied) {
+	if (ad->denied) {
 		audit_log_format(ab, "denied_mask=");
-		aa_audit_perm_mask(ab, aad(sa)->denied, aa_file_perm_chrs,
+		aa_audit_perm_mask(ab, ad->denied, aa_file_perm_chrs,
 				   PERMS_CHRS_MASK, aa_file_perm_names,
 				   PERMS_NAMES_MASK);
 	}
 	audit_log_format(ab, " peer=");
-	aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
+	aa_label_xaudit(ab, labels_ns(ad->subj_label), ad->peer,
 				      FLAGS_NONE, GFP_ATOMIC);
 }
 
@@ -339,8 +341,8 @@ void aa_profile_match_label(struct aa_profile *profile,
 	/* TODO: doesn't yet handle extended types */
 	aa_state_t state;
 
-	state = aa_dfa_next(rules->policy.dfa,
-			    rules->policy.start[AA_CLASS_LABEL],
+	state = aa_dfa_next(rules->policy->dfa,
+			    rules->policy->start[AA_CLASS_LABEL],
 			    type);
 	aa_label_match(profile, rules, label, state, false, request, perms);
 }
@@ -349,21 +351,20 @@ void aa_profile_match_label(struct aa_profile *profile,
 /* currently unused */
 int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target,
 			  u32 request, int type, u32 *deny,
-			  struct common_audit_data *sa)
+			  struct apparmor_audit_data *ad)
 {
 	struct aa_ruleset *rules = list_first_entry(&profile->rules,
 						    typeof(*rules), list);
 	struct aa_perms perms;
 
-	aad(sa)->label = &profile->label;
-	aad(sa)->peer = &target->label;
-	aad(sa)->request = request;
+	ad->peer = &target->label;
+	ad->request = request;
 
 	aa_profile_match_label(profile, rules, &target->label, type, request,
 			       &perms);
 	aa_apply_modes_to_perms(profile, &perms);
 	*deny |= request & perms.deny;
-	return aa_check_perms(profile, &perms, request, sa, aa_audit_perms_cb);
+	return aa_check_perms(profile, &perms, request, ad, aa_audit_perms_cb);
 }
 
 /**
@@ -371,8 +372,7 @@ int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target,
  * @profile: profile being checked
  * @perms: perms computed for the request
  * @request: requested perms
- * @deny: Returns: explicit deny set
- * @sa: initialized audit structure (MAY BE NULL if not auditing)
+ * @ad: initialized audit structure (MAY BE NULL if not auditing)
  * @cb: callback fn for type specific fields (MAY BE NULL)
  *
  * Returns: 0 if permission else error code
@@ -385,7 +385,7 @@ int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target,
  *	 with a positive value.
  */
 int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms,
-		   u32 request, struct common_audit_data *sa,
+		   u32 request, struct apparmor_audit_data *ad,
 		   void (*cb)(struct audit_buffer *, void *))
 {
 	int type, error;
@@ -394,7 +394,7 @@ int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms,
 	if (likely(!denied)) {
 		/* mask off perms that are not being force audited */
 		request &= perms->audit;
-		if (!request || !sa)
+		if (!request || !ad)
 			return 0;
 
 		type = AUDIT_APPARMOR_AUDIT;
@@ -413,16 +413,16 @@ int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms,
 			error = -ENOENT;
 
 		denied &= ~perms->quiet;
-		if (!sa || !denied)
+		if (!ad || !denied)
 			return error;
 	}
 
-	if (sa) {
-		aad(sa)->label = &profile->label;
-		aad(sa)->request = request;
-		aad(sa)->denied = denied;
-		aad(sa)->error = error;
-		aa_audit_msg(type, sa, cb);
+	if (ad) {
+		ad->subj_label = &profile->label;
+		ad->request = request;
+		ad->denied = denied;
+		ad->error = error;
+		aa_audit_msg(type, ad, cb);
 	}
 
 	if (type == AUDIT_APPARMOR_ALLOWED)