/**
* aa_audit_policy - Do auditing of policy changes
+ * @profile: profile to check if it can manage policy
* @op: policy operation being performed
* @gfp: memory allocation flags
* @name: name of profile being manipulated (NOT NULL)
*
* Returns: the error to be returned after audit is done
*/
-static int audit_policy(int op, gfp_t gfp, const char *name, const char *info,
- int error)
+static int audit_policy(struct aa_profile *profile, int op, gfp_t gfp,
+ const char *name, const char *info, int error)
{
struct common_audit_data sa;
struct apparmor_audit_data aad = {0,};
aad.info = info;
aad.error = error;
- return aa_audit(AUDIT_APPARMOR_STATUS, __aa_current_profile(), gfp,
+ return aa_audit(AUDIT_APPARMOR_STATUS, profile, gfp,
&sa, NULL);
}
{
/* check if loading policy is locked out */
if (aa_g_lock_policy) {
- audit_policy(op, GFP_KERNEL, NULL, "policy_locked", -EACCES);
+ audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
+ "policy_locked", -EACCES);
return 0;
}
if (!policy_admin_capable()) {
- audit_policy(op, GFP_KERNEL, NULL, "not policy admin", -EACCES);
+ audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
+ "not policy admin", -EACCES);
return 0;
}
/**
* aa_replace_profiles - replace profile(s) on the profile list
* @view: namespace load is viewed from
+ * @profile: profile that is attempting to load/replace policy
* @udata: serialized data stream (NOT NULL)
* @size: size of the serialized data stream
* @noreplace: true if only doing addition, no replacement allowed
/* released below */
ns = aa_prepare_ns(view, ns_name);
if (!ns) {
- error = audit_policy(op, GFP_KERNEL, ns_name,
+ error = audit_policy(__aa_current_profile(), op, GFP_KERNEL,
+ ns_name,
"failed to prepare namespace", -ENOMEM);
goto free;
}
list_del_init(&ent->list);
op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL;
- audit_policy(op, GFP_ATOMIC, ent->new->base.hname, NULL, error);
+ audit_policy(__aa_current_profile(), op, GFP_ATOMIC,
+ ent->new->base.hname, NULL, error);
if (ent->old) {
__replace_profile(ent->old, ent->new, 1);
/* audit cause of failure */
op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
- audit_policy(op, GFP_KERNEL, ent->new->base.hname, info, error);
+ audit_policy(__aa_current_profile(), op, GFP_KERNEL,
+ ent->new->base.hname, info, error);
/* audit status that rest of profiles in the atomic set failed too */
info = "valid profile in failed atomic policy load";
list_for_each_entry(tmp, &lh, list) {
continue;
}
op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
- audit_policy(op, GFP_KERNEL, tmp->new->base.hname, info, error);
+ audit_policy(__aa_current_profile(), op, GFP_KERNEL,
+ tmp->new->base.hname, info, error);
}
free:
list_for_each_entry_safe(ent, tmp, &lh, list) {
}
/* don't fail removal if audit fails */
- (void) audit_policy(OP_PROF_RM, GFP_KERNEL, name, info, error);
+ (void) audit_policy(__aa_current_profile(), OP_PROF_RM, GFP_KERNEL,
+ name, info, error);
aa_put_ns(ns);
aa_put_profile(profile);
return size;
aa_put_ns(ns);
fail:
- (void) audit_policy(OP_PROF_RM, GFP_KERNEL, name, info, error);
+ (void) audit_policy(__aa_current_profile(), OP_PROF_RM, GFP_KERNEL,
+ name, info, error);
return error;
}
projects / GitHub / moto-9609 / android_kernel_motorola_exynos9610.git / commitdiff