1
// SPDX-License-Identifier: GPL-2.0-only
2
/*
3
 * AppArmor security module
4
 *
5
 * This file contains AppArmor policy manipulation functions
6
 *
7
 * Copyright (C) 1998-2008 Novell/SUSE
8
 * Copyright 2009-2010 Canonical Ltd.
9
 *
10
 * AppArmor policy is based around profiles, which contain the rules a
11
 * task is confined by.  Every task in the system has a profile attached
12
 * to it determined either by matching "unconfined" tasks against the
13
 * visible set of profiles or by following a profiles attachment rules.
14
 *
15
 * Each profile exists in a profile namespace which is a container of
16
 * visible profiles.  Each namespace contains a special "unconfined" profile,
17
 * which doesn't enforce any confinement on a task beyond DAC.
18
 *
19
 * Namespace and profile names can be written together in either
20
 * of two syntaxes.
21
 *	:namespace:profile - used by kernel interfaces for easy detection
22
 *	namespace://profile - used by policy
23
 *
24
 * Profile names can not start with : or @ or ^ and may not contain \0
25
 *
26
 * Reserved profile names
27
 *	unconfined - special automatically generated unconfined profile
28
 *	inherit - special name to indicate profile inheritance
29
 *	null-XXXX-YYYY - special automatically generated learning profiles
30
 *
31
 * Namespace names may not start with / or @ and may not contain \0 or :
32
 * Reserved namespace names
33
 *	user-XXXX - user defined profiles
34
 *
35
 * a // in a profile or namespace name indicates a hierarchical name with the
36
 * name before the // being the parent and the name after the child.
37
 *
38
 * Profile and namespace hierarchies serve two different but similar purposes.
39
 * The namespace contains the set of visible profiles that are considered
40
 * for attachment.  The hierarchy of namespaces allows for virtualizing
41
 * the namespace so that for example a chroot can have its own set of profiles
42
 * which may define some local user namespaces.
43
 * The profile hierarchy severs two distinct purposes,
44
 * -  it allows for sub profiles or hats, which allows an application to run
45
 *    subprograms under its own profile with different restriction than it
46
 *    self, and not have it use the system profile.
47
 *    eg. if a mail program starts an editor, the policy might make the
48
 *        restrictions tighter on the editor tighter than the mail program,
49
 *        and definitely different than general editor restrictions
50
 * - it allows for binary hierarchy of profiles, so that execution history
51
 *   is preserved.  This feature isn't exploited by AppArmor reference policy
52
 *   but is allowed.  NOTE: this is currently suboptimal because profile
53
 *   aliasing is not currently implemented so that a profile for each
54
 *   level must be defined.
55
 *   eg. /bin/bash///bin/ls as a name would indicate /bin/ls was started
56
 *       from /bin/bash
57
 *
58
 *   A profile or namespace name that can contain one or more // separators
59
 *   is referred to as an hname (hierarchical).
60
 *   eg.  /bin/bash//bin/ls
61
 *
62
 *   An fqname is a name that may contain both namespace and profile hnames.
63
 *   eg. :ns:/bin/bash//bin/ls
64
 *
65
 * NOTES:
66
 *   - locking of profile lists is currently fairly coarse.  All profile
67
 *     lists within a namespace use the namespace lock.
68
 * FIXME: move profile lists to using rcu_lists
69
 */
70

71
#include <linux/slab.h>
72
#include <linux/spinlock.h>
73
#include <linux/string.h>
74
#include <linux/cred.h>
75
#include <linux/rculist.h>
76
#include <linux/user_namespace.h>
77

78
#include "include/apparmor.h"
79
#include "include/capability.h"
80
#include "include/cred.h"
81
#include "include/file.h"
82
#include "include/ipc.h"
83
#include "include/match.h"
84
#include "include/path.h"
85
#include "include/policy.h"
86
#include "include/policy_ns.h"
87
#include "include/policy_unpack.h"
88
#include "include/resource.h"
89

90
int unprivileged_userns_apparmor_policy = 1;
91
int aa_unprivileged_unconfined_restricted;
92

93
const char *const aa_profile_mode_names[] = {
94
	"enforce",
95
	"complain",
96
	"kill",
97
	"unconfined",
98
	"user",
99
};
100

101

102
static void aa_free_pdb(struct aa_policydb *pdb)
103
{
104
	if (pdb) {
105
		aa_put_dfa(pdb->dfa);
106
		kvfree(pdb->perms);
107
		aa_free_str_table(&pdb->trans);
108
		kfree(pdb);
109
	}
110
}
111

112
/**
113
 * aa_pdb_free_kref - free aa_policydb by kref (called by aa_put_pdb)
114
 * @kref: kref callback for freeing of a dfa  (NOT NULL)
115
 */
116
void aa_pdb_free_kref(struct kref *kref)
117
{
118
	struct aa_policydb *pdb = container_of(kref, struct aa_policydb, count);
119

120
	aa_free_pdb(pdb);
121
}
122

123

124
struct aa_policydb *aa_alloc_pdb(gfp_t gfp)
125
{
126
	struct aa_policydb *pdb = kzalloc(sizeof(struct aa_policydb), gfp);
127

128
	if (!pdb)
129
		return NULL;
130

131
	kref_init(&pdb->count);
132

133
	return pdb;
134
}
135

136

137
/**
138
 * __add_profile - add a profiles to list and label tree
139
 * @list: list to add it to  (NOT NULL)
140
 * @profile: the profile to add  (NOT NULL)
141
 *
142
 * refcount @profile, should be put by __list_remove_profile
143
 *
144
 * Requires: namespace lock be held, or list not be shared
145
 */
146
static void __add_profile(struct list_head *list, struct aa_profile *profile)
147
{
148
	struct aa_label *l;
149

150
	AA_BUG(!list);
151
	AA_BUG(!profile);
152
	AA_BUG(!profile->ns);
153
	AA_BUG(!mutex_is_locked(&profile->ns->lock));
154

155
	list_add_rcu(&profile->base.list, list);
156
	/* get list reference */
157
	aa_get_profile(profile);
158
	l = aa_label_insert(&profile->ns->labels, &profile->label);
159
	AA_BUG(l != &profile->label);
160
	aa_put_label(l);
161
}
162

163
/**
164
 * __list_remove_profile - remove a profile from the list it is on
165
 * @profile: the profile to remove  (NOT NULL)
166
 *
167
 * remove a profile from the list, warning generally removal should
168
 * be done with __replace_profile as most profile removals are
169
 * replacements to the unconfined profile.
170
 *
171
 * put @profile list refcount
172
 *
173
 * Requires: namespace lock be held, or list not have been live
174
 */
175
static void __list_remove_profile(struct aa_profile *profile)
176
{
177
	AA_BUG(!profile);
178
	AA_BUG(!profile->ns);
179
	AA_BUG(!mutex_is_locked(&profile->ns->lock));
180

181
	list_del_rcu(&profile->base.list);
182
	aa_put_profile(profile);
183
}
184

185
/**
186
 * __remove_profile - remove old profile, and children
187
 * @profile: profile to be replaced  (NOT NULL)
188
 *
189
 * Requires: namespace list lock be held, or list not be shared
190
 */
191
static void __remove_profile(struct aa_profile *profile)
192
{
193
	AA_BUG(!profile);
194
	AA_BUG(!profile->ns);
195
	AA_BUG(!mutex_is_locked(&profile->ns->lock));
196

197
	/* release any children lists first */
198
	__aa_profile_list_release(&profile->base.profiles);
199
	/* released by free_profile */
200
	aa_label_remove(&profile->label);
201
	__aafs_profile_rmdir(profile);
202
	__list_remove_profile(profile);
203
}
204

205
/**
206
 * __aa_profile_list_release - remove all profiles on the list and put refs
207
 * @head: list of profiles  (NOT NULL)
208
 *
209
 * Requires: namespace lock be held
210
 */
211
void __aa_profile_list_release(struct list_head *head)
212
{
213
	struct aa_profile *profile, *tmp;
214
	list_for_each_entry_safe(profile, tmp, head, base.list)
215
		__remove_profile(profile);
216
}
217

218
/**
219
 * aa_free_data - free a data blob
220
 * @ptr: data to free
221
 * @arg: unused
222
 */
223
static void aa_free_data(void *ptr, void *arg)
224
{
225
	struct aa_data *data = ptr;
226

227
	kvfree_sensitive(data->data, data->size);
228
	kfree_sensitive(data->key);
229
	kfree_sensitive(data);
230
}
231

232
static void free_attachment(struct aa_attachment *attach)
233
{
234
	int i;
235

236
	for (i = 0; i < attach->xattr_count; i++)
237
		kfree_sensitive(attach->xattrs[i]);
238
	kfree_sensitive(attach->xattrs);
239
	aa_put_pdb(attach->xmatch);
240
}
241

242
static void free_ruleset(struct aa_ruleset *rules)
243
{
244
	int i;
245

246
	if (!rules)
247
	  return;
248

249
	aa_put_pdb(rules->file);
250
	aa_put_pdb(rules->policy);
251
	aa_free_cap_rules(&rules->caps);
252
	aa_free_rlimit_rules(&rules->rlimits);
253

254
	for (i = 0; i < rules->secmark_count; i++)
255
		kfree_sensitive(rules->secmark[i].label);
256
	kfree_sensitive(rules->secmark);
257
	kfree_sensitive(rules);
258
}
259

260
struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp)
261
{
262
	struct aa_ruleset *rules;
263

264
	rules = kzalloc(sizeof(*rules), gfp);
265

266
	return rules;
267
}
268

269
/**
270
 * aa_free_profile - free a profile
271
 * @profile: the profile to free  (MAYBE NULL)
272
 *
273
 * Free a profile, its hats and null_profile. All references to the profile,
274
 * its hats and null_profile must have been put.
275
 *
276
 * If the profile was referenced from a task context, free_profile() will
277
 * be called from an rcu callback routine, so we must not sleep here.
278
 */
279
void aa_free_profile(struct aa_profile *profile)
280
{
281
	struct rhashtable *rht;
282

283
	AA_DEBUG(DEBUG_POLICY, "%s(%p)\n", __func__, profile);
284

285
	if (!profile)
286
		return;
287

288
	/* free children profiles */
289
	aa_policy_destroy(&profile->base);
290
	aa_put_profile(rcu_access_pointer(profile->parent));
291

292
	aa_put_ns(profile->ns);
293
	kfree_sensitive(profile->rename);
294
	kfree_sensitive(profile->disconnected);
295

296
	free_attachment(&profile->attach);
297

298
	/*
299
	 * at this point there are no tasks that can have a reference
300
	 * to rules
301
	 */
302
	for (int i = 0; i < profile->n_rules; i++)
303
		free_ruleset(profile->label.rules[i]);
304

305
	kfree_sensitive(profile->dirname);
306

307
	if (profile->data) {
308
		rht = profile->data;
309
		profile->data = NULL;
310
		rhashtable_free_and_destroy(rht, aa_free_data, NULL);
311
		kfree_sensitive(rht);
312
	}
313

314
	kfree_sensitive(profile->hash);
315
	aa_put_loaddata(profile->rawdata);
316
	aa_label_destroy(&profile->label);
317

318
	kfree_sensitive(profile);
319
}
320

321
/**
322
 * aa_alloc_profile - allocate, initialize and return a new profile
323
 * @hname: name of the profile  (NOT NULL)
324
 * @proxy: proxy to use OR null if to allocate a new one
325
 * @gfp: allocation type
326
 *
327
 * Returns: refcount profile or NULL on failure
328
 */
329
struct aa_profile *aa_alloc_profile(const char *hname, struct aa_proxy *proxy,
330
				    gfp_t gfp)
331
{
332
	struct aa_profile *profile;
333

334
	/* freed by free_profile - usually through aa_put_profile
335
	 * this adds space for a single ruleset in the rules section of the
336
	 * label
337
	 */
338
	profile = kzalloc(struct_size(profile, label.rules, 1), gfp);
339
	if (!profile)
340
		return NULL;
341

342
	if (!aa_policy_init(&profile->base, NULL, hname, gfp))
343
		goto fail;
344
	if (!aa_label_init(&profile->label, 1, gfp))
345
		goto fail;
346

347
	/* allocate the first ruleset, but leave it empty */
348
	profile->label.rules[0] = aa_alloc_ruleset(gfp);
349
	if (!profile->label.rules[0])
350
		goto fail;
351
	profile->n_rules = 1;
352

353
	/* update being set needed by fs interface */
354
	if (!proxy) {
355
		proxy = aa_alloc_proxy(&profile->label, gfp);
356
		if (!proxy)
357
			goto fail;
358
	} else
359
		aa_get_proxy(proxy);
360
	profile->label.proxy = proxy;
361

362
	profile->label.hname = profile->base.hname;
363
	profile->label.flags |= FLAG_PROFILE;
364
	profile->label.vec[0] = profile;
365

366
	profile->signal = SIGKILL;
367
	/* refcount released by caller */
368
	return profile;
369

370
fail:
371
	aa_free_profile(profile);
372

373
	return NULL;
374
}
375

376
static inline bool ANY_RULE_MEDIATES(struct aa_profile *profile,
377
				     unsigned char class)
378
{
379
	int i;
380

381
	for (i = 0; i < profile->n_rules; i++) {
382
		if (RULE_MEDIATES(profile->label.rules[i], class))
383
			return true;
384
	}
385
	return false;
386
}
387

388
/* set of rules that are mediated by unconfined */
389
static int unconfined_mediates[] = { AA_CLASS_NS, AA_CLASS_IO_URING, 0 };
390

391
/* must be called after profile rulesets and start information is setup */
392
void aa_compute_profile_mediates(struct aa_profile *profile)
393
{
394
	int c;
395

396
	if (profile_unconfined(profile)) {
397
		int *pos;
398

399
		for (pos = unconfined_mediates; *pos; pos++) {
400
			if (ANY_RULE_MEDIATES(profile, *pos))
401
				profile->label.mediates |= ((u64) 1) << AA_CLASS_NS;
402
		}
403
		return;
404
	}
405
	for (c = 0; c <= AA_CLASS_LAST; c++) {
406
		if (ANY_RULE_MEDIATES(profile, c))
407
			profile->label.mediates |= ((u64) 1) << c;
408
	}
409
}
410

411
/* TODO: profile accounting - setup in remove */
412

413
/**
414
 * __strn_find_child - find a profile on @head list using substring of @name
415
 * @head: list to search  (NOT NULL)
416
 * @name: name of profile (NOT NULL)
417
 * @len: length of @name substring to match
418
 *
419
 * Requires: rcu_read_lock be held
420
 *
421
 * Returns: unrefcounted profile ptr, or NULL if not found
422
 */
423
static struct aa_profile *__strn_find_child(struct list_head *head,
424
					    const char *name, int len)
425
{
426
	return (struct aa_profile *)__policy_strn_find(head, name, len);
427
}
428

429
/**
430
 * __find_child - find a profile on @head list with a name matching @name
431
 * @head: list to search  (NOT NULL)
432
 * @name: name of profile (NOT NULL)
433
 *
434
 * Requires: rcu_read_lock be held
435
 *
436
 * Returns: unrefcounted profile ptr, or NULL if not found
437
 */
438
static struct aa_profile *__find_child(struct list_head *head, const char *name)
439
{
440
	return __strn_find_child(head, name, strlen(name));
441
}
442

443
/**
444
 * aa_find_child - find a profile by @name in @parent
445
 * @parent: profile to search  (NOT NULL)
446
 * @name: profile name to search for  (NOT NULL)
447
 *
448
 * Returns: a refcounted profile or NULL if not found
449
 */
450
struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)
451
{
452
	struct aa_profile *profile;
453

454
	rcu_read_lock();
455
	do {
456
		profile = __find_child(&parent->base.profiles, name);
457
	} while (profile && !aa_get_profile_not0(profile));
458
	rcu_read_unlock();
459

460
	/* refcount released by caller */
461
	return profile;
462
}
463

464
/**
465
 * __lookup_parent - lookup the parent of a profile of name @hname
466
 * @ns: namespace to lookup profile in  (NOT NULL)
467
 * @hname: hierarchical profile name to find parent of  (NOT NULL)
468
 *
469
 * Lookups up the parent of a fully qualified profile name, the profile
470
 * that matches hname does not need to exist, in general this
471
 * is used to load a new profile.
472
 *
473
 * Requires: rcu_read_lock be held
474
 *
475
 * Returns: unrefcounted policy or NULL if not found
476
 */
477
static struct aa_policy *__lookup_parent(struct aa_ns *ns,
478
					 const char *hname)
479
{
480
	struct aa_policy *policy;
481
	struct aa_profile *profile = NULL;
482
	char *split;
483

484
	policy = &ns->base;
485

486
	for (split = strstr(hname, "//"); split;) {
487
		profile = __strn_find_child(&policy->profiles, hname,
488
					    split - hname);
489
		if (!profile)
490
			return NULL;
491
		policy = &profile->base;
492
		hname = split + 2;
493
		split = strstr(hname, "//");
494
	}
495
	if (!profile)
496
		return &ns->base;
497
	return &profile->base;
498
}
499

500
/**
501
 * __create_missing_ancestors - create place holders for missing ancestors
502
 * @ns: namespace to lookup profile in (NOT NULL)
503
 * @hname: hierarchical profile name to find parent of (NOT NULL)
504
 * @gfp: type of allocation.
505
 *
506
 * Requires: ns mutex lock held
507
 *
508
 * Return: unrefcounted parent policy on success or %NULL if error creating
509
 *          place holder profiles.
510
 */
511
static struct aa_policy *__create_missing_ancestors(struct aa_ns *ns,
512
						    const char *hname,
513
						    gfp_t gfp)
514
{
515
	struct aa_policy *policy;
516
	struct aa_profile *parent, *profile = NULL;
517
	char *split;
518

519
	AA_BUG(!ns);
520
	AA_BUG(!hname);
521

522
	policy = &ns->base;
523

524
	for (split = strstr(hname, "//"); split;) {
525
		parent = profile;
526
		profile = __strn_find_child(&policy->profiles, hname,
527
					    split - hname);
528
		if (!profile) {
529
			const char *name = kstrndup(hname, split - hname,
530
						    gfp);
531
			if (!name)
532
				return NULL;
533
			profile = aa_alloc_null(parent, name, gfp);
534
			kfree(name);
535
			if (!profile)
536
				return NULL;
537
			if (!parent)
538
				profile->ns = aa_get_ns(ns);
539
		}
540
		policy = &profile->base;
541
		hname = split + 2;
542
		split = strstr(hname, "//");
543
	}
544
	if (!profile)
545
		return &ns->base;
546
	return &profile->base;
547
}
548

549
/**
550
 * __lookupn_profile - lookup the profile matching @hname
551
 * @base: base list to start looking up profile name from  (NOT NULL)
552
 * @hname: hierarchical profile name  (NOT NULL)
553
 * @n: length of @hname
554
 *
555
 * Requires: rcu_read_lock be held
556
 *
557
 * Returns: unrefcounted profile pointer or NULL if not found
558
 *
559
 * Do a relative name lookup, recursing through profile tree.
560
 */
561
static struct aa_profile *__lookupn_profile(struct aa_policy *base,
562
					    const char *hname, size_t n)
563
{
564
	struct aa_profile *profile = NULL;
565
	const char *split;
566

567
	for (split = strnstr(hname, "//", n); split;
568
	     split = strnstr(hname, "//", n)) {
569
		profile = __strn_find_child(&base->profiles, hname,
570
					    split - hname);
571
		if (!profile)
572
			return NULL;
573

574
		base = &profile->base;
575
		n -= split + 2 - hname;
576
		hname = split + 2;
577
	}
578

579
	if (n)
580
		return __strn_find_child(&base->profiles, hname, n);
581
	return NULL;
582
}
583

584
static struct aa_profile *__lookup_profile(struct aa_policy *base,
585
					   const char *hname)
586
{
587
	return __lookupn_profile(base, hname, strlen(hname));
588
}
589

590
/**
591
 * aa_lookupn_profile - find a profile by its full or partial name
592
 * @ns: the namespace to start from (NOT NULL)
593
 * @hname: name to do lookup on.  Does not contain namespace prefix (NOT NULL)
594
 * @n: size of @hname
595
 *
596
 * Returns: refcounted profile or NULL if not found
597
 */
598
struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname,
599
				      size_t n)
600
{
601
	struct aa_profile *profile;
602

603
	rcu_read_lock();
604
	do {
605
		profile = __lookupn_profile(&ns->base, hname, n);
606
	} while (profile && !aa_get_profile_not0(profile));
607
	rcu_read_unlock();
608

609
	/* the unconfined profile is not in the regular profile list */
610
	if (!profile && strncmp(hname, "unconfined", n) == 0)
611
		profile = aa_get_newest_profile(ns->unconfined);
612

613
	/* refcount released by caller */
614
	return profile;
615
}
616

617
struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
618
					const char *fqname, size_t n)
619
{
620
	struct aa_profile *profile;
621
	struct aa_ns *ns;
622
	const char *name, *ns_name;
623
	size_t ns_len;
624

625
	name = aa_splitn_fqname(fqname, n, &ns_name, &ns_len);
626
	if (ns_name) {
627
		ns = aa_lookupn_ns(labels_ns(base), ns_name, ns_len);
628
		if (!ns)
629
			return NULL;
630
	} else
631
		ns = aa_get_ns(labels_ns(base));
632

633
	if (name)
634
		profile = aa_lookupn_profile(ns, name, n - (name - fqname));
635
	else if (ns)
636
		/* default profile for ns, currently unconfined */
637
		profile = aa_get_newest_profile(ns->unconfined);
638
	else
639
		profile = NULL;
640
	aa_put_ns(ns);
641

642
	return profile;
643
}
644

645

646
struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
647
				 gfp_t gfp)
648
{
649
	struct aa_profile *profile;
650
	struct aa_ruleset *rules;
651

652
	profile = aa_alloc_profile(name, NULL, gfp);
653
	if (!profile)
654
		return NULL;
655

656
	/* TODO: ideally we should inherit abi from parent */
657
	profile->label.flags |= FLAG_NULL;
658
	profile->attach.xmatch = aa_get_pdb(nullpdb);
659
	rules = profile->label.rules[0];
660
	rules->file = aa_get_pdb(nullpdb);
661
	rules->policy = aa_get_pdb(nullpdb);
662
	aa_compute_profile_mediates(profile);
663

664
	if (parent) {
665
		profile->path_flags = parent->path_flags;
666
		/* override/inherit what is mediated from parent */
667
		profile->label.mediates = parent->label.mediates;
668
		/* released on free_profile */
669
		rcu_assign_pointer(profile->parent, aa_get_profile(parent));
670
		profile->ns = aa_get_ns(parent->ns);
671
	}
672

673
	return profile;
674
}
675

676
/**
677
 * aa_new_learning_profile - create or find a null-X learning profile
678
 * @parent: profile that caused this profile to be created (NOT NULL)
679
 * @hat: true if the null- learning profile is a hat
680
 * @base: name to base the null profile off of
681
 * @gfp: type of allocation
682
 *
683
 * Find/Create a null- complain mode profile used in learning mode.  The
684
 * name of the profile is unique and follows the format of parent//null-XXX.
685
 * where XXX is based on the @name or if that fails or is not supplied
686
 * a unique number
687
 *
688
 * null profiles are added to the profile list but the list does not
689
 * hold a count on them so that they are automatically released when
690
 * not in use.
691
 *
692
 * Returns: new refcounted profile else NULL on failure
693
 */
694
struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat,
695
					   const char *base, gfp_t gfp)
696
{
697
	struct aa_profile *p, *profile;
698
	const char *bname;
699
	char *name = NULL;
700

701
	AA_BUG(!parent);
702

703
	if (base) {
704
		name = kmalloc(strlen(parent->base.hname) + 8 + strlen(base),
705
			       gfp);
706
		if (name) {
707
			sprintf(name, "%s//null-%s", parent->base.hname, base);
708
			goto name;
709
		}
710
		/* fall through to try shorter uniq */
711
	}
712

713
	name = kmalloc(strlen(parent->base.hname) + 2 + 7 + 8, gfp);
714
	if (!name)
715
		return NULL;
716
	sprintf(name, "%s//null-%x", parent->base.hname,
717
		atomic_inc_return(&parent->ns->uniq_null));
718

719
name:
720
	/* lookup to see if this is a dup creation */
721
	bname = basename(name);
722
	profile = aa_find_child(parent, bname);
723
	if (profile)
724
		goto out;
725

726
	profile = aa_alloc_null(parent, name, gfp);
727
	if (!profile)
728
		goto fail;
729
	profile->mode = APPARMOR_COMPLAIN;
730
	if (hat)
731
		profile->label.flags |= FLAG_HAT;
732

733
	mutex_lock_nested(&profile->ns->lock, profile->ns->level);
734
	p = __find_child(&parent->base.profiles, bname);
735
	if (p) {
736
		aa_free_profile(profile);
737
		profile = aa_get_profile(p);
738
	} else {
739
		__add_profile(&parent->base.profiles, profile);
740
	}
741
	mutex_unlock(&profile->ns->lock);
742

743
	/* refcount released by caller */
744
out:
745
	kfree(name);
746

747
	return profile;
748

749
fail:
750
	kfree(name);
751
	aa_free_profile(profile);
752
	return NULL;
753
}
754

755
/**
756
 * replacement_allowed - test to see if replacement is allowed
757
 * @profile: profile to test if it can be replaced  (MAYBE NULL)
758
 * @noreplace: true if replacement shouldn't be allowed but addition is okay
759
 * @info: Returns - info about why replacement failed (NOT NULL)
760
 *
761
 * Returns: %0 if replacement allowed else error code
762
 */
763
static int replacement_allowed(struct aa_profile *profile, int noreplace,
764
			       const char **info)
765
{
766
	if (profile) {
767
		if (profile->label.flags & FLAG_IMMUTIBLE) {
768
			*info = "cannot replace immutable profile";
769
			return -EPERM;
770
		} else if (noreplace) {
771
			*info = "profile already exists";
772
			return -EEXIST;
773
		}
774
	}
775
	return 0;
776
}
777

778
/* audit callback for net specific fields */
779
static void audit_cb(struct audit_buffer *ab, void *va)
780
{
781
	struct common_audit_data *sa = va;
782
	struct apparmor_audit_data *ad = aad(sa);
783

784
	if (ad->iface.ns) {
785
		audit_log_format(ab, " ns=");
786
		audit_log_untrustedstring(ab, ad->iface.ns);
787
	}
788
}
789

790
/**
791
 * audit_policy - Do auditing of policy changes
792
 * @subj_label: label to check if it can manage policy
793
 * @op: policy operation being performed
794
 * @ns_name: name of namespace being manipulated
795
 * @name: name of profile being manipulated (NOT NULL)
796
 * @info: any extra information to be audited (MAYBE NULL)
797
 * @error: error code
798
 *
799
 * Returns: the error to be returned after audit is done
800
 */
801
static int audit_policy(struct aa_label *subj_label, const char *op,
802
			const char *ns_name, const char *name,
803
			const char *info, int error)
804
{
805
	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, op);
806

807
	ad.iface.ns = ns_name;
808
	ad.name = name;
809
	ad.info = info;
810
	ad.error = error;
811
	ad.subj_label = subj_label;
812

813
	aa_audit_msg(AUDIT_APPARMOR_STATUS, &ad, audit_cb);
814

815
	return error;
816
}
817

818
/* don't call out to other LSMs in the stack for apparmor policy admin
819
 * permissions
820
 */
821
static int policy_ns_capable(const struct cred *subj_cred,
822
			     struct aa_label *label,
823
			     struct user_namespace *userns, int cap)
824
{
825
	int err;
826

827
	/* check for MAC_ADMIN cap in cred */
828
	err = cap_capable(subj_cred, userns, cap, CAP_OPT_NONE);
829
	if (!err)
830
		err = aa_capable(subj_cred, label, cap, CAP_OPT_NONE);
831

832
	return err;
833
}
834

835
/**
836
 * aa_policy_view_capable - check if viewing policy in at @ns is allowed
837
 * @subj_cred: cred of subject
838
 * @label: label that is trying to view policy in ns
839
 * @ns: namespace being viewed by @label (may be NULL if @label's ns)
840
 *
841
 * Returns: true if viewing policy is allowed
842
 *
843
 * If @ns is NULL then the namespace being viewed is assumed to be the
844
 * tasks current namespace.
845
 */
846
bool aa_policy_view_capable(const struct cred *subj_cred,
847
			     struct aa_label *label, struct aa_ns *ns)
848
{
849
	struct user_namespace *user_ns = subj_cred->user_ns;
850
	struct aa_ns *view_ns = labels_view(label);
851
	bool root_in_user_ns = uid_eq(current_euid(), make_kuid(user_ns, 0)) ||
852
			       in_egroup_p(make_kgid(user_ns, 0));
853
	bool response = false;
854
	if (!ns)
855
		ns = view_ns;
856

857
	if (root_in_user_ns && aa_ns_visible(view_ns, ns, true) &&
858
	    (user_ns == &init_user_ns ||
859
	     (unprivileged_userns_apparmor_policy != 0 &&
860
	      user_ns->level == view_ns->level)))
861
		response = true;
862

863
	return response;
864
}
865

866
bool aa_policy_admin_capable(const struct cred *subj_cred,
867
			     struct aa_label *label, struct aa_ns *ns)
868
{
869
	struct user_namespace *user_ns = subj_cred->user_ns;
870
	bool capable = policy_ns_capable(subj_cred, label, user_ns,
871
					 CAP_MAC_ADMIN) == 0;
872

873
	AA_DEBUG(DEBUG_POLICY, "cap_mac_admin? %d\n", capable);
874
	AA_DEBUG(DEBUG_POLICY, "policy locked? %d\n", aa_g_lock_policy);
875

876
	return aa_policy_view_capable(subj_cred, label, ns) && capable &&
877
		!aa_g_lock_policy;
878
}
879

880
bool aa_current_policy_view_capable(struct aa_ns *ns)
881
{
882
	struct aa_label *label;
883
	bool needput, res;
884

885
	label = __begin_current_label_crit_section(&needput);
886
	res = aa_policy_view_capable(current_cred(), label, ns);
887
	__end_current_label_crit_section(label, needput);
888

889
	return res;
890
}
891

892
bool aa_current_policy_admin_capable(struct aa_ns *ns)
893
{
894
	struct aa_label *label;
895
	bool needput, res;
896

897
	label = __begin_current_label_crit_section(&needput);
898
	res = aa_policy_admin_capable(current_cred(), label, ns);
899
	__end_current_label_crit_section(label, needput);
900

901
	return res;
902
}
903

904
/**
905
 * aa_may_manage_policy - can the current task manage policy
906
 * @subj_cred: subjects cred
907
 * @label: label to check if it can manage policy
908
 * @ns: namespace being managed by @label (may be NULL if @label's ns)
909
 * @mask: contains the policy manipulation operation being done
910
 *
911
 * Returns: 0 if the task is allowed to manipulate policy else error
912
 */
913
int aa_may_manage_policy(const struct cred *subj_cred, struct aa_label *label,
914
			 struct aa_ns *ns, u32 mask)
915
{
916
	const char *op;
917

918
	if (mask & AA_MAY_REMOVE_POLICY)
919
		op = OP_PROF_RM;
920
	else if (mask & AA_MAY_REPLACE_POLICY)
921
		op = OP_PROF_REPL;
922
	else
923
		op = OP_PROF_LOAD;
924

925
	/* check if loading policy is locked out */
926
	if (aa_g_lock_policy)
927
		return audit_policy(label, op, NULL, NULL, "policy_locked",
928
				    -EACCES);
929

930
	if (!aa_policy_admin_capable(subj_cred, label, ns))
931
		return audit_policy(label, op, NULL, NULL, "not policy admin",
932
				    -EACCES);
933

934
	/* TODO: add fine grained mediation of policy loads */
935
	return 0;
936
}
937

938
static struct aa_profile *__list_lookup_parent(struct list_head *lh,
939
					       struct aa_profile *profile)
940
{
941
	const char *base = basename(profile->base.hname);
942
	long len = base - profile->base.hname;
943
	struct aa_load_ent *ent;
944

945
	/* parent won't have trailing // so remove from len */
946
	if (len <= 2)
947
		return NULL;
948
	len -= 2;
949

950
	list_for_each_entry(ent, lh, list) {
951
		if (ent->new == profile)
952
			continue;
953
		if (strncmp(ent->new->base.hname, profile->base.hname, len) ==
954
		    0 && ent->new->base.hname[len] == 0)
955
			return ent->new;
956
	}
957

958
	return NULL;
959
}
960

961
/**
962
 * __replace_profile - replace @old with @new on a list
963
 * @old: profile to be replaced  (NOT NULL)
964
 * @new: profile to replace @old with  (NOT NULL)
965
 *
966
 * Will duplicate and refcount elements that @new inherits from @old
967
 * and will inherit @old children.
968
 *
969
 * refcount @new for list, put @old list refcount
970
 *
971
 * Requires: namespace list lock be held, or list not be shared
972
 */
973
static void __replace_profile(struct aa_profile *old, struct aa_profile *new)
974
{
975
	struct aa_profile *child, *tmp;
976

977
	if (!list_empty(&old->base.profiles)) {
978
		LIST_HEAD(lh);
979
		list_splice_init_rcu(&old->base.profiles, &lh, synchronize_rcu);
980

981
		list_for_each_entry_safe(child, tmp, &lh, base.list) {
982
			struct aa_profile *p;
983

984
			list_del_init(&child->base.list);
985
			p = __find_child(&new->base.profiles, child->base.name);
986
			if (p) {
987
				/* @p replaces @child  */
988
				__replace_profile(child, p);
989
				continue;
990
			}
991

992
			/* inherit @child and its children */
993
			/* TODO: update hname of inherited children */
994
			/* list refcount transferred to @new */
995
			p = aa_deref_parent(child);
996
			rcu_assign_pointer(child->parent, aa_get_profile(new));
997
			list_add_rcu(&child->base.list, &new->base.profiles);
998
			aa_put_profile(p);
999
		}
1000
	}
1001

1002
	if (!rcu_access_pointer(new->parent)) {
1003
		struct aa_profile *parent = aa_deref_parent(old);
1004
		rcu_assign_pointer(new->parent, aa_get_profile(parent));
1005
	}
1006
	aa_label_replace(&old->label, &new->label);
1007
	/* migrate dents must come after label replacement b/c update */
1008
	__aafs_profile_migrate_dents(old, new);
1009

1010
	if (list_empty(&new->base.list)) {
1011
		/* new is not on a list already */
1012
		list_replace_rcu(&old->base.list, &new->base.list);
1013
		aa_get_profile(new);
1014
		aa_put_profile(old);
1015
	} else
1016
		__list_remove_profile(old);
1017
}
1018

1019
/**
1020
 * __lookup_replace - lookup replacement information for a profile
1021
 * @ns: namespace the lookup occurs in
1022
 * @hname: name of profile to lookup
1023
 * @noreplace: true if not replacing an existing profile
1024
 * @p: Returns - profile to be replaced
1025
 * @info: Returns - info string on why lookup failed
1026
 *
1027
 * Returns: profile to replace (no ref) on success else ptr error
1028
 */
1029
static int __lookup_replace(struct aa_ns *ns, const char *hname,
1030
			    bool noreplace, struct aa_profile **p,
1031
			    const char **info)
1032
{
1033
	*p = aa_get_profile(__lookup_profile(&ns->base, hname));
1034
	if (*p) {
1035
		int error = replacement_allowed(*p, noreplace, info);
1036
		if (error) {
1037
			*info = "profile can not be replaced";
1038
			return error;
1039
		}
1040
	}
1041

1042
	return 0;
1043
}
1044

1045
static void share_name(struct aa_profile *old, struct aa_profile *new)
1046
{
1047
	aa_put_str(new->base.hname);
1048
	aa_get_str(old->base.hname);
1049
	new->base.hname = old->base.hname;
1050
	new->base.name = old->base.name;
1051
	new->label.hname = old->label.hname;
1052
}
1053

1054
/* Update to newest version of parent after previous replacements
1055
 * Returns: unrefcount newest version of parent
1056
 */
1057
static struct aa_profile *update_to_newest_parent(struct aa_profile *new)
1058
{
1059
	struct aa_profile *parent, *newest;
1060

1061
	parent = rcu_dereference_protected(new->parent,
1062
					   mutex_is_locked(&new->ns->lock));
1063
	newest = aa_get_newest_profile(parent);
1064

1065
	/* parent replaced in this atomic set? */
1066
	if (newest != parent) {
1067
		aa_put_profile(parent);
1068
		rcu_assign_pointer(new->parent, newest);
1069
	} else
1070
		aa_put_profile(newest);
1071

1072
	return newest;
1073
}
1074

1075
/**
1076
 * aa_replace_profiles - replace profile(s) on the profile list
1077
 * @policy_ns: namespace load is occurring on
1078
 * @label: label that is attempting to load/replace policy
1079
 * @mask: permission mask
1080
 * @udata: serialized data stream  (NOT NULL)
1081
 *
1082
 * unpack and replace a profile on the profile list and uses of that profile
1083
 * by any task creds via invalidating the old version of the profile, which
1084
 * tasks will notice to update their own cred.  If the profile does not exist
1085
 * on the profile list it is added.
1086
 *
1087
 * Returns: size of data consumed else error code on failure.
1088
 */
1089
ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label,
1090
			    u32 mask, struct aa_loaddata *udata)
1091
{
1092
	const char *ns_name = NULL, *info = NULL;
1093
	struct aa_ns *ns = NULL;
1094
	struct aa_load_ent *ent, *tmp;
1095
	struct aa_loaddata *rawdata_ent;
1096
	const char *op;
1097
	ssize_t count, error;
1098
	LIST_HEAD(lh);
1099

1100
	op = mask & AA_MAY_REPLACE_POLICY ? OP_PROF_REPL : OP_PROF_LOAD;
1101
	aa_get_loaddata(udata);
1102
	/* released below */
1103
	error = aa_unpack(udata, &lh, &ns_name);
1104
	if (error)
1105
		goto out;
1106

1107
	/* ensure that profiles are all for the same ns
1108
	 * TODO: update locking to remove this constraint. All profiles in
1109
	 *       the load set must succeed as a set or the load will
1110
	 *       fail. Sort ent list and take ns locks in hierarchy order
1111
	 */
1112
	count = 0;
1113
	list_for_each_entry(ent, &lh, list) {
1114
		if (ns_name) {
1115
			if (ent->ns_name &&
1116
			    strcmp(ent->ns_name, ns_name) != 0) {
1117
				info = "policy load has mixed namespaces";
1118
				error = -EACCES;
1119
				goto fail;
1120
			}
1121
		} else if (ent->ns_name) {
1122
			if (count) {
1123
				info = "policy load has mixed namespaces";
1124
				error = -EACCES;
1125
				goto fail;
1126
			}
1127
			ns_name = ent->ns_name;
1128
		} else
1129
			count++;
1130
	}
1131
	if (ns_name) {
1132
		ns = aa_prepare_ns(policy_ns ? policy_ns : labels_ns(label),
1133
				   ns_name);
1134
		if (IS_ERR(ns)) {
1135
			op = OP_PROF_LOAD;
1136
			info = "failed to prepare namespace";
1137
			error = PTR_ERR(ns);
1138
			ns = NULL;
1139
			ent = NULL;
1140
			goto fail;
1141
		}
1142
	} else
1143
		ns = aa_get_ns(policy_ns ? policy_ns : labels_ns(label));
1144

1145
	mutex_lock_nested(&ns->lock, ns->level);
1146
	/* check for duplicate rawdata blobs: space and file dedup */
1147
	if (!list_empty(&ns->rawdata_list)) {
1148
		list_for_each_entry(rawdata_ent, &ns->rawdata_list, list) {
1149
			if (aa_rawdata_eq(rawdata_ent, udata)) {
1150
				struct aa_loaddata *tmp;
1151

1152
				tmp = __aa_get_loaddata(rawdata_ent);
1153
				/* check we didn't fail the race */
1154
				if (tmp) {
1155
					aa_put_loaddata(udata);
1156
					udata = tmp;
1157
					break;
1158
				}
1159
			}
1160
		}
1161
	}
1162
	/* setup parent and ns info */
1163
	list_for_each_entry(ent, &lh, list) {
1164
		struct aa_policy *policy;
1165
		struct aa_profile *p;
1166

1167
		if (aa_g_export_binary)
1168
			ent->new->rawdata = aa_get_loaddata(udata);
1169
		error = __lookup_replace(ns, ent->new->base.hname,
1170
					 !(mask & AA_MAY_REPLACE_POLICY),
1171
					 &ent->old, &info);
1172
		if (error)
1173
			goto fail_lock;
1174

1175
		if (ent->new->rename) {
1176
			error = __lookup_replace(ns, ent->new->rename,
1177
						!(mask & AA_MAY_REPLACE_POLICY),
1178
						&ent->rename, &info);
1179
			if (error)
1180
				goto fail_lock;
1181
		}
1182

1183
		/* released when @new is freed */
1184
		ent->new->ns = aa_get_ns(ns);
1185

1186
		if (ent->old || ent->rename)
1187
			continue;
1188

1189
		/* no ref on policy only use inside lock */
1190
		p = NULL;
1191
		policy = __lookup_parent(ns, ent->new->base.hname);
1192
		if (!policy) {
1193
			/* first check for parent in the load set */
1194
			p = __list_lookup_parent(&lh, ent->new);
1195
			if (!p) {
1196
				/*
1197
				 * fill in missing parent with null
1198
				 * profile that doesn't have
1199
				 * permissions. This allows for
1200
				 * individual profile loading where
1201
				 * the child is loaded before the
1202
				 * parent, and outside of the current
1203
				 * atomic set. This unfortunately can
1204
				 * happen with some userspaces.  The
1205
				 * null profile will be replaced once
1206
				 * the parent is loaded.
1207
				 */
1208
				policy = __create_missing_ancestors(ns,
1209
							ent->new->base.hname,
1210
							GFP_KERNEL);
1211
				if (!policy) {
1212
					error = -ENOENT;
1213
					info = "parent does not exist";
1214
					goto fail_lock;
1215
				}
1216
			}
1217
		}
1218
		if (!p && policy != &ns->base)
1219
			/* released on profile replacement or free_profile */
1220
			p = (struct aa_profile *) policy;
1221
		rcu_assign_pointer(ent->new->parent, aa_get_profile(p));
1222
	}
1223

1224
	/* create new fs entries for introspection if needed */
1225
	if (!udata->dents[AAFS_LOADDATA_DIR] && aa_g_export_binary) {
1226
		error = __aa_fs_create_rawdata(ns, udata);
1227
		if (error) {
1228
			info = "failed to create raw_data dir and files";
1229
			ent = NULL;
1230
			goto fail_lock;
1231
		}
1232
	}
1233
	list_for_each_entry(ent, &lh, list) {
1234
		if (!ent->old) {
1235
			struct dentry *parent;
1236
			if (rcu_access_pointer(ent->new->parent)) {
1237
				struct aa_profile *p;
1238
				p = aa_deref_parent(ent->new);
1239
				parent = prof_child_dir(p);
1240
			} else
1241
				parent = ns_subprofs_dir(ent->new->ns);
1242
			error = __aafs_profile_mkdir(ent->new, parent);
1243
		}
1244

1245
		if (error) {
1246
			info = "failed to create";
1247
			goto fail_lock;
1248
		}
1249
	}
1250

1251
	/* Done with checks that may fail - do actual replacement */
1252
	__aa_bump_ns_revision(ns);
1253
	if (aa_g_export_binary)
1254
		__aa_loaddata_update(udata, ns->revision);
1255
	list_for_each_entry_safe(ent, tmp, &lh, list) {
1256
		list_del_init(&ent->list);
1257
		op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL;
1258

1259
		if (ent->old && ent->old->rawdata == ent->new->rawdata &&
1260
		    ent->new->rawdata) {
1261
			/* dedup actual profile replacement */
1262
			audit_policy(label, op, ns_name, ent->new->base.hname,
1263
				     "same as current profile, skipping",
1264
				     error);
1265
			/* break refcount cycle with proxy. */
1266
			aa_put_proxy(ent->new->label.proxy);
1267
			ent->new->label.proxy = NULL;
1268
			goto skip;
1269
		}
1270

1271
		/*
1272
		 * TODO: finer dedup based on profile range in data. Load set
1273
		 * can differ but profile may remain unchanged
1274
		 */
1275
		audit_policy(label, op, ns_name, ent->new->base.hname, NULL,
1276
			     error);
1277

1278
		if (ent->old) {
1279
			share_name(ent->old, ent->new);
1280
			__replace_profile(ent->old, ent->new);
1281
		} else {
1282
			struct list_head *lh;
1283

1284
			if (rcu_access_pointer(ent->new->parent)) {
1285
				struct aa_profile *parent;
1286

1287
				parent = update_to_newest_parent(ent->new);
1288
				lh = &parent->base.profiles;
1289
			} else
1290
				lh = &ns->base.profiles;
1291
			__add_profile(lh, ent->new);
1292
		}
1293
	skip:
1294
		aa_load_ent_free(ent);
1295
	}
1296
	__aa_labelset_update_subtree(ns);
1297
	mutex_unlock(&ns->lock);
1298

1299
out:
1300
	aa_put_ns(ns);
1301
	aa_put_loaddata(udata);
1302
	kfree(ns_name);
1303

1304
	if (error)
1305
		return error;
1306
	return udata->size;
1307

1308
fail_lock:
1309
	mutex_unlock(&ns->lock);
1310

1311
	/* audit cause of failure */
1312
	op = (ent && !ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
1313
fail:
1314
	  audit_policy(label, op, ns_name, ent ? ent->new->base.hname : NULL,
1315
		       info, error);
1316
	/* audit status that rest of profiles in the atomic set failed too */
1317
	info = "valid profile in failed atomic policy load";
1318
	list_for_each_entry(tmp, &lh, list) {
1319
		if (tmp == ent) {
1320
			info = "unchecked profile in failed atomic policy load";
1321
			/* skip entry that caused failure */
1322
			continue;
1323
		}
1324
		op = (!tmp->old) ? OP_PROF_LOAD : OP_PROF_REPL;
1325
		audit_policy(label, op, ns_name, tmp->new->base.hname, info,
1326
			     error);
1327
	}
1328
	list_for_each_entry_safe(ent, tmp, &lh, list) {
1329
		list_del_init(&ent->list);
1330
		aa_load_ent_free(ent);
1331
	}
1332

1333
	goto out;
1334
}
1335

1336
/**
1337
 * aa_remove_profiles - remove profile(s) from the system
1338
 * @policy_ns: namespace the remove is being done from
1339
 * @subj: label attempting to remove policy
1340
 * @fqname: name of the profile or namespace to remove  (NOT NULL)
1341
 * @size: size of the name
1342
 *
1343
 * Remove a profile or sub namespace from the current namespace, so that
1344
 * they can not be found anymore and mark them as replaced by unconfined
1345
 *
1346
 * NOTE: removing confinement does not restore rlimits to preconfinement values
1347
 *
1348
 * Returns: size of data consume else error code if fails
1349
 */
1350
ssize_t aa_remove_profiles(struct aa_ns *policy_ns, struct aa_label *subj,
1351
			   char *fqname, size_t size)
1352
{
1353
	struct aa_ns *ns = NULL;
1354
	struct aa_profile *profile = NULL;
1355
	const char *name = fqname, *info = NULL;
1356
	const char *ns_name = NULL;
1357
	ssize_t error = 0;
1358

1359
	if (*fqname == 0) {
1360
		info = "no profile specified";
1361
		error = -ENOENT;
1362
		goto fail;
1363
	}
1364

1365
	if (fqname[0] == ':') {
1366
		size_t ns_len;
1367

1368
		name = aa_splitn_fqname(fqname, size, &ns_name, &ns_len);
1369
		/* released below */
1370
		ns = aa_lookupn_ns(policy_ns ? policy_ns : labels_ns(subj),
1371
				   ns_name, ns_len);
1372
		if (!ns) {
1373
			info = "namespace does not exist";
1374
			error = -ENOENT;
1375
			goto fail;
1376
		}
1377
	} else
1378
		/* released below */
1379
		ns = aa_get_ns(policy_ns ? policy_ns : labels_ns(subj));
1380

1381
	if (!name) {
1382
		/* remove namespace - can only happen if fqname[0] == ':' */
1383
		mutex_lock_nested(&ns->parent->lock, ns->parent->level);
1384
		__aa_bump_ns_revision(ns);
1385
		__aa_remove_ns(ns);
1386
		mutex_unlock(&ns->parent->lock);
1387
	} else {
1388
		/* remove profile */
1389
		mutex_lock_nested(&ns->lock, ns->level);
1390
		profile = aa_get_profile(__lookup_profile(&ns->base, name));
1391
		if (!profile) {
1392
			error = -ENOENT;
1393
			info = "profile does not exist";
1394
			goto fail_ns_lock;
1395
		}
1396
		name = profile->base.hname;
1397
		__aa_bump_ns_revision(ns);
1398
		__remove_profile(profile);
1399
		__aa_labelset_update_subtree(ns);
1400
		mutex_unlock(&ns->lock);
1401
	}
1402

1403
	/* don't fail removal if audit fails */
1404
	(void) audit_policy(subj, OP_PROF_RM, ns_name, name, info,
1405
			    error);
1406
	aa_put_ns(ns);
1407
	aa_put_profile(profile);
1408
	return size;
1409

1410
fail_ns_lock:
1411
	mutex_unlock(&ns->lock);
1412
	aa_put_ns(ns);
1413

1414
fail:
1415
	(void) audit_policy(subj, OP_PROF_RM, ns_name, name, info,
1416
			    error);
1417
	return error;
1418
}
1419

1420