Loading security/apparmor/apparmorfs.c +18 −18 Original line number Diff line number Diff line Loading @@ -228,12 +228,12 @@ const struct file_operations aa_fs_seq_file_ops = { static int aa_fs_seq_profile_open(struct inode *inode, struct file *file, int (*show)(struct seq_file *, void *)) { struct aa_replacedby *r = aa_get_replacedby(inode->i_private); int error = single_open(file, show, r); struct aa_proxy *proxy = aa_get_proxy(inode->i_private); int error = single_open(file, show, proxy); if (error) { file->private_data = NULL; aa_put_replacedby(r); aa_put_proxy(proxy); } return error; Loading @@ -243,14 +243,14 @@ static int aa_fs_seq_profile_release(struct inode *inode, struct file *file) { struct seq_file *seq = (struct seq_file *) file->private_data; if (seq) aa_put_replacedby(seq->private); aa_put_proxy(seq->private); return single_release(inode, file); } static int aa_fs_seq_profname_show(struct seq_file *seq, void *v) { struct aa_replacedby *r = seq->private; struct aa_profile *profile = aa_get_profile_rcu(&r->profile); struct aa_proxy *proxy = seq->private; struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile); seq_printf(seq, "%s\n", profile->base.name); aa_put_profile(profile); Loading @@ -272,8 +272,8 @@ static const struct file_operations aa_fs_profname_fops = { static int aa_fs_seq_profmode_show(struct seq_file *seq, void *v) { struct aa_replacedby *r = seq->private; struct aa_profile *profile = aa_get_profile_rcu(&r->profile); struct aa_proxy *proxy = seq->private; struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile); seq_printf(seq, "%s\n", aa_profile_mode_names[profile->mode]); aa_put_profile(profile); Loading 
@@ -295,8 +295,8 @@ static const struct file_operations aa_fs_profmode_fops = { static int aa_fs_seq_profattach_show(struct seq_file *seq, void *v) { struct aa_replacedby *r = seq->private; struct aa_profile *profile = aa_get_profile_rcu(&r->profile); struct aa_proxy *proxy = seq->private; struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile); if (profile->attach) seq_printf(seq, "%s\n", profile->attach); else if (profile->xmatch) Loading @@ -323,8 +323,8 @@ static const struct file_operations aa_fs_profattach_fops = { static int aa_fs_seq_hash_show(struct seq_file *seq, void *v) { struct aa_replacedby *r = seq->private; struct aa_profile *profile = aa_get_profile_rcu(&r->profile); struct aa_proxy *proxy = seq->private; struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile); unsigned int i, size = aa_hash_size(); if (profile->hash) { Loading Loading @@ -363,13 +363,13 @@ void __aa_fs_profile_rmdir(struct aa_profile *profile) __aa_fs_profile_rmdir(child); for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) { struct aa_replacedby *r; struct aa_proxy *proxy; if (!profile->dents[i]) continue; r = d_inode(profile->dents[i])->i_private; proxy = d_inode(profile->dents[i])->i_private; securityfs_remove(profile->dents[i]); aa_put_replacedby(r); aa_put_proxy(proxy); profile->dents[i] = NULL; } } Loading @@ -391,12 +391,12 @@ static struct dentry *create_profile_file(struct dentry *dir, const char *name, struct aa_profile *profile, const struct file_operations *fops) { struct aa_replacedby *r = aa_get_replacedby(profile->replacedby); struct aa_proxy *proxy = aa_get_proxy(profile->proxy); struct dentry *dent; dent = securityfs_create_file(name, S_IFREG | 0444, dir, r, fops); dent = securityfs_create_file(name, S_IFREG | 0444, dir, proxy, fops); if (IS_ERR(dent)) aa_put_replacedby(r); aa_put_proxy(proxy); return dent; } Loading security/apparmor/context.c +1 −1 Original line number Diff line number Diff line Loading 
@@ -112,7 +112,7 @@ int aa_replace_current_profile(struct aa_profile *profile) aa_clear_task_cxt_trans(cxt); /* be careful switching cxt->profile, when racing replacement it * is possible that cxt->profile->replacedby->profile is the reference * is possible that cxt->profile->proxy->profile is the reference * keeping @profile valid, so make sure to get its reference before * dropping the reference on cxt->profile */ aa_get_profile(profile); Loading security/apparmor/include/policy.h +10 −10 Original line number Diff line number Diff line Loading @@ -91,7 +91,7 @@ struct aa_policydb { }; struct aa_replacedby { struct aa_proxy { struct kref count; struct aa_profile __rcu *profile; }; Loading @@ -103,7 +103,7 @@ struct aa_replacedby { * @rcu: rcu head used when removing from @list * @parent: parent of profile * @ns: namespace the profile is in * @replacedby: is set to the profile that replaced this profile * @proxy: is set to the profile that replaced this profile * @rename: optional profile name that this profile renamed * @attach: human readable attachment string * @xmatch: optional extended matching for unconfined executables names Loading @@ -126,7 +126,7 @@ struct aa_replacedby { * used to determine profile attachment against unconfined tasks. All other * attachments are determined by profile X transition rules. * * The @replacedby struct is write protected by the profile lock. * The @proxy struct is write protected by the profile lock. * * Profiles have a hierarchy where hats and children profiles keep * a reference to their parent. Loading @@ -142,7 +142,7 @@ struct aa_profile { struct aa_profile __rcu *parent; struct aa_ns *ns; struct aa_replacedby *replacedby; struct aa_proxy *proxy; const char *rename; const char *attach; Loading 
@@ -166,12 +166,12 @@ struct aa_profile { extern enum profile_mode aa_g_profile_mode; void __aa_update_replacedby(struct aa_profile *orig, struct aa_profile *new); void __aa_update_proxy(struct aa_profile *orig, struct aa_profile *new); void aa_add_profile(struct aa_policy *common, struct aa_profile *profile); void aa_free_replacedby_kref(struct kref *kref); void aa_free_proxy_kref(struct kref *kref); struct aa_profile *aa_alloc_profile(const char *name); struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat); void aa_free_profile(struct aa_profile *profile); Loading Loading @@ -254,7 +254,7 @@ static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p) return NULL; if (profile_is_stale(p)) return aa_get_profile_rcu(&p->replacedby->profile); return aa_get_profile_rcu(&p->proxy->profile); return aa_get_profile(p); } Loading @@ -269,7 +269,7 @@ static inline void aa_put_profile(struct aa_profile *p) kref_put(&p->count, aa_free_profile_kref); } static inline struct aa_replacedby *aa_get_replacedby(struct aa_replacedby *p) static inline struct aa_proxy *aa_get_proxy(struct aa_proxy *p) { if (p) kref_get(&(p->count)); Loading @@ -277,10 +277,10 @@ static inline struct aa_replacedby *aa_get_replacedby(struct aa_replacedby *p) return p; } static inline void aa_put_replacedby(struct aa_replacedby *p) static inline void aa_put_proxy(struct aa_proxy *p) { if (p) kref_put(&p->count, aa_free_replacedby_kref); kref_put(&p->count, aa_free_proxy_kref); } static inline int AUDIT_MODE(struct aa_profile *profile) Loading security/apparmor/policy.c +35 −35 Original line number Diff line number Diff line Loading 
@@ -99,13 +99,13 @@ const char *const aa_profile_mode_names[] = { /* requires profile list write lock held */ void __aa_update_replacedby(struct aa_profile *orig, struct aa_profile *new) void __aa_update_proxy(struct aa_profile *orig, struct aa_profile *new) { struct aa_profile *tmp; tmp = rcu_dereference_protected(orig->replacedby->profile, tmp = rcu_dereference_protected(orig->proxy->profile, mutex_is_locked(&orig->ns->lock)); rcu_assign_pointer(orig->replacedby->profile, aa_get_profile(new)); rcu_assign_pointer(orig->proxy->profile, aa_get_profile(new)); orig->flags |= PFLAG_STALE; aa_put_profile(tmp); } Loading Loading @@ -156,7 +156,7 @@ static void __remove_profile(struct aa_profile *profile) /* release any children lists first */ __aa_profile_list_release(&profile->base.profiles); /* released by free_profile */ __aa_update_replacedby(profile, profile->ns->unconfined); __aa_update_proxy(profile, profile->ns->unconfined); __aa_fs_profile_rmdir(profile); __list_remove_profile(profile); } Loading @@ -175,21 +175,21 @@ void __aa_profile_list_release(struct list_head *head) } static void free_replacedby(struct aa_replacedby *r) static void free_proxy(struct aa_proxy *p) { if (r) { if (p) { /* r->profile will not be updated any more as r is dead */ aa_put_profile(rcu_dereference_protected(r->profile, true)); kzfree(r); aa_put_profile(rcu_dereference_protected(p->profile, true)); kzfree(p); } } void aa_free_replacedby_kref(struct kref *kref) void aa_free_proxy_kref(struct kref *kref) { struct aa_replacedby *r = container_of(kref, struct aa_replacedby, count); free_replacedby(r); struct aa_proxy *p = container_of(kref, struct aa_proxy, count); free_proxy(p); } /** Loading Loading @@ -223,7 +223,7 @@ void aa_free_profile(struct aa_profile *profile) kzfree(profile->dirname); aa_put_dfa(profile->xmatch); aa_put_dfa(profile->policy.dfa); aa_put_replacedby(profile->replacedby); aa_put_proxy(profile->proxy); kzfree(profile->hash); kzfree(profile); Loading Loading 
@@ -267,10 +267,10 @@ struct aa_profile *aa_alloc_profile(const char *hname) if (!profile) return NULL; profile->replacedby = kzalloc(sizeof(struct aa_replacedby), GFP_KERNEL); if (!profile->replacedby) profile->proxy = kzalloc(sizeof(struct aa_proxy), GFP_KERNEL); if (!profile->proxy) goto fail; kref_init(&profile->replacedby->count); kref_init(&profile->proxy->count); if (!aa_policy_init(&profile->base, NULL, hname)) goto fail; Loading @@ -280,7 +280,7 @@ struct aa_profile *aa_alloc_profile(const char *hname) return profile; fail: kzfree(profile->replacedby); kzfree(profile->proxy); kzfree(profile); return NULL; Loading Loading @@ -598,7 +598,7 @@ static struct aa_profile *__list_lookup_parent(struct list_head *lh, * __replace_profile - replace @old with @new on a list * @old: profile to be replaced (NOT NULL) * @new: profile to replace @old with (NOT NULL) * @share_replacedby: transfer @old->replacedby to @new * @share_proxy: transfer @old->proxy to @new * * Will duplicate and refcount elements that @new inherits from @old * and will inherit @old children. Loading @@ -608,7 +608,7 @@ static struct aa_profile *__list_lookup_parent(struct list_head *lh, * Requires: namespace list lock be held, or list not be shared */ static void __replace_profile(struct aa_profile *old, struct aa_profile *new, bool share_replacedby) bool share_proxy) { struct aa_profile *child, *tmp; Loading @@ -623,7 +623,7 @@ static void __replace_profile(struct aa_profile *old, struct aa_profile *new, p = __find_child(&new->base.profiles, child->base.name); if (p) { /* @p replaces @child */ __replace_profile(child, p, share_replacedby); __replace_profile(child, p, share_proxy); continue; } Loading 
@@ -641,13 +641,13 @@ static void __replace_profile(struct aa_profile *old, struct aa_profile *new, struct aa_profile *parent = aa_deref_parent(old); rcu_assign_pointer(new->parent, aa_get_profile(parent)); } __aa_update_replacedby(old, new); if (share_replacedby) { aa_put_replacedby(new->replacedby); new->replacedby = aa_get_replacedby(old->replacedby); } else if (!rcu_access_pointer(new->replacedby->profile)) /* aafs interface uses replacedby */ rcu_assign_pointer(new->replacedby->profile, __aa_update_proxy(old, new); if (share_proxy) { aa_put_proxy(new->proxy); new->proxy = aa_get_proxy(old->proxy); } else if (!rcu_access_pointer(new->proxy->profile)) /* aafs interface uses proxy */ rcu_assign_pointer(new->proxy->profile, aa_get_profile(new)); __aa_fs_profile_migrate_dents(old, new); Loading Loading @@ -797,15 +797,15 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace) if (ent->old) { __replace_profile(ent->old, ent->new, 1); if (ent->rename) { /* aafs interface uses replacedby */ struct aa_replacedby *r = ent->new->replacedby; /* aafs interface uses proxy */ struct aa_proxy *r = ent->new->proxy; rcu_assign_pointer(r->profile, aa_get_profile(ent->new)); __replace_profile(ent->rename, ent->new, 0); } } else if (ent->rename) { /* aafs interface uses replacedby */ rcu_assign_pointer(ent->new->replacedby->profile, /* aafs interface uses proxy */ rcu_assign_pointer(ent->new->proxy->profile, aa_get_profile(ent->new)); __replace_profile(ent->rename, ent->new, 0); } else if (ent->new->parent) { Loading 
@@ -819,14 +819,14 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace) rcu_assign_pointer(ent->new->parent, newest); aa_put_profile(parent); } /* aafs interface uses replacedby */ rcu_assign_pointer(ent->new->replacedby->profile, /* aafs interface uses proxy */ rcu_assign_pointer(ent->new->proxy->profile, aa_get_profile(ent->new)); __list_add_profile(&newest->base.profiles, ent->new); aa_put_profile(newest); } else { /* aafs interface uses replacedby */ rcu_assign_pointer(ent->new->replacedby->profile, /* aafs interface uses proxy */ rcu_assign_pointer(ent->new->proxy->profile, aa_get_profile(ent->new)); __list_add_profile(&ns->base.profiles, ent->new); } Loading security/apparmor/policy_ns.c +1 −1 Original line number Diff line number Diff line Loading @@ -225,7 +225,7 @@ static void destroy_ns(struct aa_ns *ns) __ns_list_release(&ns->sub_ns); if (ns->parent) __aa_update_replacedby(ns->unconfined, ns->parent->unconfined); __aa_update_proxy(ns->unconfined, ns->parent->unconfined); __aa_fs_ns_rmdir(ns); mutex_unlock(&ns->lock); } Loading Loading
security/apparmor/apparmorfs.c +18 −18 Original line number Diff line number Diff line Loading @@ -228,12 +228,12 @@ const struct file_operations aa_fs_seq_file_ops = { static int aa_fs_seq_profile_open(struct inode *inode, struct file *file, int (*show)(struct seq_file *, void *)) { struct aa_replacedby *r = aa_get_replacedby(inode->i_private); int error = single_open(file, show, r); struct aa_proxy *proxy = aa_get_proxy(inode->i_private); int error = single_open(file, show, proxy); if (error) { file->private_data = NULL; aa_put_replacedby(r); aa_put_proxy(proxy); } return error; Loading @@ -243,14 +243,14 @@ static int aa_fs_seq_profile_release(struct inode *inode, struct file *file) { struct seq_file *seq = (struct seq_file *) file->private_data; if (seq) aa_put_replacedby(seq->private); aa_put_proxy(seq->private); return single_release(inode, file); } static int aa_fs_seq_profname_show(struct seq_file *seq, void *v) { struct aa_replacedby *r = seq->private; struct aa_profile *profile = aa_get_profile_rcu(&r->profile); struct aa_proxy *proxy = seq->private; struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile); seq_printf(seq, "%s\n", profile->base.name); aa_put_profile(profile); Loading @@ -272,8 +272,8 @@ static const struct file_operations aa_fs_profname_fops = { static int aa_fs_seq_profmode_show(struct seq_file *seq, void *v) { struct aa_replacedby *r = seq->private; struct aa_profile *profile = aa_get_profile_rcu(&r->profile); struct aa_proxy *proxy = seq->private; struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile); seq_printf(seq, "%s\n", aa_profile_mode_names[profile->mode]); aa_put_profile(profile); Loading 
@@ -295,8 +295,8 @@ static const struct file_operations aa_fs_profmode_fops = { static int aa_fs_seq_profattach_show(struct seq_file *seq, void *v) { struct aa_replacedby *r = seq->private; struct aa_profile *profile = aa_get_profile_rcu(&r->profile); struct aa_proxy *proxy = seq->private; struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile); if (profile->attach) seq_printf(seq, "%s\n", profile->attach); else if (profile->xmatch) Loading @@ -323,8 +323,8 @@ static const struct file_operations aa_fs_profattach_fops = { static int aa_fs_seq_hash_show(struct seq_file *seq, void *v) { struct aa_replacedby *r = seq->private; struct aa_profile *profile = aa_get_profile_rcu(&r->profile); struct aa_proxy *proxy = seq->private; struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile); unsigned int i, size = aa_hash_size(); if (profile->hash) { Loading Loading @@ -363,13 +363,13 @@ void __aa_fs_profile_rmdir(struct aa_profile *profile) __aa_fs_profile_rmdir(child); for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) { struct aa_replacedby *r; struct aa_proxy *proxy; if (!profile->dents[i]) continue; r = d_inode(profile->dents[i])->i_private; proxy = d_inode(profile->dents[i])->i_private; securityfs_remove(profile->dents[i]); aa_put_replacedby(r); aa_put_proxy(proxy); profile->dents[i] = NULL; } } Loading @@ -391,12 +391,12 @@ static struct dentry *create_profile_file(struct dentry *dir, const char *name, struct aa_profile *profile, const struct file_operations *fops) { struct aa_replacedby *r = aa_get_replacedby(profile->replacedby); struct aa_proxy *proxy = aa_get_proxy(profile->proxy); struct dentry *dent; dent = securityfs_create_file(name, S_IFREG | 0444, dir, r, fops); dent = securityfs_create_file(name, S_IFREG | 0444, dir, proxy, fops); if (IS_ERR(dent)) aa_put_replacedby(r); aa_put_proxy(proxy); return dent; } Loading
security/apparmor/context.c +1 −1 Original line number Diff line number Diff line Loading @@ -112,7 +112,7 @@ int aa_replace_current_profile(struct aa_profile *profile) aa_clear_task_cxt_trans(cxt); /* be careful switching cxt->profile, when racing replacement it * is possible that cxt->profile->replacedby->profile is the reference * is possible that cxt->profile->proxy->profile is the reference * keeping @profile valid, so make sure to get its reference before * dropping the reference on cxt->profile */ aa_get_profile(profile); Loading
security/apparmor/include/policy.h +10 −10 Original line number Diff line number Diff line Loading @@ -91,7 +91,7 @@ struct aa_policydb { }; struct aa_replacedby { struct aa_proxy { struct kref count; struct aa_profile __rcu *profile; }; Loading @@ -103,7 +103,7 @@ struct aa_replacedby { * @rcu: rcu head used when removing from @list * @parent: parent of profile * @ns: namespace the profile is in * @replacedby: is set to the profile that replaced this profile * @proxy: is set to the profile that replaced this profile * @rename: optional profile name that this profile renamed * @attach: human readable attachment string * @xmatch: optional extended matching for unconfined executables names Loading @@ -126,7 +126,7 @@ struct aa_replacedby { * used to determine profile attachment against unconfined tasks. All other * attachments are determined by profile X transition rules. * * The @replacedby struct is write protected by the profile lock. * The @proxy struct is write protected by the profile lock. * * Profiles have a hierarchy where hats and children profiles keep * a reference to their parent. Loading @@ -142,7 +142,7 @@ struct aa_profile { struct aa_profile __rcu *parent; struct aa_ns *ns; struct aa_replacedby *replacedby; struct aa_proxy *proxy; const char *rename; const char *attach; Loading @@ -166,12 +166,12 @@ struct aa_profile { extern enum profile_mode aa_g_profile_mode; void __aa_update_replacedby(struct aa_profile *orig, struct aa_profile *new); void __aa_update_proxy(struct aa_profile *orig, struct aa_profile *new); void aa_add_profile(struct aa_policy *common, struct aa_profile *profile); void aa_free_replacedby_kref(struct kref *kref); void aa_free_proxy_kref(struct kref *kref); struct aa_profile *aa_alloc_profile(const char *name); struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat); void aa_free_profile(struct aa_profile *profile); Loading Loading 
@@ -254,7 +254,7 @@ static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p) return NULL; if (profile_is_stale(p)) return aa_get_profile_rcu(&p->replacedby->profile); return aa_get_profile_rcu(&p->proxy->profile); return aa_get_profile(p); } Loading @@ -269,7 +269,7 @@ static inline void aa_put_profile(struct aa_profile *p) kref_put(&p->count, aa_free_profile_kref); } static inline struct aa_replacedby *aa_get_replacedby(struct aa_replacedby *p) static inline struct aa_proxy *aa_get_proxy(struct aa_proxy *p) { if (p) kref_get(&(p->count)); Loading @@ -277,10 +277,10 @@ static inline struct aa_replacedby *aa_get_replacedby(struct aa_replacedby *p) return p; } static inline void aa_put_replacedby(struct aa_replacedby *p) static inline void aa_put_proxy(struct aa_proxy *p) { if (p) kref_put(&p->count, aa_free_replacedby_kref); kref_put(&p->count, aa_free_proxy_kref); } static inline int AUDIT_MODE(struct aa_profile *profile) Loading
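Review bot: The kernel-doc line `@proxy: is set to the profile that replaced this profile` in the struct aa_profile comment only swaps the field name and still describes the member as if it were a profile. The struct definition in this section shows it is a `struct aa_proxy *` holding a kref and an RCU-protected profile pointer, so wording such as `@proxy: refcounted indirection; ->profile is the RCU pointer followed when this profile is stale` would match what aa_get_newest_profile does. struct aa_proxy itself has no comment; a one-line description of who holds references to it (the owning profile and, judging by the apparmorfs.c section, each profile file's i_private) would help anyone auditing its lifetime. The kernel-doc block starts and ends outside the visible hunks.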
security/apparmor/policy.c +35 −35 Original line number Diff line number Diff line Loading @@ -99,13 +99,13 @@ const char *const aa_profile_mode_names[] = { /* requires profile list write lock held */ void __aa_update_replacedby(struct aa_profile *orig, struct aa_profile *new) void __aa_update_proxy(struct aa_profile *orig, struct aa_profile *new) { struct aa_profile *tmp; tmp = rcu_dereference_protected(orig->replacedby->profile, tmp = rcu_dereference_protected(orig->proxy->profile, mutex_is_locked(&orig->ns->lock)); rcu_assign_pointer(orig->replacedby->profile, aa_get_profile(new)); rcu_assign_pointer(orig->proxy->profile, aa_get_profile(new)); orig->flags |= PFLAG_STALE; aa_put_profile(tmp); } Loading Loading @@ -156,7 +156,7 @@ static void __remove_profile(struct aa_profile *profile) /* release any children lists first */ __aa_profile_list_release(&profile->base.profiles); /* released by free_profile */ __aa_update_replacedby(profile, profile->ns->unconfined); __aa_update_proxy(profile, profile->ns->unconfined); __aa_fs_profile_rmdir(profile); __list_remove_profile(profile); } Loading @@ -175,21 +175,21 @@ void __aa_profile_list_release(struct list_head *head) } static void free_replacedby(struct aa_replacedby *r) static void free_proxy(struct aa_proxy *p) { if (r) { if (p) { /* r->profile will not be updated any more as r is dead */ aa_put_profile(rcu_dereference_protected(r->profile, true)); kzfree(r); aa_put_profile(rcu_dereference_protected(p->profile, true)); kzfree(p); } } void aa_free_replacedby_kref(struct kref *kref) void aa_free_proxy_kref(struct kref *kref) { struct aa_replacedby *r = container_of(kref, struct aa_replacedby, count); free_replacedby(r); struct aa_proxy *p = container_of(kref, struct aa_proxy, count); free_proxy(p); } /** Loading Loading 
@@ -223,7 +223,7 @@ void aa_free_profile(struct aa_profile *profile) kzfree(profile->dirname); aa_put_dfa(profile->xmatch); aa_put_dfa(profile->policy.dfa); aa_put_replacedby(profile->replacedby); aa_put_proxy(profile->proxy); kzfree(profile->hash); kzfree(profile); Loading Loading @@ -267,10 +267,10 @@ struct aa_profile *aa_alloc_profile(const char *hname) if (!profile) return NULL; profile->replacedby = kzalloc(sizeof(struct aa_replacedby), GFP_KERNEL); if (!profile->replacedby) profile->proxy = kzalloc(sizeof(struct aa_proxy), GFP_KERNEL); if (!profile->proxy) goto fail; kref_init(&profile->replacedby->count); kref_init(&profile->proxy->count); if (!aa_policy_init(&profile->base, NULL, hname)) goto fail; Loading @@ -280,7 +280,7 @@ struct aa_profile *aa_alloc_profile(const char *hname) return profile; fail: kzfree(profile->replacedby); kzfree(profile->proxy); kzfree(profile); return NULL; Loading Loading @@ -598,7 +598,7 @@ static struct aa_profile *__list_lookup_parent(struct list_head *lh, * __replace_profile - replace @old with @new on a list * @old: profile to be replaced (NOT NULL) * @new: profile to replace @old with (NOT NULL) * @share_replacedby: transfer @old->replacedby to @new * @share_proxy: transfer @old->proxy to @new * * Will duplicate and refcount elements that @new inherits from @old * and will inherit @old children. Loading @@ -608,7 +608,7 @@ static struct aa_profile *__list_lookup_parent(struct list_head *lh, * Requires: namespace list lock be held, or list not be shared */ static void __replace_profile(struct aa_profile *old, struct aa_profile *new, bool share_replacedby) bool share_proxy) { struct aa_profile *child, *tmp; Loading @@ -623,7 +623,7 @@ static void __replace_profile(struct aa_profile *old, struct aa_profile *new, p = __find_child(&new->base.profiles, child->base.name); if (p) { /* @p replaces @child */ __replace_profile(child, p, share_replacedby); __replace_profile(child, p, share_proxy); continue; } Loading 
@@ -641,13 +641,13 @@ static void __replace_profile(struct aa_profile *old, struct aa_profile *new, struct aa_profile *parent = aa_deref_parent(old); rcu_assign_pointer(new->parent, aa_get_profile(parent)); } __aa_update_replacedby(old, new); if (share_replacedby) { aa_put_replacedby(new->replacedby); new->replacedby = aa_get_replacedby(old->replacedby); } else if (!rcu_access_pointer(new->replacedby->profile)) /* aafs interface uses replacedby */ rcu_assign_pointer(new->replacedby->profile, __aa_update_proxy(old, new); if (share_proxy) { aa_put_proxy(new->proxy); new->proxy = aa_get_proxy(old->proxy); } else if (!rcu_access_pointer(new->proxy->profile)) /* aafs interface uses proxy */ rcu_assign_pointer(new->proxy->profile, aa_get_profile(new)); __aa_fs_profile_migrate_dents(old, new); Loading Loading @@ -797,15 +797,15 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace) if (ent->old) { __replace_profile(ent->old, ent->new, 1); if (ent->rename) { /* aafs interface uses replacedby */ struct aa_replacedby *r = ent->new->replacedby; /* aafs interface uses proxy */ struct aa_proxy *r = ent->new->proxy; rcu_assign_pointer(r->profile, aa_get_profile(ent->new)); __replace_profile(ent->rename, ent->new, 0); } } else if (ent->rename) { /* aafs interface uses replacedby */ rcu_assign_pointer(ent->new->replacedby->profile, /* aafs interface uses proxy */ rcu_assign_pointer(ent->new->proxy->profile, aa_get_profile(ent->new)); __replace_profile(ent->rename, ent->new, 0); } else if (ent->new->parent) { Loading 
@@ -819,14 +819,14 @@ ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace) rcu_assign_pointer(ent->new->parent, newest); aa_put_profile(parent); } /* aafs interface uses replacedby */ rcu_assign_pointer(ent->new->replacedby->profile, /* aafs interface uses proxy */ rcu_assign_pointer(ent->new->proxy->profile, aa_get_profile(ent->new)); __list_add_profile(&newest->base.profiles, ent->new); aa_put_profile(newest); } else { /* aafs interface uses replacedby */ rcu_assign_pointer(ent->new->replacedby->profile, /* aafs interface uses proxy */ rcu_assign_pointer(ent->new->proxy->profile, aa_get_profile(ent->new)); __list_add_profile(&ns->base.profiles, ent->new); } Loading
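Review bot: The rename is incomplete in free_proxy(): the parameter becomes `p`, but the comment above the put still reads `/* r->profile will not be updated any more as r is dead */` and should become `/* p->profile will not be updated any more as p is dead */`. In aa_replace_profiles the local is still declared as `struct aa_proxy *r = ent->new->proxy;`, which is harmless but inconsistent with the `proxy` naming used in apparmorfs.c. Separately, and not introduced by this change, __aa_update_proxy() passes `mutex_is_locked(&orig->ns->lock)` as the RCU-protection condition, which is true when any task holds the lock. `lockdep_is_held(&orig->ns->lock)` would check the caller instead, if that fits the locking rules used elsewhere in the file.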
security/apparmor/policy_ns.c +1 −1 Original line number Diff line number Diff line Loading @@ -225,7 +225,7 @@ static void destroy_ns(struct aa_ns *ns) __ns_list_release(&ns->sub_ns); if (ns->parent) __aa_update_replacedby(ns->unconfined, ns->parent->unconfined); __aa_update_proxy(ns->unconfined, ns->parent->unconfined); __aa_fs_ns_rmdir(ns); mutex_unlock(&ns->lock); } Loading