authorMike Salvatore <mike.salvatore@canonical.com>2020-03-30 16:43:29 -0400
committerJohn Johansen <john.johansen@canonical.com>2022-10-03 14:49:02 -0700
commit408d53e923bd852d5d80243a642004163db53a87 (patch)
tree9c3b52675bc86ff7dde78510078f199443642144 /security/apparmor/include
parent2218d08123362c63bab257caf5ec3bc1a6e87ae9 (diff)
apparmor: compute file permissions on profile load
Rather than computing file permissions for each file access, file permissions can be computed once on profile load and stored for lookup. Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/include')
-rw-r--r--security/apparmor/include/file.h15
1 files changed, 12 insertions, 3 deletions
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
index 029cb20e322d..ab201d625a34 100644
--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -181,11 +181,13 @@ struct aa_file_rules {
/* struct perms perms; */
struct aa_domain trans;
/* TODO: add delegate table */
+ struct aa_perms *fperms_table;
};
-struct aa_perms aa_compute_fperms(struct aa_dfa *dfa, unsigned int state,
- struct path_cond *cond);
-unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
+void aa_compute_fperms(struct aa_file_rules *file_rules);
+struct aa_perms *aa_lookup_fperms(struct aa_file_rules *file_rules,
+ unsigned int state, struct path_cond *cond);
+unsigned int aa_str_perms(struct aa_file_rules *file_rules, unsigned int start,
const char *name, struct path_cond *cond,
struct aa_perms *perms);
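Review bot: The new `fperms_table` member of struct aa_file_rules (whose header lies outside the hunk) has no comment saying what it holds or who owns it, although the adjacent members are annotated; a line such as `/* per-state perms table; allocated by aa_compute_fperms(), released by aa_free_file_rules() */` would make the lifetime visible at the declaration (the per-state indexing is inferred from aa_lookup_fperms() taking a `state` argument, so confirm before wording it that way). The second concern is that `aa_compute_fperms` now returns void while the table it builds is released with kvfree() in the second hunk, which suggests a kvmalloc-style allocation that can fail; with a void return the profile-load caller cannot tell that the table was not built, and a later aa_lookup_fperms() on a NULL table would fault inside the permission check rather than failing the load. If the allocation can fail, the usual kernel shape is `int aa_compute_fperms(struct aa_file_rules *file_rules);` returning -ENOMEM, with the caller unwinding the load. Whether the .c side already guards this is not visible on this page.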
@@ -204,10 +206,17 @@ int aa_file_perm(const char *op, struct aa_label *label, struct file *file,
void aa_inherit_files(const struct cred *cred, struct files_struct *files);
+static inline void aa_free_fperms_table(struct aa_perms *fperms_table)
+{
+ if (fperms_table)
+ kvfree(fperms_table);
+}
+
static inline void aa_free_file_rules(struct aa_file_rules *rules)
{
aa_put_dfa(rules->dfa);
aa_free_domain_entries(&rules->trans);
+ aa_free_fperms_table(rules->fperms_table);
}
/**