mk-rootfs.sh

hc

2023-12-11 072de836f53be56a70cecf70b43ae43b7ce17376

 kernel/security/apparmor/policy.c
..
..
@@ -1,3 +1,4 @@
1
+// SPDX-License-Identifier: GPL-2.0-only
1
2
 /*
2
3
  * AppArmor security module
3
4
  *
..
..
@@ -5,12 +6,6 @@
5
6
  *
6
7
  * Copyright (C) 1998-2008 Novell/SUSE
7
8
  * Copyright 2009-2010 Canonical Ltd.
8
- *
9
- * This program is free software; you can redistribute it and/or
10
- * modify it under the terms of the GNU General Public License as
11
- * published by the Free Software Foundation, version 2 of the
12
- * License.
13
- *
14
9
  *
15
10
  * AppArmor policy is based around profiles, which contain the rules a
16
11
  * task is confined by.  Every task in the system has a profile attached
..
..
@@ -192,9 +187,9 @@
192
187
 {
193
188
 	struct aa_data *data = ptr;
194
189
 
195
-	kzfree(data->data);
196
-	kzfree(data->key);
197
-	kzfree(data);
190
+	kfree_sensitive(data->data);
191
+	kfree_sensitive(data->key);
192
+	kfree_sensitive(data);
198
193
 }
199
194
 
200
195
 /**
..
..
@@ -222,16 +217,19 @@
222
217
 	aa_put_profile(rcu_access_pointer(profile->parent));
223
218
 
224
219
 	aa_put_ns(profile->ns);
225
-	kzfree(profile->rename);
220
+	kfree_sensitive(profile->rename);
226
221
 
227
222
 	aa_free_file_rules(&profile->file);
228
223
 	aa_free_cap_rules(&profile->caps);
229
224
 	aa_free_rlimit_rules(&profile->rlimits);
230
225
 
231
226
 	for (i = 0; i < profile->xattr_count; i++)
232
-		kzfree(profile->xattrs[i]);
233
-	kzfree(profile->xattrs);
234
-	kzfree(profile->dirname);
227
+		kfree_sensitive(profile->xattrs[i]);
228
+	kfree_sensitive(profile->xattrs);
229
+	for (i = 0; i < profile->secmark_count; i++)
230
+		kfree_sensitive(profile->secmark[i].label);
231
+	kfree_sensitive(profile->secmark);
232
+	kfree_sensitive(profile->dirname);
235
233
 	aa_put_dfa(profile->xmatch);
236
234
 	aa_put_dfa(profile->policy.dfa);
237
235
 
..
..
@@ -239,13 +237,14 @@
239
237
 		rht = profile->data;
240
238
 		profile->data = NULL;
241
239
 		rhashtable_free_and_destroy(rht, aa_free_data, NULL);
242
-		kzfree(rht);
240
+		kfree_sensitive(rht);
243
241
 	}
244
242
 
245
-	kzfree(profile->hash);
243
+	kfree_sensitive(profile->hash);
246
244
 	aa_put_loaddata(profile->rawdata);
245
+	aa_label_destroy(&profile->label);
247
246
 
248
-	kzfree(profile);
247
+	kfree_sensitive(profile);
249
248
 }
250
249
 
251
250
 /**
..
..
@@ -584,7 +583,7 @@
584
583
 {
585
584
 	if (profile) {
586
585
 		if (profile->label.flags & FLAG_IMMUTIBLE) {
587
-			*info = "cannot replace immutible profile";
586
+			*info = "cannot replace immutable profile";
588
587
 			return -EPERM;
589
588
 		} else if (noreplace) {
590
589
 			*info = "profile already exists";
..
..
@@ -858,7 +857,7 @@
858
857
 ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label,
859
858
 			    u32 mask, struct aa_loaddata *udata)
860
859
 {
861
-	const char *ns_name, *info = NULL;
860
+	const char *ns_name = NULL, *info = NULL;
862
861
 	struct aa_ns *ns = NULL;
863
862
 	struct aa_load_ent *ent, *tmp;
864
863
 	struct aa_loaddata *rawdata_ent;
..
..
@@ -1045,6 +1044,7 @@
1045
1044
 out:
1046
1045
 	aa_put_ns(ns);
1047
1046
 	aa_put_loaddata(udata);
1047
+	kfree(ns_name);
1048
1048
 
1049
1049
 	if (error)
1050
1050
 		return error;