Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
apparmor: cleanup: refactor file_perm() to doc semantics of some checks
Provide semantics, via fn names, for some checks being done in
file_perm(). This is a preparatory patch for improvements to both
permission caching and delegation, where the check will become more
involved.
Signed-off-by: John Johansen <john.johansen@canonical.com>
+15
-2
+15
-2
security/apparmor/file.c
+15
-2
security/apparmor/file.c
···
557
557
return error;
558
558
}
559
559
560
+
/* wrapper fn to indicate semantics of the check */
561
+
static bool __subj_label_is_cached(struct aa_label *subj_label,
562
+
struct aa_label *obj_label)
563
+
{
564
+
return aa_label_is_subset(obj_label, subj_label);
565
+
}
566
+
567
+
/* for now separate fn to indicate semantics of the check */
568
+
static bool __file_is_delegated(struct aa_label *obj_label)
569
+
{
570
+
return unconfined(obj_label);
571
+
}
572
+
560
573
/**
561
574
* aa_file_perm - do permission revalidation check & audit for @file
562
575
* @op: operation being checked
···
607
594
* delegation from unconfined tasks
608
595
*/
609
596
denied = request & ~fctx->allow;
610
-
if (unconfined(label) || unconfined(flabel) ||
611
-
(!denied && aa_label_is_subset(flabel, label))) {
597
+
if (unconfined(label) || __file_is_delegated(flabel) ||
598
+
(!denied && __subj_label_is_cached(label, flabel))) {
612
599
rcu_read_unlock();
613
600
goto done;
614
601
}