
apparmor: move dfa perm macros into policy_unpack

Now that the permission remapping macros aren't needed anywhere except
during profile unpack, move them.

Signed-off-by: John Johansen <john.johansen@canonical.com>

+49 -51
-51
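--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -109,57 +109,6 @@
 
 #define COMBINED_PERM_MASK(X) ((X).allow | (X).audit | (X).quiet | (X).kill)
 
-/* FIXME: split perms from dfa and match this to description
-* also add delegation info.
-*/
-static inline u16 dfa_map_xindex(u16 mask)
-{
-u16 old_index = (mask >> 10) & 0xf;
-u16 index = 0;
-
-if (mask & 0x100)
-index |= AA_X_UNSAFE;
-if (mask & 0x200)
-index |= AA_X_INHERIT;
-if (mask & 0x80)
-index |= AA_X_UNCONFINED;
-
-if (old_index == 1) {
-index |= AA_X_UNCONFINED;
-} else if (old_index == 2) {
-index |= AA_X_NAME;
-} else if (old_index == 3) {
-index |= AA_X_NAME | AA_X_CHILD;
-} else if (old_index) {
-index |= AA_X_TABLE;
-index |= old_index - 4;
-}
-
-return index;
-}
-
-/*
-* map old dfa inline permissions to new format
-*/
-#define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \
-((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
-#define dfa_user_xbits(dfa, state) (((ACCEPT_TABLE(dfa)[state]) >> 7) & 0x7f)
-#define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f)
-#define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f)
-#define dfa_user_xindex(dfa, state) \
-(dfa_map_xindex(ACCEPT_TABLE(dfa)[state] & 0x3fff))
-
-#define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \
-0x7f) | \
-((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
-#define dfa_other_xbits(dfa, state) \
-((((ACCEPT_TABLE(dfa)[state]) >> 7) >> 14) & 0x7f)
-#define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f)
-#define dfa_other_quiet(dfa, state) \
-((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f)
-#define dfa_other_xindex(dfa, state) \
-dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
-
 int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
 const char *op, u32 request, const char *name,
 const char *target, struct aa_label *tlabel, kuid_t ouid,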
+49
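--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -671,6 +671,55 @@
 return strcmp(data->key, *key);
 }
 
+/* remap old accept table embedded permissions to separate permission table */
+static u16 dfa_map_xindex(u16 mask)
+{
+u16 old_index = (mask >> 10) & 0xf;
+u16 index = 0;
+
+if (mask & 0x100)
+index |= AA_X_UNSAFE;
+if (mask & 0x200)
+index |= AA_X_INHERIT;
+if (mask & 0x80)
+index |= AA_X_UNCONFINED;
+
+if (old_index == 1) {
+index |= AA_X_UNCONFINED;
+} else if (old_index == 2) {
+index |= AA_X_NAME;
+} else if (old_index == 3) {
+index |= AA_X_NAME | AA_X_CHILD;
+} else if (old_index) {
+index |= AA_X_TABLE;
+index |= old_index - 4;
+}
+
+return index;
+}
+
+/*
+* map old dfa inline permissions to new format
+*/
+#define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \
+((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
+#define dfa_user_xbits(dfa, state) (((ACCEPT_TABLE(dfa)[state]) >> 7) & 0x7f)
+#define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f)
+#define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f)
+#define dfa_user_xindex(dfa, state) \
+(dfa_map_xindex(ACCEPT_TABLE(dfa)[state] & 0x3fff))
+
+#define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \
+0x7f) | \
+((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
+#define dfa_other_xbits(dfa, state) \
+((((ACCEPT_TABLE(dfa)[state]) >> 7) >> 14) & 0x7f)
+#define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f)
+#define dfa_other_quiet(dfa, state) \
+((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f)
+#define dfa_other_xindex(dfa, state) \
+dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
+
 /**
 * map_old_perms - map old file perms layout to the new layout
 * @old: permission set in old mapping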
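Review bot: The moved `dfa_user_*`/`dfa_other_*` macros index `ACCEPT_TABLE(dfa)[state]` and `ACCEPT_TABLE2(dfa)[state]` with no bounds check, and the comment above them does not say what the caller must guarantee; since they now sit in the profile-unpack path, that comment should state the precondition, e.g. `/* state must be below the accept table length and the dfa must already have been verified */`. Whether the callers enforce this is not visible in this hunk. The bit layout that `dfa_map_xindex` decodes (`0x80`, `0x100`, `0x200`, the index in bits 10-13, and the `old_index - 4` table offset) is also undocumented and would be worth a short comment per field. As a style point, `dfa_other_xindex` lacks the outer parentheses that `dfa_user_xindex` has; its last line could read `(dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff))`.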