apparmor: combine common_audit_data and apparmor_audit_data

Everywhere common_audit_data is used, apparmor_audit_data is also
used. We can simplify the code and drop the use of the aad macro
everywhere by combining the two structures.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

+254 -242
+35 -35
security/apparmor/audit.c
··· 85 85 /** 86 86 * audit_pre() - core AppArmor function. 87 87 * @ab: audit buffer to fill (NOT NULL) 88 - * @ca: audit structure containing data to audit (NOT NULL) 88 + * @va: audit structure containing data to audit (NOT NULL) 89 89 * 90 - * Record common AppArmor audit data from @sa 90 + * Record common AppArmor audit data from @va 91 91 */ 92 - static void audit_pre(struct audit_buffer *ab, void *ca) 92 + static void audit_pre(struct audit_buffer *ab, void *va) 93 93 { 94 - struct common_audit_data *sa = ca; 94 + struct apparmor_audit_data *ad = aad_of_va(va); 95 95 96 96 if (aa_g_audit_header) { 97 97 audit_log_format(ab, "apparmor=\"%s\"", 98 - aa_audit_type[aad(sa)->type]); 98 + aa_audit_type[ad->type]); 99 99 } 100 100 101 - if (aad(sa)->op) { 102 - audit_log_format(ab, " operation=\"%s\"", aad(sa)->op); 103 - } 101 + if (ad->op) 102 + audit_log_format(ab, " operation=\"%s\"", ad->op); 104 103 105 - if (aad(sa)->class) 104 + if (ad->class) 106 105 audit_log_format(ab, " class=\"%s\"", 107 - aad(sa)->class <= AA_CLASS_LAST ? 108 - aa_class_names[aad(sa)->class] : 106 + ad->class <= AA_CLASS_LAST ? 
107 + aa_class_names[ad->class] : 109 108 "unknown"); 110 109 111 - if (aad(sa)->info) { 112 - audit_log_format(ab, " info=\"%s\"", aad(sa)->info); 113 - if (aad(sa)->error) 114 - audit_log_format(ab, " error=%d", aad(sa)->error); 110 + if (ad->info) { 111 + audit_log_format(ab, " info=\"%s\"", ad->info); 112 + if (ad->error) 113 + audit_log_format(ab, " error=%d", ad->error); 115 114 } 116 115 117 - if (aad(sa)->label) { 118 - struct aa_label *label = aad(sa)->label; 116 + if (ad->label) { 117 + struct aa_label *label = ad->label; 119 118 120 119 if (label_isprofile(label)) { 121 120 struct aa_profile *profile = labels_profile(label); ··· 133 134 } 134 135 } 135 136 136 - if (aad(sa)->name) { 137 + if (ad->name) { 137 138 audit_log_format(ab, " name="); 138 - audit_log_untrustedstring(ab, aad(sa)->name); 139 + audit_log_untrustedstring(ab, ad->name); 139 140 } 140 141 } 141 142 142 143 /** 143 144 * aa_audit_msg - Log a message to the audit subsystem 144 145 * @type: audit type for the message 145 - * @sa: audit event structure (NOT NULL) 146 + * @ad: audit event structure (NOT NULL) 146 147 * @cb: optional callback fn for type specific fields (MAYBE NULL) 147 148 */ 148 - void aa_audit_msg(int type, struct common_audit_data *sa, 149 + void aa_audit_msg(int type, struct apparmor_audit_data *ad, 149 150 void (*cb) (struct audit_buffer *, void *)) 150 151 { 151 - aad(sa)->type = type; 152 - common_lsm_audit(sa, audit_pre, cb); 152 + ad->type = type; 153 + common_lsm_audit(&ad->common, audit_pre, cb); 153 154 } 154 155 155 156 /** 156 157 * aa_audit - Log a profile based audit event to the audit subsystem 157 158 * @type: audit type for the message 158 159 * @profile: profile to check against (NOT NULL) 159 - * @sa: audit event (NOT NULL) 160 + * @ad: audit event (NOT NULL) 160 161 * @cb: optional callback fn for type specific fields (MAYBE NULL) 161 162 * 162 163 * Handle default message switching based off of audit mode flags 163 164 * 164 165 * Returns: error on 
failure 165 166 */ 166 - int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa, 167 + int aa_audit(int type, struct aa_profile *profile, 168 + struct apparmor_audit_data *ad, 167 169 void (*cb) (struct audit_buffer *, void *)) 168 170 { 169 171 AA_BUG(!profile); 170 172 171 173 if (type == AUDIT_APPARMOR_AUTO) { 172 - if (likely(!aad(sa)->error)) { 174 + if (likely(!ad->error)) { 173 175 if (AUDIT_MODE(profile) != AUDIT_ALL) 174 176 return 0; 175 177 type = AUDIT_APPARMOR_AUDIT; ··· 182 182 if (AUDIT_MODE(profile) == AUDIT_QUIET || 183 183 (type == AUDIT_APPARMOR_DENIED && 184 184 AUDIT_MODE(profile) == AUDIT_QUIET_DENIED)) 185 - return aad(sa)->error; 185 + return ad->error; 186 186 187 187 if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED) 188 188 type = AUDIT_APPARMOR_KILL; 189 189 190 - aad(sa)->label = &profile->label; 190 + ad->label = &profile->label; 191 191 192 - aa_audit_msg(type, sa, cb); 192 + aa_audit_msg(type, ad, cb); 193 193 194 - if (aad(sa)->type == AUDIT_APPARMOR_KILL) 194 + if (ad->type == AUDIT_APPARMOR_KILL) 195 195 (void)send_sig_info(SIGKILL, NULL, 196 - sa->type == LSM_AUDIT_DATA_TASK && sa->u.tsk ? 197 - sa->u.tsk : current); 196 + ad->common.type == LSM_AUDIT_DATA_TASK && 197 + ad->common.u.tsk ? ad->common.u.tsk : current); 198 198 199 - if (aad(sa)->type == AUDIT_APPARMOR_ALLOWED) 200 - return complain_error(aad(sa)->error); 199 + if (ad->type == AUDIT_APPARMOR_ALLOWED) 200 + return complain_error(ad->error); 201 201 202 - return aad(sa)->error; 202 + return ad->error; 203 203 } 204 204 205 205 struct aa_audit_rule {
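Review bot: audit_pre() now recovers its apparmor_audit_data with `aad_of_va(va)`, a container_of() over the pointer it is handed, and that is only valid because aa_audit_msg() a few lines below passes `&ad->common` to common_lsm_audit(); nothing at the callback records that dependency. A one-line comment on the cast, `/* va is &ad->common, as handed to common_lsm_audit() by aa_audit_msg() */`, would state the invariant for the next reader. The other callbacks in this series (file_audit_cb, audit_signal_cb, audit_cb in mount.c and friends) spell the same step as `sa = va; ad = aad(sa);`, so picking one form for all of them would read more consistently.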
+12 -12
security/apparmor/capability.c
··· 51 51 52 52 /** 53 53 * audit_caps - audit a capability 54 - * @sa: audit data 54 + * @as: audit data 55 55 * @profile: profile being tested for confinement (NOT NULL) 56 56 * @cap: capability tested 57 57 * @error: error code returned by test ··· 59 59 * Do auditing of capability and handle, audit/complain/kill modes switching 60 60 * and duplicate message elimination. 61 61 * 62 - * Returns: 0 or sa->error on success, error code on failure 62 + * Returns: 0 or ad->error on success, error code on failure 63 63 */ 64 - static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile, 64 + static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile, 65 65 int cap, int error) 66 66 { 67 67 struct aa_ruleset *rules = list_first_entry(&profile->rules, ··· 69 69 struct audit_cache *ent; 70 70 int type = AUDIT_APPARMOR_AUTO; 71 71 72 - aad(sa)->error = error; 72 + ad->error = error; 73 73 74 74 if (likely(!error)) { 75 75 /* test if auditing is being forced */ ··· 101 101 } 102 102 put_cpu_var(audit_cache); 103 103 104 - return aa_audit(type, profile, sa, audit_cb); 104 + return aa_audit(type, profile, ad, audit_cb); 105 105 } 106 106 107 107 /** ··· 109 109 * @profile: profile being enforced (NOT NULL, NOT unconfined) 110 110 * @cap: capability to test if allowed 111 111 * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated 112 - * @sa: audit data (MAY BE NULL indicating no auditing) 112 + * @ad: audit data (MAY BE NULL indicating no auditing) 113 113 * 114 114 * Returns: 0 if allowed else -EPERM 115 115 */ 116 116 static int profile_capable(struct aa_profile *profile, int cap, 117 - unsigned int opts, struct common_audit_data *sa) 117 + unsigned int opts, struct apparmor_audit_data *ad) 118 118 { 119 119 struct aa_ruleset *rules = list_first_entry(&profile->rules, 120 120 typeof(*rules), list); ··· 132 132 /* audit the cap request in complain mode but note that it 133 133 * should be optional. 
134 134 */ 135 - aad(sa)->info = "optional: no audit"; 135 + ad->info = "optional: no audit"; 136 136 } 137 137 138 - return audit_caps(sa, profile, cap, error); 138 + return audit_caps(ad, profile, cap, error); 139 139 } 140 140 141 141 /** ··· 152 152 { 153 153 struct aa_profile *profile; 154 154 int error = 0; 155 - DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, AA_CLASS_CAP, OP_CAPABLE); 155 + DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_CAP, AA_CLASS_CAP, OP_CAPABLE); 156 156 157 - sa.u.cap = cap; 157 + ad.common.u.cap = cap; 158 158 error = fn_for_each_confined(label, profile, 159 - profile_capable(profile, cap, opts, &sa)); 159 + profile_capable(profile, cap, opts, &ad)); 160 160 161 161 return error; 162 162 }
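Review bot: The kernel-doc for audit_caps() names its first parameter `@as` while the signature now calls it `ad`, so the description no longer matches the prototype and kernel-doc will report the mismatch; the line should read ` * @ad: audit data`. The `Returns:` line of the same comment and the profile_capable() doc further down were updated to `ad` correctly.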
+32 -32
security/apparmor/file.c
··· 44 44 static void file_audit_cb(struct audit_buffer *ab, void *va) 45 45 { 46 46 struct common_audit_data *sa = va; 47 + struct apparmor_audit_data *ad = aad(sa); 47 48 kuid_t fsuid = current_fsuid(); 48 49 char str[10]; 49 50 50 - if (aad(sa)->request & AA_AUDIT_FILE_MASK) { 51 + if (ad->request & AA_AUDIT_FILE_MASK) { 51 52 aa_perm_mask_to_str(str, sizeof(str), aa_file_perm_chrs, 52 - map_mask_to_chr_mask(aad(sa)->request)); 53 + map_mask_to_chr_mask(ad->request)); 53 54 audit_log_format(ab, " requested_mask=\"%s\"", str); 54 55 } 55 - if (aad(sa)->denied & AA_AUDIT_FILE_MASK) { 56 + if (ad->denied & AA_AUDIT_FILE_MASK) { 56 57 aa_perm_mask_to_str(str, sizeof(str), aa_file_perm_chrs, 57 - map_mask_to_chr_mask(aad(sa)->denied)); 58 + map_mask_to_chr_mask(ad->denied)); 58 59 audit_log_format(ab, " denied_mask=\"%s\"", str); 59 60 } 60 - if (aad(sa)->request & AA_AUDIT_FILE_MASK) { 61 + if (ad->request & AA_AUDIT_FILE_MASK) { 61 62 audit_log_format(ab, " fsuid=%d", 62 63 from_kuid(&init_user_ns, fsuid)); 63 64 audit_log_format(ab, " ouid=%d", 64 - from_kuid(&init_user_ns, aad(sa)->fs.ouid)); 65 + from_kuid(&init_user_ns, ad->fs.ouid)); 65 66 } 66 67 67 - if (aad(sa)->peer) { 68 + if (ad->peer) { 68 69 audit_log_format(ab, " target="); 69 - aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer, 70 + aa_label_xaudit(ab, labels_ns(ad->label), ad->peer, 70 71 FLAG_VIEW_SUBNS, GFP_KERNEL); 71 - } else if (aad(sa)->fs.target) { 72 + } else if (ad->fs.target) { 72 73 audit_log_format(ab, " target="); 73 - audit_log_untrustedstring(ab, aad(sa)->fs.target); 74 + audit_log_untrustedstring(ab, ad->fs.target); 74 75 } 75 76 } 76 77 ··· 96 95 kuid_t ouid, const char *info, int error) 97 96 { 98 97 int type = AUDIT_APPARMOR_AUTO; 99 - DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_TASK, AA_CLASS_FILE, op); 98 + DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_TASK, AA_CLASS_FILE, op); 100 99 101 - sa.u.tsk = NULL; 102 - aad(&sa)->request = request; 103 - aad(&sa)->name = name; 104 - 
aad(&sa)->fs.target = target; 105 - aad(&sa)->peer = tlabel; 106 - aad(&sa)->fs.ouid = ouid; 107 - aad(&sa)->info = info; 108 - aad(&sa)->error = error; 109 - sa.u.tsk = NULL; 100 + ad.request = request; 101 + ad.name = name; 102 + ad.fs.target = target; 103 + ad.peer = tlabel; 104 + ad.fs.ouid = ouid; 105 + ad.info = info; 106 + ad.error = error; 107 + ad.common.u.tsk = NULL; 110 108 111 - if (likely(!aad(&sa)->error)) { 109 + if (likely(!ad.error)) { 112 110 u32 mask = perms->audit; 113 111 114 112 if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL)) 115 113 mask = 0xffff; 116 114 117 115 /* mask off perms that are not being force audited */ 118 - aad(&sa)->request &= mask; 116 + ad.request &= mask; 119 117 120 - if (likely(!aad(&sa)->request)) 118 + if (likely(!ad.request)) 121 119 return 0; 122 120 type = AUDIT_APPARMOR_AUDIT; 123 121 } else { 124 122 /* only report permissions that were denied */ 125 - aad(&sa)->request = aad(&sa)->request & ~perms->allow; 126 - AA_BUG(!aad(&sa)->request); 123 + ad.request = ad.request & ~perms->allow; 124 + AA_BUG(!ad.request); 127 125 128 - if (aad(&sa)->request & perms->kill) 126 + if (ad.request & perms->kill) 129 127 type = AUDIT_APPARMOR_KILL; 130 128 131 129 /* quiet known rejects, assumes quiet and kill do not overlap */ 132 - if ((aad(&sa)->request & perms->quiet) && 130 + if ((ad.request & perms->quiet) && 133 131 AUDIT_MODE(profile) != AUDIT_NOQUIET && 134 132 AUDIT_MODE(profile) != AUDIT_ALL) 135 - aad(&sa)->request &= ~perms->quiet; 133 + ad.request &= ~perms->quiet; 136 134 137 - if (!aad(&sa)->request) 138 - return aad(&sa)->error; 135 + if (!ad.request) 136 + return ad.error; 139 137 } 140 138 141 - aad(&sa)->denied = aad(&sa)->request & ~perms->allow; 142 - return aa_audit(type, profile, &sa, file_audit_cb); 139 + ad.denied = ad.request & ~perms->allow; 140 + return aa_audit(type, profile, &ad, file_audit_cb); 143 141 } 144 142 145 143 static int path_name(const char *op, struct aa_label *label,
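Review bot: `ad.common.u.tsk = NULL;` in aa_audit_file() is redundant, since DEFINE_AUDIT_DATA() in audit.h now initializes `.common.u.tsk = NULL` as part of the declaration; the line is the survivor of the two `sa.u.tsk = NULL;` the old code had and can go. Separately, in file_audit_cb() the local `sa` exists only to feed `aad(sa)` and is not referenced again, so `struct apparmor_audit_data *ad = aad_of_va(va);` would do in one line. The same holds for audit_signal_cb() in ipc.c, aa_audit_perms_cb() in lib.c, audit_cb() in mount.c, policy.c, policy_unpack.c and resource.c, and audit_ptrace_cb() in task.c, whereas audit_net_cb() in net.c still reads `sa->u.net` and legitimately keeps it.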
+17 -15
security/apparmor/include/audit.h
··· 152 152 unsigned long flags; 153 153 } mnt; 154 154 }; 155 + 156 + struct common_audit_data common; 155 157 }; 156 158 157 159 /* macros for dealing with apparmor_audit_data structure */ 158 - #define aad(SA) ((SA)->apparmor_audit_data) 160 + #define aad(SA) (container_of(SA, struct apparmor_audit_data, common)) 161 + #define aad_of_va(VA) aad((struct common_audit_data *)(VA)) 162 + 159 163 #define DEFINE_AUDIT_DATA(NAME, T, C, X) \ 160 164 /* TODO: cleanup audit init so we don't need _aad = {0,} */ \ 161 - struct apparmor_audit_data NAME ## _aad = { \ 165 + struct apparmor_audit_data NAME = { \ 162 166 .class = (C), \ 163 167 .op = (X), \ 164 - }; \ 165 - struct common_audit_data NAME = \ 166 - { \ 167 - .type = (T), \ 168 - .u.tsk = NULL, \ 169 - }; \ 170 - NAME.apparmor_audit_data = &(NAME ## _aad) 168 + .common.type = (T), \ 169 + .common.u.tsk = NULL, \ 170 + .common.apparmor_audit_data = &NAME, \ 171 + }; 171 172 172 - void aa_audit_msg(int type, struct common_audit_data *sa, 173 + void aa_audit_msg(int type, struct apparmor_audit_data *ad, 173 174 void (*cb) (struct audit_buffer *, void *)); 174 - int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa, 175 + int aa_audit(int type, struct aa_profile *profile, 176 + struct apparmor_audit_data *ad, 175 177 void (*cb) (struct audit_buffer *, void *)); 176 178 177 - #define aa_audit_error(ERROR, SA, CB) \ 179 + #define aa_audit_error(ERROR, AD, CB) \ 178 180 ({ \ 179 - aad((SA))->error = (ERROR); \ 180 - aa_audit_msg(AUDIT_APPARMOR_ERROR, (SA), (CB)); \ 181 - aad((SA))->error; \ 181 + (AD)->error = (ERROR); \ 182 + aa_audit_msg(AUDIT_APPARMOR_ERROR, (AD), (CB)); \ 183 + (AD)->error; \ 182 184 }) 183 185 184 186
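Review bot: The TODO above DEFINE_AUDIT_DATA() still reads `cleanup audit init so we don't need _aad = {0,}` although the `NAME ## _aad` object it refers to is removed by this hunk; drop it or reword it to whatever concern remains. `aad()` now derives the enclosing struct with container_of(), so it is only correct for a common_audit_data that really is the `common` member of an apparmor_audit_data — a comment next to the macro such as `/* only valid for a common_audit_data embedded via DEFINE_AUDIT_DATA() */` would state that contract, and `.common.apparmor_audit_data = &NAME` appears to be kept only for compatibility, since nothing in this series reads it any more. Minor: the macro now ends in `};` while call sites such as DEFINE_AUDIT_NET() in net.h and every `DEFINE_AUDIT_DATA(ad, ...);` in the .c files still append their own `;`, yielding an empty statement; ending the macro with `}` keeps the call sites as they are.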
+7 -6
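--- a/security/apparmor/include/net.h
+++ b/security/apparmor/include/net.h
@@ -65,9 +65,9 @@
 			 LSM_AUDIT_DATA_NONE,				\
 			 AA_CLASS_NET,					\
 			 OP);						\
-	NAME.u.net = &(NAME ## _net);					\
-	aad(&NAME)->net.type = (T);					\
-	aad(&NAME)->net.protocol = (P)
+	NAME.common.u.net = &(NAME ## _net);				\
+	NAME.net.type = (T);						\
+	NAME.net.protocol = (P)
 
 #define DEFINE_AUDIT_SK(NAME, OP, SK)					\
 	DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type,	\
@@ -94,16 +94,17 @@
 extern struct aa_sfs_entry aa_sfs_entry_network[];
 
 void audit_net_cb(struct audit_buffer *ab, void *va);
-int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
+int aa_profile_af_perm(struct aa_profile *profile,
+		       struct apparmor_audit_data *ad,
 		       u32 request, u16 family, int type);
 int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
 	       int type, int protocol);
 static inline int aa_profile_af_sk_perm(struct aa_profile *profile,
-					struct common_audit_data *sa,
+					struct apparmor_audit_data *ad,
 					u32 request,
 					struct sock *sk)
 {
-	return aa_profile_af_perm(profile, sa, request, sk->sk_family,
+	return aa_profile_af_perm(profile, ad, request, sk->sk_family,
 				  sk->sk_type);
 }
 int aa_sk_perm(const char *op, u32 request, struct sock *sk);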
+2 -2
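--- a/security/apparmor/include/perms.h
+++ b/security/apparmor/include/perms.h
@@ -212,8 +212,8 @@
 				   int type, u32 request, struct aa_perms *perms);
 int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target,
 			  u32 request, int type, u32 *deny,
-			  struct common_audit_data *sa);
+			  struct apparmor_audit_data *ad);
 int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms,
-		   u32 request, struct common_audit_data *sa,
+		   u32 request, struct apparmor_audit_data *ad,
 		   void (*cb)(struct audit_buffer *, void *));
 #endif /* __AA_PERM_H */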
+20 -19
security/apparmor/ipc.c
··· 52 52 static void audit_signal_cb(struct audit_buffer *ab, void *va) 53 53 { 54 54 struct common_audit_data *sa = va; 55 + struct apparmor_audit_data *ad = aad(sa); 55 56 56 - if (aad(sa)->request & AA_SIGNAL_PERM_MASK) { 57 + if (ad->request & AA_SIGNAL_PERM_MASK) { 57 58 audit_log_format(ab, " requested_mask=\"%s\"", 58 - audit_signal_mask(aad(sa)->request)); 59 - if (aad(sa)->denied & AA_SIGNAL_PERM_MASK) { 59 + audit_signal_mask(ad->request)); 60 + if (ad->denied & AA_SIGNAL_PERM_MASK) { 60 61 audit_log_format(ab, " denied_mask=\"%s\"", 61 - audit_signal_mask(aad(sa)->denied)); 62 + audit_signal_mask(ad->denied)); 62 63 } 63 64 } 64 - if (aad(sa)->signal == SIGUNKNOWN) 65 + if (ad->signal == SIGUNKNOWN) 65 66 audit_log_format(ab, "signal=unknown(%d)", 66 - aad(sa)->unmappedsig); 67 - else if (aad(sa)->signal < MAXMAPPED_SIGNAME) 68 - audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]); 67 + ad->unmappedsig); 68 + else if (ad->signal < MAXMAPPED_SIGNAME) 69 + audit_log_format(ab, " signal=%s", sig_names[ad->signal]); 69 70 else 70 71 audit_log_format(ab, " signal=rtmin+%d", 71 - aad(sa)->signal - SIGRT_BASE); 72 + ad->signal - SIGRT_BASE); 72 73 audit_log_format(ab, " peer="); 73 - aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer, 74 + aa_label_xaudit(ab, labels_ns(ad->label), ad->peer, 74 75 FLAGS_NONE, GFP_ATOMIC); 75 76 } 76 77 77 78 static int profile_signal_perm(struct aa_profile *profile, 78 79 struct aa_label *peer, u32 request, 79 - struct common_audit_data *sa) 80 + struct apparmor_audit_data *ad) 80 81 { 81 82 struct aa_ruleset *rules = list_first_entry(&profile->rules, 82 83 typeof(*rules), list); ··· 88 87 !ANY_RULE_MEDIATES(&profile->rules, AA_CLASS_SIGNAL)) 89 88 return 0; 90 89 91 - aad(sa)->peer = peer; 90 + ad->peer = peer; 92 91 /* TODO: secondary cache check <profile, profile, perm> */ 93 92 state = aa_dfa_next(rules->policy.dfa, 94 93 rules->policy.start[AA_CLASS_SIGNAL], 95 - aad(sa)->signal); 94 + ad->signal); 96 
95 aa_label_match(profile, rules, peer, state, false, request, &perms); 97 96 aa_apply_modes_to_perms(profile, &perms); 98 - return aa_check_perms(profile, &perms, request, sa, audit_signal_cb); 97 + return aa_check_perms(profile, &perms, request, ad, audit_signal_cb); 99 98 } 100 99 101 100 int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig) 102 101 { 103 102 struct aa_profile *profile; 104 - DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_SIGNAL, OP_SIGNAL); 103 + DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_SIGNAL, OP_SIGNAL); 105 104 106 - aad(&sa)->signal = map_signal_num(sig); 107 - aad(&sa)->unmappedsig = sig; 105 + ad.signal = map_signal_num(sig); 106 + ad.unmappedsig = sig; 108 107 return xcheck_labels(sender, target, profile, 109 - profile_signal_perm(profile, target, MAY_WRITE, &sa), 110 - profile_signal_perm(profile, sender, MAY_READ, &sa)); 108 + profile_signal_perm(profile, target, MAY_WRITE, &ad), 109 + profile_signal_perm(profile, sender, MAY_READ, &ad)); 111 110 }
+24 -23
security/apparmor/lib.c
··· 144 144 void aa_info_message(const char *str) 145 145 { 146 146 if (audit_enabled) { 147 - DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL); 147 + DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL); 148 148 149 - aad(&sa)->info = str; 150 - aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, NULL); 149 + ad.info = str; 150 + aa_audit_msg(AUDIT_APPARMOR_STATUS, &ad, NULL); 151 151 } 152 152 printk(KERN_INFO "AppArmor: %s\n", str); 153 153 } ··· 282 282 static void aa_audit_perms_cb(struct audit_buffer *ab, void *va) 283 283 { 284 284 struct common_audit_data *sa = va; 285 + struct apparmor_audit_data *ad = aad(sa); 285 286 286 - if (aad(sa)->request) { 287 + if (ad->request) { 287 288 audit_log_format(ab, " requested_mask="); 288 - aa_audit_perm_mask(ab, aad(sa)->request, aa_file_perm_chrs, 289 + aa_audit_perm_mask(ab, ad->request, aa_file_perm_chrs, 289 290 PERMS_CHRS_MASK, aa_file_perm_names, 290 291 PERMS_NAMES_MASK); 291 292 } 292 - if (aad(sa)->denied) { 293 + if (ad->denied) { 293 294 audit_log_format(ab, "denied_mask="); 294 - aa_audit_perm_mask(ab, aad(sa)->denied, aa_file_perm_chrs, 295 + aa_audit_perm_mask(ab, ad->denied, aa_file_perm_chrs, 295 296 PERMS_CHRS_MASK, aa_file_perm_names, 296 297 PERMS_NAMES_MASK); 297 298 } 298 299 audit_log_format(ab, " peer="); 299 - aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer, 300 + aa_label_xaudit(ab, labels_ns(ad->label), ad->peer, 300 301 FLAGS_NONE, GFP_ATOMIC); 301 302 } 302 303 ··· 351 350 /* currently unused */ 352 351 int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target, 353 352 u32 request, int type, u32 *deny, 354 - struct common_audit_data *sa) 353 + struct apparmor_audit_data *ad) 355 354 { 356 355 struct aa_ruleset *rules = list_first_entry(&profile->rules, 357 356 typeof(*rules), list); 358 357 struct aa_perms perms; 359 358 360 - aad(sa)->label = &profile->label; 361 - aad(sa)->peer = &target->label; 362 - aad(sa)->request = request; 359 + 
ad->label = &profile->label; 360 + ad->peer = &target->label; 361 + ad->request = request; 363 362 364 363 aa_profile_match_label(profile, rules, &target->label, type, request, 365 364 &perms); 366 365 aa_apply_modes_to_perms(profile, &perms); 367 366 *deny |= request & perms.deny; 368 - return aa_check_perms(profile, &perms, request, sa, aa_audit_perms_cb); 367 + return aa_check_perms(profile, &perms, request, ad, aa_audit_perms_cb); 369 368 } 370 369 371 370 /** ··· 373 372 * @profile: profile being checked 374 373 * @perms: perms computed for the request 375 374 * @request: requested perms 376 - * @sa: initialized audit structure (MAY BE NULL if not auditing) 375 + * @ad: initialized audit structure (MAY BE NULL if not auditing) 377 376 * @cb: callback fn for type specific fields (MAY BE NULL) 378 377 * 379 378 * Returns: 0 if permission else error code ··· 386 385 * with a positive value. 387 386 */ 388 387 int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms, 389 - u32 request, struct common_audit_data *sa, 388 + u32 request, struct apparmor_audit_data *ad, 390 389 void (*cb)(struct audit_buffer *, void *)) 391 390 { 392 391 int type, error; ··· 395 394 if (likely(!denied)) { 396 395 /* mask off perms that are not being force audited */ 397 396 request &= perms->audit; 398 - if (!request || !sa) 397 + if (!request || !ad) 399 398 return 0; 400 399 401 400 type = AUDIT_APPARMOR_AUDIT; ··· 414 413 error = -ENOENT; 415 414 416 415 denied &= ~perms->quiet; 417 - if (!sa || !denied) 416 + if (!ad || !denied) 418 417 return error; 419 418 } 420 419 421 - if (sa) { 422 - aad(sa)->label = &profile->label; 423 - aad(sa)->request = request; 424 - aad(sa)->denied = denied; 425 - aad(sa)->error = error; 426 - aa_audit_msg(type, sa, cb); 420 + if (ad) { 421 + ad->label = &profile->label; 422 + ad->request = request; 423 + ad->denied = denied; 424 + ad->error = error; 425 + aa_audit_msg(type, ad, cb); 427 426 } 428 427 429 428 if (type == 
AUDIT_APPARMOR_ALLOWED)
+6 -6
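--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -662,7 +662,7 @@
 	char *command, *largs = NULL, *args = value;
 	size_t arg_size;
 	int error;
-	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE,
+	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE,
 			  OP_SETPROCATTR);
 
 	if (size == 0)
@@ -722,11 +722,11 @@
 	return error;
 
 fail:
-	aad(&sa)->label = begin_current_label_crit_section();
-	aad(&sa)->info = name;
-	aad(&sa)->error = error = -EINVAL;
-	aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
-	end_current_label_crit_section(aad(&sa)->label);
+	ad.label = begin_current_label_crit_section();
+	ad.info = name;
+	ad.error = error = -EINVAL;
+	aa_audit_msg(AUDIT_APPARMOR_DENIED, &ad, NULL);
+	end_current_label_crit_section(ad.label);
 	goto out;
 }
 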
+21 -20
security/apparmor/mount.c
··· 86 86 static void audit_cb(struct audit_buffer *ab, void *va) 87 87 { 88 88 struct common_audit_data *sa = va; 89 + struct apparmor_audit_data *ad = aad(sa); 89 90 90 - if (aad(sa)->mnt.type) { 91 + if (ad->mnt.type) { 91 92 audit_log_format(ab, " fstype="); 92 - audit_log_untrustedstring(ab, aad(sa)->mnt.type); 93 + audit_log_untrustedstring(ab, ad->mnt.type); 93 94 } 94 - if (aad(sa)->mnt.src_name) { 95 + if (ad->mnt.src_name) { 95 96 audit_log_format(ab, " srcname="); 96 - audit_log_untrustedstring(ab, aad(sa)->mnt.src_name); 97 + audit_log_untrustedstring(ab, ad->mnt.src_name); 97 98 } 98 - if (aad(sa)->mnt.trans) { 99 + if (ad->mnt.trans) { 99 100 audit_log_format(ab, " trans="); 100 - audit_log_untrustedstring(ab, aad(sa)->mnt.trans); 101 + audit_log_untrustedstring(ab, ad->mnt.trans); 101 102 } 102 - if (aad(sa)->mnt.flags) { 103 + if (ad->mnt.flags) { 103 104 audit_log_format(ab, " flags=\""); 104 - audit_mnt_flags(ab, aad(sa)->mnt.flags); 105 + audit_mnt_flags(ab, ad->mnt.flags); 105 106 audit_log_format(ab, "\""); 106 107 } 107 - if (aad(sa)->mnt.data) { 108 + if (ad->mnt.data) { 108 109 audit_log_format(ab, " options="); 109 - audit_log_untrustedstring(ab, aad(sa)->mnt.data); 110 + audit_log_untrustedstring(ab, ad->mnt.data); 110 111 } 111 112 } 112 113 ··· 135 134 struct aa_perms *perms, const char *info, int error) 136 135 { 137 136 int audit_type = AUDIT_APPARMOR_AUTO; 138 - DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op); 137 + DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op); 139 138 140 139 if (likely(!error)) { 141 140 u32 mask = perms->audit; ··· 166 165 return error; 167 166 } 168 167 169 - aad(&sa)->name = name; 170 - aad(&sa)->mnt.src_name = src_name; 171 - aad(&sa)->mnt.type = type; 172 - aad(&sa)->mnt.trans = trans; 173 - aad(&sa)->mnt.flags = flags; 168 + ad.name = name; 169 + ad.mnt.src_name = src_name; 170 + ad.mnt.type = type; 171 + ad.mnt.trans = trans; 172 + ad.mnt.flags = flags; 174 173 if (data && 
(perms->audit & AA_AUDIT_DATA)) 175 - aad(&sa)->mnt.data = data; 176 - aad(&sa)->info = info; 177 - aad(&sa)->error = error; 174 + ad.mnt.data = data; 175 + ad.info = info; 176 + ad.error = error; 178 177 179 - return aa_audit(audit_type, profile, &sa, audit_cb); 178 + return aa_audit(audit_type, profile, &ad, audit_cb); 180 179 } 181 180 182 181 /**
+23 -21
security/apparmor/net.c
··· 71 71 void audit_net_cb(struct audit_buffer *ab, void *va) 72 72 { 73 73 struct common_audit_data *sa = va; 74 + struct apparmor_audit_data *ad = aad(sa); 74 75 75 76 if (address_family_names[sa->u.net->family]) 76 77 audit_log_format(ab, " family=\"%s\"", ··· 79 78 else 80 79 audit_log_format(ab, " family=\"unknown(%d)\"", 81 80 sa->u.net->family); 82 - if (sock_type_names[aad(sa)->net.type]) 81 + if (sock_type_names[ad->net.type]) 83 82 audit_log_format(ab, " sock_type=\"%s\"", 84 - sock_type_names[aad(sa)->net.type]); 83 + sock_type_names[ad->net.type]); 85 84 else 86 85 audit_log_format(ab, " sock_type=\"unknown(%d)\"", 87 - aad(sa)->net.type); 88 - audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol); 86 + ad->net.type); 87 + audit_log_format(ab, " protocol=%d", ad->net.protocol); 89 88 90 - if (aad(sa)->request & NET_PERMS_MASK) { 89 + if (ad->request & NET_PERMS_MASK) { 91 90 audit_log_format(ab, " requested_mask="); 92 - aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0, 91 + aa_audit_perm_mask(ab, ad->request, NULL, 0, 93 92 net_mask_names, NET_PERMS_MASK); 94 93 95 - if (aad(sa)->denied & NET_PERMS_MASK) { 94 + if (ad->denied & NET_PERMS_MASK) { 96 95 audit_log_format(ab, " denied_mask="); 97 - aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0, 96 + aa_audit_perm_mask(ab, ad->denied, NULL, 0, 98 97 net_mask_names, NET_PERMS_MASK); 99 98 } 100 99 } 101 - if (aad(sa)->peer) { 100 + if (ad->peer) { 102 101 audit_log_format(ab, " peer="); 103 - aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer, 102 + aa_label_xaudit(ab, labels_ns(ad->label), ad->peer, 104 103 FLAGS_NONE, GFP_ATOMIC); 105 104 } 106 105 } 107 106 108 107 /* Generic af perm */ 109 - int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa, 110 - u32 request, u16 family, int type) 108 + int aa_profile_af_perm(struct aa_profile *profile, 109 + struct apparmor_audit_data *ad, u32 request, u16 family, 110 + int type) 111 111 { 112 112 struct aa_ruleset 
*rules = list_first_entry(&profile->rules, 113 113 typeof(*rules), list); ··· 132 130 perms = *aa_lookup_perms(&rules->policy, state); 133 131 aa_apply_modes_to_perms(profile, &perms); 134 132 135 - return aa_check_perms(profile, &perms, request, sa, audit_net_cb); 133 + return aa_check_perms(profile, &perms, request, ad, audit_net_cb); 136 134 } 137 135 138 136 int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family, 139 137 int type, int protocol) 140 138 { 141 139 struct aa_profile *profile; 142 - DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol); 140 + DEFINE_AUDIT_NET(ad, op, NULL, family, type, protocol); 143 141 144 142 return fn_for_each_confined(label, profile, 145 - aa_profile_af_perm(profile, &sa, request, family, 143 + aa_profile_af_perm(profile, &ad, request, family, 146 144 type)); 147 145 } 148 146 ··· 157 155 158 156 if (ctx->label != kernel_t && !unconfined(label)) { 159 157 struct aa_profile *profile; 160 - DEFINE_AUDIT_SK(sa, op, sk); 158 + DEFINE_AUDIT_SK(ad, op, sk); 161 159 162 160 error = fn_for_each_confined(label, profile, 163 - aa_profile_af_sk_perm(profile, &sa, request, sk)); 161 + aa_profile_af_sk_perm(profile, &ad, request, sk)); 164 162 } 165 163 166 164 return error; ··· 216 214 } 217 215 218 216 static int aa_secmark_perm(struct aa_profile *profile, u32 request, u32 secid, 219 - struct common_audit_data *sa) 217 + struct apparmor_audit_data *ad) 220 218 { 221 219 int i, ret; 222 220 struct aa_perms perms = { }; ··· 247 245 248 246 aa_apply_modes_to_perms(profile, &perms); 249 247 250 - return aa_check_perms(profile, &perms, request, sa, audit_net_cb); 248 + return aa_check_perms(profile, &perms, request, ad, audit_net_cb); 251 249 } 252 250 253 251 int apparmor_secmark_check(struct aa_label *label, char *op, u32 request, 254 252 u32 secid, const struct sock *sk) 255 253 { 256 254 struct aa_profile *profile; 257 - DEFINE_AUDIT_SK(sa, op, sk); 255 + DEFINE_AUDIT_SK(ad, op, sk); 258 256 259 257 return 
fn_for_each_confined(label, profile, 260 258 aa_secmark_perm(profile, request, secid, 261 - &sa)); 259 + &ad)); 262 260 } 263 261 #endif
+10 -9
security/apparmor/policy.c
··· 723 723 static void audit_cb(struct audit_buffer *ab, void *va) 724 724 { 725 725 struct common_audit_data *sa = va; 726 + struct apparmor_audit_data *ad = aad(sa); 726 727 727 - if (aad(sa)->iface.ns) { 728 + if (ad->iface.ns) { 728 729 audit_log_format(ab, " ns="); 729 - audit_log_untrustedstring(ab, aad(sa)->iface.ns); 730 + audit_log_untrustedstring(ab, ad->iface.ns); 730 731 } 731 732 } 732 733 ··· 746 745 const char *ns_name, const char *name, 747 746 const char *info, int error) 748 747 { 749 - DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, op); 748 + DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, op); 750 749 751 - aad(&sa)->iface.ns = ns_name; 752 - aad(&sa)->name = name; 753 - aad(&sa)->info = info; 754 - aad(&sa)->error = error; 755 - aad(&sa)->label = label; 750 + ad.iface.ns = ns_name; 751 + ad.name = name; 752 + ad.info = info; 753 + ad.error = error; 754 + ad.label = label; 756 755 757 - aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, audit_cb); 756 + aa_audit_msg(AUDIT_APPARMOR_STATUS, &ad, audit_cb); 758 757 759 758 return error; 760 759 }
+15 -14
security/apparmor/policy_unpack.c
··· 34 34 static void audit_cb(struct audit_buffer *ab, void *va) 35 35 { 36 36 struct common_audit_data *sa = va; 37 + struct apparmor_audit_data *ad = aad(sa); 37 38 38 - if (aad(sa)->iface.ns) { 39 + if (ad->iface.ns) { 39 40 audit_log_format(ab, " ns="); 40 - audit_log_untrustedstring(ab, aad(sa)->iface.ns); 41 + audit_log_untrustedstring(ab, ad->iface.ns); 41 42 } 42 - if (aad(sa)->name) { 43 + if (ad->name) { 43 44 audit_log_format(ab, " name="); 44 - audit_log_untrustedstring(ab, aad(sa)->name); 45 + audit_log_untrustedstring(ab, ad->name); 45 46 } 46 - if (aad(sa)->iface.pos) 47 - audit_log_format(ab, " offset=%ld", aad(sa)->iface.pos); 47 + if (ad->iface.pos) 48 + audit_log_format(ab, " offset=%ld", ad->iface.pos); 48 49 } 49 50 50 51 /** ··· 64 63 int error) 65 64 { 66 65 struct aa_profile *profile = labels_profile(aa_current_raw_label()); 67 - DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL); 66 + DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL); 68 67 if (e) 69 - aad(&sa)->iface.pos = e->pos - e->start; 70 - aad(&sa)->iface.ns = ns_name; 68 + ad.iface.pos = e->pos - e->start; 69 + ad.iface.ns = ns_name; 71 70 if (new) 72 - aad(&sa)->name = new->base.hname; 71 + ad.name = new->base.hname; 73 72 else 74 - aad(&sa)->name = name; 75 - aad(&sa)->info = info; 76 - aad(&sa)->error = error; 73 + ad.name = name; 74 + ad.info = info; 75 + ad.error = error; 77 76 78 - return aa_audit(AUDIT_APPARMOR_STATUS, profile, &sa, audit_cb); 77 + return aa_audit(AUDIT_APPARMOR_STATUS, profile, &ad, audit_cb); 79 78 } 80 79 81 80 void __aa_loaddata_update(struct aa_loaddata *data, long revision)
+12 -11
security/apparmor/resource.c
··· 30 30 static void audit_cb(struct audit_buffer *ab, void *va) 31 31 { 32 32 struct common_audit_data *sa = va; 33 + struct apparmor_audit_data *ad = aad(sa); 33 34 34 35 audit_log_format(ab, " rlimit=%s value=%lu", 35 - rlim_names[aad(sa)->rlim.rlim], aad(sa)->rlim.max); 36 - if (aad(sa)->peer) { 36 + rlim_names[ad->rlim.rlim], ad->rlim.max); 37 + if (ad->peer) { 37 38 audit_log_format(ab, " peer="); 38 - aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer, 39 + aa_label_xaudit(ab, labels_ns(ad->label), ad->peer, 39 40 FLAGS_NONE, GFP_ATOMIC); 40 41 } 41 42 } ··· 50 49 * @info: info being auditing 51 50 * @error: error value 52 51 * 53 - * Returns: 0 or sa->error else other error code on failure 52 + * Returns: 0 or ad->error else other error code on failure 54 53 */ 55 54 static int audit_resource(struct aa_profile *profile, unsigned int resource, 56 55 unsigned long value, struct aa_label *peer, 57 56 const char *info, int error) 58 57 { 59 - DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_RLIMITS, 58 + DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_RLIMITS, 60 59 OP_SETRLIMIT); 61 60 62 - aad(&sa)->rlim.rlim = resource; 63 - aad(&sa)->rlim.max = value; 64 - aad(&sa)->peer = peer; 65 - aad(&sa)->info = info; 66 - aad(&sa)->error = error; 61 + ad.rlim.rlim = resource; 62 + ad.rlim.max = value; 63 + ad.peer = peer; 64 + ad.info = info; 65 + ad.error = error; 67 66 68 - return aa_audit(AUDIT_APPARMOR_AUTO, profile, &sa, audit_cb); 67 + return aa_audit(AUDIT_APPARMOR_AUTO, profile, &ad, audit_cb); 69 68 } 70 69 71 70 /**
+18 -17
security/apparmor/task.c
··· 205 205 static void audit_ptrace_cb(struct audit_buffer *ab, void *va) 206 206 { 207 207 struct common_audit_data *sa = va; 208 + struct apparmor_audit_data *ad = aad(sa); 208 209 209 - if (aad(sa)->request & AA_PTRACE_PERM_MASK) { 210 + if (ad->request & AA_PTRACE_PERM_MASK) { 210 211 audit_log_format(ab, " requested_mask=\"%s\"", 211 - audit_ptrace_mask(aad(sa)->request)); 212 + audit_ptrace_mask(ad->request)); 212 213 213 - if (aad(sa)->denied & AA_PTRACE_PERM_MASK) { 214 + if (ad->denied & AA_PTRACE_PERM_MASK) { 214 215 audit_log_format(ab, " denied_mask=\"%s\"", 215 - audit_ptrace_mask(aad(sa)->denied)); 216 + audit_ptrace_mask(ad->denied)); 216 217 } 217 218 } 218 219 audit_log_format(ab, " peer="); 219 - aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer, 220 + aa_label_xaudit(ab, labels_ns(ad->label), ad->peer, 220 221 FLAGS_NONE, GFP_ATOMIC); 221 222 } 222 223 ··· 225 224 /* TODO: conditionals */ 226 225 static int profile_ptrace_perm(struct aa_profile *profile, 227 226 struct aa_label *peer, u32 request, 228 - struct common_audit_data *sa) 227 + struct apparmor_audit_data *ad) 229 228 { 230 229 struct aa_ruleset *rules = list_first_entry(&profile->rules, 231 230 typeof(*rules), list); 232 231 struct aa_perms perms = { }; 233 232 234 - aad(sa)->peer = peer; 233 + ad->peer = peer; 235 234 aa_profile_match_label(profile, rules, peer, AA_CLASS_PTRACE, request, 236 235 &perms); 237 236 aa_apply_modes_to_perms(profile, &perms); 238 - return aa_check_perms(profile, &perms, request, sa, audit_ptrace_cb); 237 + return aa_check_perms(profile, &perms, request, ad, audit_ptrace_cb); 239 238 } 240 239 241 240 static int profile_tracee_perm(struct aa_profile *tracee, 242 241 struct aa_label *tracer, u32 request, 243 - struct common_audit_data *sa) 242 + struct apparmor_audit_data *ad) 244 243 { 245 244 if (profile_unconfined(tracee) || unconfined(tracer) || 246 245 !ANY_RULE_MEDIATES(&tracee->rules, AA_CLASS_PTRACE)) 247 246 return 0; 248 247 249 - return 
profile_ptrace_perm(tracee, tracer, request, sa); 248 + return profile_ptrace_perm(tracee, tracer, request, ad); 250 249 } 251 250 252 251 static int profile_tracer_perm(struct aa_profile *tracer, 253 252 struct aa_label *tracee, u32 request, 254 - struct common_audit_data *sa) 253 + struct apparmor_audit_data *ad) 255 254 { 256 255 if (profile_unconfined(tracer)) 257 256 return 0; 258 257 259 258 if (ANY_RULE_MEDIATES(&tracer->rules, AA_CLASS_PTRACE)) 260 - return profile_ptrace_perm(tracer, tracee, request, sa); 259 + return profile_ptrace_perm(tracer, tracee, request, ad); 261 260 262 261 /* profile uses the old style capability check for ptrace */ 263 262 if (&tracer->label == tracee) 264 263 return 0; 265 264 266 - aad(sa)->label = &tracer->label; 267 - aad(sa)->peer = tracee; 268 - aad(sa)->request = 0; 269 - aad(sa)->error = aa_capable(&tracer->label, CAP_SYS_PTRACE, 265 + ad->label = &tracer->label; 266 + ad->peer = tracee; 267 + ad->request = 0; 268 + ad->error = aa_capable(&tracer->label, CAP_SYS_PTRACE, 270 269 CAP_OPT_NONE); 271 270 272 - return aa_audit(AUDIT_APPARMOR_AUTO, tracer, sa, audit_ptrace_cb); 271 + return aa_audit(AUDIT_APPARMOR_AUTO, tracer, ad, audit_ptrace_cb); 273 272 } 274 273 275 274 /**
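Review bot: profile_ptrace_perm, profile_tracee_perm and profile_tracer_perm change their last parameter to `struct apparmor_audit_data *ad` but none of the three carries a kernel-doc, and the only comment above profile_ptrace_perm is the `/* TODO: conditionals */` marker. A short block above profile_tracer_perm would help here because it is the one that mutates the caller's audit data in the capability fallback, overwriting `ad->label`, `ad->peer`, `ad->request` and `ad->error` before calling aa_audit; I would document @tracer, @tracee, @request and @ad, note that @ad is filled in (not just read) on that path, and state that the return is 0 or the error from the permission or capability check. Whether the fallback intends to clobber a `request` value the caller had already set is not visible from the hunk; the callers of these three functions are outside it.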