projects / openwrt / staging / blogic.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 56974a6)
apparmor: remove POLICY_MEDIATES_SAFE
authorJohn Johansen <john.johansen@canonical.com>
Sat, 3 Mar 2018 09:59:02 +0000 (01:59 -0800)
committerJohn Johansen <john.johansen@canonical.com>
Wed, 14 Mar 2018 00:25:49 +0000 (17:25 -0700)
The unpack code now makes sure every profile has a dfa so the safe
version of POLICY_MEDIATES is no longer needed.

Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/apparmorfs.c patch | blob | history
security/apparmor/include/policy.h patch | blob | history

diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 10d16e3abed97938997c7bf09b7ddc5db668db1a..701cb3e5ec3b92f4c4a595c5d7e62fc2edc96d51 100644 (file)
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -619,7 +619,7 @@ static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
                        tmp = aa_compute_fperms(dfa, state, &cond);
                }
        } else if (profile->policy.dfa) {
-               if (!PROFILE_MEDIATES_SAFE(profile, *match_str))
+               if (!PROFILE_MEDIATES(profile, *match_str))
                        return; /* no change to current perms */
                dfa = profile->policy.dfa;
                state = aa_dfa_match_len(dfa, profile->policy.start[0],
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index ffe12a2366e00267387b27f84d63ac95b81258e8..ab64c6b5db5aca7aaae1b16a800d48c7499bc498 100644 (file)
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -214,17 +214,7 @@ static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
        return labels_profile(aa_get_newest_label(&p->label));
 }
 
-#define PROFILE_MEDIATES(P, T)  ((P)->policy.start[(T)])
-/* safe version of POLICY_MEDIATES for full range input */
-static inline unsigned int PROFILE_MEDIATES_SAFE(struct aa_profile *profile,
-                                                unsigned char class)
-{
-       if (profile->policy.dfa)
-               return aa_dfa_match_len(profile->policy.dfa,
-                                       profile->policy.start[0], &class, 1);
-       return 0;
-}
-
+#define PROFILE_MEDIATES(P, T)  ((P)->policy.start[(unsigned char) (T)])
 static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
                                               u16 AF) {
        unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
John Crispins staging tree