apparmor: switch from file_perms to aa_perms

Signed-off-by: NJohn Johansen <john.johansen@canonical.com>

security/apparmor/domain.c

@@ -93,12 +93,12 @@ static int may_change_ptraced_domain(struct aa_profile *to_profile)
  *
  * Returns: permission set
  */
-static struct file_perms change_profile_perms(struct aa_profile *profile,
+static struct aa_perms change_profile_perms(struct aa_profile *profile,
 					    struct aa_ns *ns,
 					    const char *name, u32 request,
 					    unsigned int start)
 {
-	struct file_perms perms;
+	struct aa_perms perms;
 	struct path_cond cond = { };
 	unsigned int state;
 
@@ -342,7 +342,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 	struct aa_ns *ns;
 	char *buffer = NULL;
 	unsigned int state;
-	struct file_perms perms = {};
+	struct aa_perms perms = {};
 	struct path_cond cond = {
 		file_inode(bprm->file)->i_uid,
 		file_inode(bprm->file)->i_mode
@@ -400,7 +400,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 	/* find exec permissions for name */
 	state = aa_str_perms(profile->file.dfa, state, name, &cond, &perms);
 	if (ctx->onexec) {
-		struct file_perms cp;
+		struct aa_perms cp;
 		info = "change_profile onexec";
 		new_profile = aa_get_newest_profile(ctx->onexec);
 		if (!(perms.allow & AA_MAY_ONEXEC))
@@ -609,7 +609,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
 	struct aa_profile *profile, *previous_profile, *hat = NULL;
 	char *name = NULL;
 	int i;
-	struct file_perms perms = {};
+	struct aa_perms perms = {};
 	const char *target = NULL, *info = NULL;
 	int error = 0;
 
@@ -748,7 +748,7 @@ int aa_change_profile(const char *fqname, bool onexec,
 {
 	const struct cred *cred;
 	struct aa_profile *profile, *target = NULL;
-	struct file_perms perms = {};
+	struct aa_perms perms = {};
 	const char *info = NULL, *op;
 	int error = 0;
 	u32 request;

security/apparmor/file.c

@@ -19,8 +19,6 @@
 #include "include/path.h"
 #include "include/policy.h"
 
-struct file_perms nullperms;
-
 static u32 map_mask_to_chr_mask(u32 mask)
 {
 	u32 m = mask & PERMS_CHRS_MASK;
@@ -92,7 +90,7 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
  *
  * Returns: %0 or error on failure
  */
-int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
+int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
 		  const char *op, u32 request, const char *name,
 		  const char *target, kuid_t ouid, const char *info, int error)
 {
@@ -170,7 +168,7 @@ static u32 map_old_perms(u32 old)
 }
 
 /**
- * compute_perms - convert dfa compressed perms to internal perms
+ * aa_compute_fperms - convert dfa compressed perms to internal perms
  * @dfa: dfa to compute perms for   (NOT NULL)
  * @state: state in dfa
  * @cond:  conditions to consider  (NOT NULL)
@@ -180,17 +178,21 @@ static u32 map_old_perms(u32 old)
  *
  * Returns: computed permission set
  */
-static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
+struct aa_perms aa_compute_fperms(struct aa_dfa *dfa, unsigned int state,
 				  struct path_cond *cond)
 {
-	struct file_perms perms;
+	struct aa_perms perms;
 
 	/* FIXME: change over to new dfa format
 	 * currently file perms are encoded in the dfa, new format
 	 * splits the permissions from the dfa.  This mapping can be
 	 * done at profile load
 	 */
-	perms.kill = 0;
+	perms.deny = 0;
+	perms.kill = perms.stop = 0;
+	perms.complain = perms.cond = 0;
+	perms.hide = 0;
+	perms.prompt = 0;
 
 	if (uid_eq(current_fsuid(), cond->uid)) {
 		perms.allow = map_old_perms(dfa_user_allow(dfa, state));
@@ -226,16 +228,11 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
  */
 unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
 			  const char *name, struct path_cond *cond,
-			  struct file_perms *perms)
+			  struct aa_perms *perms)
 {
 	unsigned int state;
-	if (!dfa) {
-		*perms = nullperms;
-		return DFA_NOMATCH;
-	}
-
 	state = aa_dfa_match(dfa, start, name);
-	*perms = compute_perms(dfa, state, cond);
+	*perms = aa_compute_fperms(dfa, state, cond);
 
 	return state;
 }
@@ -269,7 +266,7 @@ int aa_path_perm(const char *op, struct aa_profile *profile,
 		 struct path_cond *cond)
 {
 	char *buffer = NULL;
-	struct file_perms perms = {};
+	struct aa_perms perms = {};
 	const char *name, *info = NULL;
 	int error;
 
@@ -348,7 +345,7 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
 	};
 	char *buffer = NULL, *buffer2 = NULL;
 	const char *lname, *tname = NULL, *info = NULL;
-	struct file_perms lperms, perms;
+	struct aa_perms lperms, perms;
 	u32 request = AA_MAY_LINK;
 	unsigned int state;
 	int error;

security/apparmor/include/file.h

@@ -90,25 +90,6 @@ struct path_cond {
 	umode_t mode;
 };
 
-/* struct file_perms - file permission
- * @allow: mask of permissions that are allowed
- * @audit: mask of permissions to force an audit message for
- * @quiet: mask of permissions to quiet audit messages for
- * @kill: mask of permissions that when matched will kill the task
- * @xindex: exec transition index if @allow contains MAY_EXEC
- *
- * The @audit and @queit mask should be mutually exclusive.
- */
-struct file_perms {
-	u32 allow;
-	u32 audit;
-	u32 quiet;
-	u32 kill;
-	u16 xindex;
-};
-
-extern struct file_perms nullperms;
-
 #define COMBINED_PERM_MASK(X) ((X).allow | (X).audit | (X).quiet | (X).kill)
 
 /* FIXME: split perms from dfa and match this to description
@@ -159,7 +140,7 @@ static inline u16 dfa_map_xindex(u16 mask)
 #define dfa_other_xindex(dfa, state) \
 	dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
 
-int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
+int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
 		  const char *op, u32 request, const char *name,
 		  const char *target, kuid_t ouid, const char *info, int error);
 
@@ -182,9 +163,11 @@ struct aa_file_rules {
 	/* TODO: add delegate table */
 };
 
+struct aa_perms aa_compute_fperms(struct aa_dfa *dfa, unsigned int state,
+				    struct path_cond *cond);
 unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
 			  const char *name, struct path_cond *cond,
-			  struct file_perms *perms);
+			  struct aa_perms *perms);
 
 int aa_path_perm(const char *op, struct aa_profile *profile,
 		 const struct path *path, int flags, u32 request,

security/apparmor/include/perms.h

@@ -88,7 +88,7 @@ struct aa_perms {
 };
 
 #define ALL_PERMS_MASK 0xffffffff
-
+extern struct aa_perms nullperms;
 extern struct aa_perms allperms;
 
 struct aa_profile;

security/apparmor/lib.c

@@ -24,6 +24,7 @@
 #include "include/perms.h"
 #include "include/policy.h"
 
+struct aa_perms nullperms;
 struct aa_perms allperms = { .allow = ALL_PERMS_MASK,
 			     .quiet = ALL_PERMS_MASK,
 			     .hide = ALL_PERMS_MASK };