From 754f209b811ac462e00ed0f79b48047c446f5c43 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Thu, 12 Nov 2020 10:07:25 -0800 Subject: apparmor: move fperm computation into policy_unpack fperm computation is only needed during policy_unpack so move the code there to isolate it fromt the run time code. Signed-off-by: John Johansen --- security/apparmor/file.c | 97 -------------------------------------- security/apparmor/include/file.h | 1 - security/apparmor/policy_unpack.c | 98 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 98 insertions(+), 98 deletions(-) (limited to 'security') diff --git a/security/apparmor/file.c b/security/apparmor/file.c index 710b7d7517eb..1227ae839154 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c @@ -174,103 +174,6 @@ static int path_name(const char *op, struct aa_label *label, return 0; } -/** - * map_old_perms - map old file perms layout to the new layout - * @old: permission set in old mapping - * - * Returns: new permission mapping - */ -static u32 map_old_perms(u32 old) -{ - u32 new = old & 0xf; - if (old & MAY_READ) - new |= AA_MAY_GETATTR | AA_MAY_OPEN; - if (old & MAY_WRITE) - new |= AA_MAY_SETATTR | AA_MAY_CREATE | AA_MAY_DELETE | - AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_OPEN; - if (old & 0x10) - new |= AA_MAY_LINK; - /* the old mapping lock and link_subset flags where overlaid - * and use was determined by part of a pair that they were in - */ - if (old & 0x20) - new |= AA_MAY_LOCK | AA_LINK_SUBSET; - if (old & 0x40) /* AA_EXEC_MMAP */ - new |= AA_EXEC_MMAP; - - return new; -} - -static void __aa_compute_fperms_allow(struct aa_perms *perms, - struct aa_dfa *dfa, - unsigned int state) -{ - perms->allow |= AA_MAY_GETATTR; - - /* change_profile wasn't determined by ownership in old mapping */ - if (ACCEPT_TABLE(dfa)[state] & 0x80000000) - perms->allow |= AA_MAY_CHANGE_PROFILE; - if (ACCEPT_TABLE(dfa)[state] & 0x40000000) - perms->allow |= AA_MAY_ONEXEC; -} - -static struct aa_perms __aa_compute_fperms_user(struct aa_dfa *dfa, - unsigned int state) -{ - struct aa_perms perms = { }; - - perms.allow = map_old_perms(dfa_user_allow(dfa, state)); - perms.audit = map_old_perms(dfa_user_audit(dfa, state)); - perms.quiet = map_old_perms(dfa_user_quiet(dfa, state)); - perms.xindex = dfa_user_xindex(dfa, state); - - __aa_compute_fperms_allow(&perms, dfa, state); - - return perms; -} - -static struct aa_perms __aa_compute_fperms_other(struct aa_dfa *dfa, - unsigned int state) -{ - struct aa_perms perms = { }; - - perms.allow = map_old_perms(dfa_other_allow(dfa, state)); - perms.audit = map_old_perms(dfa_other_audit(dfa, state)); - perms.quiet = map_old_perms(dfa_other_quiet(dfa, state)); - perms.xindex = dfa_other_xindex(dfa, state); - - __aa_compute_fperms_allow(&perms, dfa, state); - - return perms; -} - -/** - * aa_compute_fperms - convert dfa compressed perms to internal perms and store - * them so they can be retrieved later. - * @file_rules: a file_rules structure containing a dfa (NOT NULL) for which - * permissions will be computed (NOT NULL) - * - * TODO: convert from dfa + state to permission entry - */ -void aa_compute_fperms(struct aa_file_rules *file_rules) -{ - int state; - int state_count = file_rules->dfa->tables[YYTD_ID_BASE]->td_lolen; - - // DFAs are restricted from having a state_count of less than 2 - file_rules->fperms_table = kvzalloc( - state_count * 2 * sizeof(struct aa_perms), GFP_KERNEL); - - // Since fperms_table is initialized with zeroes via kvzalloc(), we can - // skip the trap state (state == 0) - for (state = 1; state < state_count; state++) { - file_rules->fperms_table[state * 2] = - __aa_compute_fperms_user(file_rules->dfa, state); - file_rules->fperms_table[state * 2 + 1] = - __aa_compute_fperms_other(file_rules->dfa, state); - } -} - /** * aa_lookup_fperms - convert dfa compressed perms to internal perms * @dfa: dfa to lookup perms for (NOT NULL) diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h index ab201d625a34..1f9e54aa1adf 100644 --- a/security/apparmor/include/file.h +++ b/security/apparmor/include/file.h @@ -184,7 +184,6 @@ struct aa_file_rules { struct aa_perms *fperms_table; }; -void aa_compute_fperms(struct aa_file_rules *file_rules); struct aa_perms *aa_lookup_fperms(struct aa_file_rules *file_rules, unsigned int state, struct path_cond *cond); unsigned int aa_str_perms(struct aa_file_rules *file_rules, unsigned int start, diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index 70b7a35b5b96..c22c6815ff4b 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -669,6 +669,104 @@ static int datacmp(struct rhashtable_compare_arg *arg, const void *obj) return strcmp(data->key, *key); } +/** + * map_old_perms - map old file perms layout to the new layout + * @old: permission set in old mapping + * + * Returns: new permission mapping + */ +static u32 map_old_perms(u32 old) +{ + u32 new = old & 0xf; + + if (old & MAY_READ) + new |= AA_MAY_GETATTR | AA_MAY_OPEN; + if (old & MAY_WRITE) + new |= AA_MAY_SETATTR | AA_MAY_CREATE | AA_MAY_DELETE | + AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_OPEN; + if (old & 0x10) + new |= AA_MAY_LINK; + /* the old mapping lock and link_subset flags where overlaid + * and use was determined by part of a pair that they were in + */ + if (old & 0x20) + new |= AA_MAY_LOCK | AA_LINK_SUBSET; + if (old & 0x40) /* AA_EXEC_MMAP */ + new |= AA_EXEC_MMAP; + + return new; +} + +static void __aa_compute_fperms_allow(struct aa_perms *perms, + struct aa_dfa *dfa, + unsigned int state) +{ + perms->allow |= AA_MAY_GETATTR; + + /* change_profile wasn't determined by ownership in old mapping */ + if (ACCEPT_TABLE(dfa)[state] & 0x80000000) + perms->allow |= AA_MAY_CHANGE_PROFILE; + if (ACCEPT_TABLE(dfa)[state] & 0x40000000) + perms->allow |= AA_MAY_ONEXEC; +} + +static struct aa_perms __aa_compute_fperms_user(struct aa_dfa *dfa, + unsigned int state) +{ + struct aa_perms perms = { }; + + perms.allow = map_old_perms(dfa_user_allow(dfa, state)); + perms.audit = map_old_perms(dfa_user_audit(dfa, state)); + perms.quiet = map_old_perms(dfa_user_quiet(dfa, state)); + perms.xindex = dfa_user_xindex(dfa, state); + + __aa_compute_fperms_allow(&perms, dfa, state); + + return perms; +} + +static struct aa_perms __aa_compute_fperms_other(struct aa_dfa *dfa, + unsigned int state) +{ + struct aa_perms perms = { }; + + perms.allow = map_old_perms(dfa_other_allow(dfa, state)); + perms.audit = map_old_perms(dfa_other_audit(dfa, state)); + perms.quiet = map_old_perms(dfa_other_quiet(dfa, state)); + perms.xindex = dfa_other_xindex(dfa, state); + + __aa_compute_fperms_allow(&perms, dfa, state); + + return perms; +} + +/** + * aa_compute_fperms - convert dfa compressed perms to internal perms and store + * them so they can be retrieved later. + * @file_rules: a file_rules structure containing a dfa (NOT NULL) for which + * permissions will be computed (NOT NULL) + * + * TODO: convert from dfa + state to permission entry + */ +static void aa_compute_fperms(struct aa_file_rules *file_rules) +{ + int state; + int state_count = file_rules->dfa->tables[YYTD_ID_BASE]->td_lolen; + + // DFAs are restricted from having a state_count of less than 2 + file_rules->fperms_table = kvzalloc( + state_count * 2 * sizeof(struct aa_perms), GFP_KERNEL); + + // Since fperms_table is initialized with zeroes via kvzalloc(), we can + // skip the trap state (state == 0) + for (state = 1; state < state_count; state++) { + file_rules->fperms_table[state * 2] = + __aa_compute_fperms_user(file_rules->dfa, state); + file_rules->fperms_table[state * 2 + 1] = + __aa_compute_fperms_other(file_rules->dfa, state); + } +} + static u32 *aa_compute_xmatch_perms(struct aa_dfa *xmatch) { u32 *perms_table; -- cgit v1.2.3