admin/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2025-12-07 20:06:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

apparmor: combine common_audit_data and apparmor_audit_data

Browse Source 
Everywhere where common_audit_data is used apparmor audit_data is also
used. We can simplify the code and drop the use of the aad macro
everywhere by combining the two structures.

Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
2022-09-14 00:20:12 -07:00
parent 79ddd4a7c5
commit bd7bd201ca
15 changed files with 254 additions and 242 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
security/apparmor/task.c
View File

@@ -205,18 +205,19 @@ static const char *audit_ptrace_mask(u32 mask)
static void audit_ptrace_cb(struct audit_buffer *ab, void *va)
{
struct common_audit_data *sa = va;
struct apparmor_audit_data *ad = aad(sa);
if (aad(sa)->request & AA_PTRACE_PERM_MASK) {
if (ad->request & AA_PTRACE_PERM_MASK) {
audit_log_format(ab, " requested_mask=\"%s\"",
audit_ptrace_mask(aad(sa)->request));
audit_ptrace_mask(ad->request));
if (aad(sa)->denied & AA_PTRACE_PERM_MASK) {
if (ad->denied & AA_PTRACE_PERM_MASK) {
audit_log_format(ab, " denied_mask=\"%s\"",
audit_ptrace_mask(aad(sa)->denied));
audit_ptrace_mask(ad->denied));
}
}
audit_log_format(ab, " peer=");
aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
aa_label_xaudit(ab, labels_ns(ad->label), ad->peer,
FLAGS_NONE, GFP_ATOMIC);
}
@@ -224,51 +225,51 @@ static void audit_ptrace_cb(struct audit_buffer *ab, void *va)
/* TODO: conditionals */
static int profile_ptrace_perm(struct aa_profile *profile,
struct aa_label *peer, u32 request,
struct common_audit_data *sa)
struct apparmor_audit_data *ad)
{
struct aa_ruleset *rules = list_first_entry(&profile->rules,
typeof(*rules), list);
struct aa_perms perms = { };
aad(sa)->peer = peer;
ad->peer = peer;
aa_profile_match_label(profile, rules, peer, AA_CLASS_PTRACE, request,
&perms);
aa_apply_modes_to_perms(profile, &perms);
return aa_check_perms(profile, &perms, request, sa, audit_ptrace_cb);
return aa_check_perms(profile, &perms, request, ad, audit_ptrace_cb);
}
static int profile_tracee_perm(struct aa_profile *tracee,
struct aa_label *tracer, u32 request,
struct common_audit_data *sa)
struct apparmor_audit_data *ad)
{
if (profile_unconfined(tracee) || unconfined(tracer) ||
!ANY_RULE_MEDIATES(&tracee->rules, AA_CLASS_PTRACE))
return 0;
return profile_ptrace_perm(tracee, tracer, request, sa);
return profile_ptrace_perm(tracee, tracer, request, ad);
}
static int profile_tracer_perm(struct aa_profile *tracer,
struct aa_label *tracee, u32 request,
struct common_audit_data *sa)
struct apparmor_audit_data *ad)
{
if (profile_unconfined(tracer))
return 0;
if (ANY_RULE_MEDIATES(&tracer->rules, AA_CLASS_PTRACE))
return profile_ptrace_perm(tracer, tracee, request, sa);
return profile_ptrace_perm(tracer, tracee, request, ad);
/* profile uses the old style capability check for ptrace */
if (&tracer->label == tracee)
return 0;
aad(sa)->label = &tracer->label;
aad(sa)->peer = tracee;
aad(sa)->request = 0;
aad(sa)->error = aa_capable(&tracer->label, CAP_SYS_PTRACE,
ad->label = &tracer->label;
ad->peer = tracee;
ad->request = 0;
ad->error = aa_capable(&tracer->label, CAP_SYS_PTRACE,
CAP_OPT_NONE);
return aa_audit(AUDIT_APPARMOR_AUTO, tracer, sa, audit_ptrace_cb);
return aa_audit(AUDIT_APPARMOR_AUTO, tracer, ad, audit_ptrace_cb);
}
/**