UBUNTU: SAUCE: apparmor4.0.0 [79/90]: apparmor: cleanup: refactor file_perm() to provide semantics of some checks

BugLink: http://bugs.launchpad.net/bugs/2028253

Provide semantics for some checks being done in file_perm(). This is
a preparatory patch for improvements to both permission caching and
delegation, where the check will become more involved.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 90580e2fd42b8e8c8e03d9554b8a36139436d4e8
https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next)
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>

security/apparmor/file.c

@@ -769,6 +769,19 @@ static int __file_mqueue_perm(const char *op, const struct cred *subj_cred,
 	return error;
 }
 
+/* wrapper fn to indicate semantics of the check */
+bool __subj_label_is_cached(struct aa_label *subj_label,
+			    struct aa_label *obj_label)
+{
+	return aa_label_is_subset(obj_label, subj_label);
+}
+
+/* for now separate fn to indicate semantics of the check */
+bool __file_is_delegated(struct aa_label *obj_label)
+{
+	return unconfined(obj_label);
+}
+
 /**
  * aa_file_perm - do permission revalidation check & audit for @file
  * @op: operation being checked
@@ -806,8 +819,8 @@ int aa_file_perm(const char *op, const struct cred *subj_cred,
 	 *       delegation from unconfined tasks
 	 */
 	denied = request & ~fctx->allow;
-	if (unconfined(label) || unconfined(flabel) ||
-	    (!denied && aa_label_is_subset(flabel, label))) {
+	if (unconfined(label) || __file_is_delegated(flabel) ||
+	    (!denied && __subj_label_is_cached(label, flabel))) {
 		rcu_read_unlock();
 		goto done;
 	}