From 4fff70a487720bf0142266f8a4f23e634f4dd706 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Fri, 19 Jan 2024 01:23:55 -0800 Subject: [PATCH] UBUNTU: SAUCE: apparmor4.0.0 [79/90]: apparmor: cleanup: refactor file_perm() to provide semantics of some checks BugLink: http://bugs.launchpad.net/bugs/2028253 Provide semantics for some checks being done in file_perm(). This is a preparatory patch for improvements to both permission caching and delegation, where the check will become more involved. Signed-off-by: John Johansen (cherry picked from commit 90580e2fd42b8e8c8e03d9554b8a36139436d4e8 https://git.launchpad.net/~apparmor-dev/ubuntu-kernel-next) Signed-off-by: Paolo Pisati --- security/apparmor/file.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/security/apparmor/file.c b/security/apparmor/file.c index 1dbd42dd039b..ba0562c21de0 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c @@ -769,6 +769,19 @@ static int __file_mqueue_perm(const char *op, const struct cred *subj_cred, return error; } +/* wrapper fn to indicate semantics of the check */ +bool __subj_label_is_cached(struct aa_label *subj_label, + struct aa_label *obj_label) +{ + return aa_label_is_subset(obj_label, subj_label); +} + +/* for now separate fn to indicate semantics of the check */ +bool __file_is_delegated(struct aa_label *obj_label) +{ + return unconfined(obj_label); +} + /** * aa_file_perm - do permission revalidation check & audit for @file * @op: operation being checked @@ -806,8 +819,8 @@ int aa_file_perm(const char *op, const struct cred *subj_cred, * delegation from unconfined tasks */ denied = request & ~fctx->allow; - if (unconfined(label) || unconfined(flabel) || - (!denied && aa_label_is_subset(flabel, label))) { + if (unconfined(label) || __file_is_delegated(flabel) || + (!denied && __subj_label_is_cached(label, flabel))) { rcu_read_unlock(); goto done; }