diff options
| author | John Johansen <john.johansen@canonical.com> | 2023-07-23 02:30:33 -0700 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2025-01-18 06:47:12 -0800 |
| commit | 2e12c5f060176ede209673e4f63ea5d0e3c5814c (patch) | |
| tree | 1ba485036de4844ba0d4ff93230b41c605c20677 /security/apparmor/file.c | |
| parent | de4754c801f4ceefc6ce0d13480c506e0a91b449 (diff) | |
apparmor: add additional flags to extended permission.
This is a step towards merging the file and policy state machines.
With the switch to extended permissions the state machine's ACCEPT2
table became unused freeing it up to store state specific flags. The
first flags to be stored are FLAG_OWNER and FLAG other which paves the
way towards merging the file and policydb perms into a single
permission table.
Currently Lookups based on the objects ownership conditional will
still need separate fns, this will be address in a following patch.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/file.c')
| -rw-r--r-- | security/apparmor/file.c | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/security/apparmor/file.c b/security/apparmor/file.c index 81c54ffd63cb..6ce6547301dc 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c @@ -169,7 +169,8 @@ static int path_name(const char *op, const struct cred *subj_cred, struct aa_perms default_perms = {}; /** * aa_lookup_fperms - convert dfa compressed perms to internal perms - * @file_rules: the aa_policydb to lookup perms for (NOT NULL) + * @subj_uid: uid to use for subject owner test + * @rules: the aa_policydb to lookup perms for (NOT NULL) * @state: state in dfa * @cond: conditions to consider (NOT NULL) * @@ -177,18 +178,21 @@ struct aa_perms default_perms = {}; * * Returns: a pointer to a file permission set */ -struct aa_perms *aa_lookup_fperms(struct aa_policydb *file_rules, - aa_state_t state, struct path_cond *cond) +struct aa_perms *aa_lookup_condperms(kuid_t subj_uid, struct aa_policydb *rules, + aa_state_t state, struct path_cond *cond) { - unsigned int index = ACCEPT_TABLE(file_rules->dfa)[state]; + unsigned int index = ACCEPT_TABLE(rules->dfa)[state]; - if (!(file_rules->perms)) + if (!(rules->perms)) return &default_perms; - if (uid_eq(current_fsuid(), cond->uid)) - return &(file_rules->perms[index]); + if ((ACCEPT_TABLE2(rules->dfa)[state] & ACCEPT_FLAG_OWNER)) { + if (uid_eq(subj_uid, cond->uid)) + return &(rules->perms[index]); + return &(rules->perms[index + 1]); + } - return &(file_rules->perms[index + 1]); + return &(rules->perms[index]); } /** @@ -207,7 +211,8 @@ aa_state_t aa_str_perms(struct aa_policydb *file_rules, aa_state_t start, { aa_state_t state; state = aa_dfa_match(file_rules->dfa, start, name); - *perms = *(aa_lookup_fperms(file_rules, state, cond)); + *perms = *(aa_lookup_condperms(current_fsuid(), file_rules, state, + cond)); return state; } |