summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2018-03-03 01:59:02 -0800
committerJohn Johansen <john.johansen@canonical.com>2018-03-13 17:25:49 -0700
commitb9590ad4c4f2fedc364016613f2af74ea7758bea (patch)
tree580811b3b62f4f5ba5ae2ab14e28cc27b1e0b72a
parent56974a6fcfef69ee0825bd66ed13e92070ac5224 (diff)
downloadlwn-b9590ad4c4f2fedc364016613f2af74ea7758bea.tar.gz
lwn-b9590ad4c4f2fedc364016613f2af74ea7758bea.zip
apparmor: remove POLICY_MEDIATES_SAFE
The unpack code now makes sure every profile has a dfa so the safe version of POLICY_MEDIATES is no longer needed. Signed-off-by: John Johansen <john.johansen@canonical.com>
-rw-r--r--security/apparmor/apparmorfs.c2
-rw-r--r--security/apparmor/include/policy.h12
2 files changed, 2 insertions, 12 deletions
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 10d16e3abed9..701cb3e5ec3b 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -619,7 +619,7 @@ static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
tmp = aa_compute_fperms(dfa, state, &cond);
}
} else if (profile->policy.dfa) {
- if (!PROFILE_MEDIATES_SAFE(profile, *match_str))
+ if (!PROFILE_MEDIATES(profile, *match_str))
return; /* no change to current perms */
dfa = profile->policy.dfa;
state = aa_dfa_match_len(dfa, profile->policy.start[0],
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index ffe12a2366e0..ab64c6b5db5a 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -214,17 +214,7 @@ static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
return labels_profile(aa_get_newest_label(&p->label));
}
-#define PROFILE_MEDIATES(P, T) ((P)->policy.start[(T)])
-/* safe version of POLICY_MEDIATES for full range input */
-static inline unsigned int PROFILE_MEDIATES_SAFE(struct aa_profile *profile,
- unsigned char class)
-{
- if (profile->policy.dfa)
- return aa_dfa_match_len(profile->policy.dfa,
- profile->policy.start[0], &class, 1);
- return 0;
-}
-
+#define PROFILE_MEDIATES(P, T) ((P)->policy.start[(unsigned char) (T)])
static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
u16 AF) {
unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);