authorJohn Johansen <john.johansen@canonical.com>2017-06-09 14:59:51 -0700
committerJohn Johansen <john.johansen@canonical.com>2017-06-10 17:11:42 -0700
commit190a95189eb9e2233ed71a85cd6dd0c8efc9d392 (patch)
tree0c00b379aab9d3aa641db9d108393c0dc8549abf /security/apparmor/lsm.c
parent290f458a4f16f9cf6cb6562b249e69fe1c3c3a07 (diff)
apparmor: move aa_file_perm() to use labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/lsm.c')
-rw-r--r--security/apparmor/lsm.c24
1 files changed, 3 insertions, 21 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index bf28b48bf6dd..011fbb009663 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -433,7 +433,7 @@ static int apparmor_file_alloc_security(struct file *file)
/* freed by apparmor_file_free_security */
struct aa_label *label = begin_current_label_crit_section();
- file->f_security = aa_alloc_file_ctx(GFP_KERNEL);
+ file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL);
if (!file_ctx(file))
error = -ENOMEM;
end_current_label_crit_section(label);
@@ -448,33 +448,15 @@ static void apparmor_file_free_security(struct file *file)
static int common_file_perm(const char *op, struct file *file, u32 mask)
{
- struct aa_file_ctx *fctx = file->f_security;
- struct aa_label *label, *flabel;
+ struct aa_label *label;
int error = 0;
/* don't reaudit files closed during inheritance */
if (file->f_path.dentry == aa_null.dentry)
return -EACCES;
- flabel = aa_cred_raw_label(file->f_cred);
- AA_BUG(!flabel);
-
- if (!file->f_path.mnt ||
- !path_mediated_fs(file->f_path.dentry))
- return 0;
-
label = __begin_current_label_crit_section();
-
- /* revalidate access, if task is unconfined, or the cached cred
- * doesn't match or if the request is for more permissions than
- * was granted.
- *
- * Note: the test for !unconfined(fprofile) is to handle file
- * delegation from unconfined tasks
- */
- if (!unconfined(label) && !unconfined(flabel) &&
- ((flabel != label) || (mask & ~fctx->allow)))
- error = aa_file_perm(op, labels_profile(label), file, mask);
+ error = aa_file_perm(op, label, file, mask);
__end_current_label_crit_section(label);
return error;
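Review bot: The early return for files without a mount or on non-path-mediated filesystems, and the guard that only re-checked permission when the cached cred differed or the request exceeded `fctx->allow`, are both dropped from common_file_perm, and the new code unconditionally calls `aa_file_perm(op, label, file, mask)` under the label critical section; whether those checks now live inside aa_file_perm cannot be confirmed from this diff, since the diffstat is limited to lsm.c. A reader of this function no longer sees why an unconfined task or a matching cached cred is fast-pathed, so the removed explanation should be replaced by a one-line pointer above the call, e.g. `/* path-mediation and cached-permission revalidation are handled by aa_file_perm() */`, once that is confirmed against the aa_file_perm change. It is also worth noting in the commit description that the `AA_BUG(!flabel)` sanity check on `file->f_cred` is removed here rather than relocated, if that is intentional. The body of common_file_perm continues past the end of this hunk.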