author | John Johansen <john.johansen@canonical.com> | 2017-06-09 14:59:51 -0700 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2017-06-10 17:11:42 -0700 |
commit | 190a95189eb9e2233ed71a85cd6dd0c8efc9d392 (patch) | |
tree | 0c00b379aab9d3aa641db9d108393c0dc8549abf /security/apparmor/lsm.c | |
parent | 290f458a4f16f9cf6cb6562b249e69fe1c3c3a07 (diff) | |
download | lwn-190a95189eb9e2233ed71a85cd6dd0c8efc9d392.tar.gz lwn-190a95189eb9e2233ed71a85cd6dd0c8efc9d392.zip |
apparmor: move aa_file_perm() to use labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/lsm.c')
-rw-r--r-- | security/apparmor/lsm.c | 24 |
1 files changed, 3 insertions, 21 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index bf28b48bf6dd..011fbb009663 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -433,7 +433,7 @@ static int apparmor_file_alloc_security(struct file *file)
 /* freed by apparmor_file_free_security */
 struct aa_label *label = begin_current_label_crit_section();
- file->f_security = aa_alloc_file_ctx(GFP_KERNEL);
+ file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL);
 if (!file_ctx(file))
 error = -ENOMEM;
 end_current_label_crit_section(label);
@@ -448,33 +448,15 @@ static void apparmor_file_free_security(struct file *file)
 static int common_file_perm(const char *op, struct file *file, u32 mask)
 {
- struct aa_file_ctx *fctx = file->f_security;
- struct aa_label *label, *flabel;
+ struct aa_label *label;
 int error = 0;
 /* don't reaudit files closed during inheritance */
 if (file->f_path.dentry == aa_null.dentry)
 return -EACCES;
- flabel = aa_cred_raw_label(file->f_cred);
- AA_BUG(!flabel);
-
- if (!file->f_path.mnt || !path_mediated_fs(file->f_path.dentry)) return 0;
 label = __begin_current_label_crit_section();
-
- /* revalidate access, if task is unconfined, or the cached cred * doesn't match or if the request is for more permissions than * was granted. * * Note: the test for !unconfined(fprofile) is to handle file * delegation from unconfined tasks */
- if (!unconfined(label) && !unconfined(flabel) && ((flabel != label) || (mask & ~fctx->allow))) error = aa_file_perm(op, labels_profile(label), file, mask);
+ error = aa_file_perm(op, label, file, mask);
 __end_current_label_crit_section(label);
 return error; |
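Review bot: The `!file->f_path.mnt || !path_mediated_fs()` early return, the `AA_BUG(!flabel)` sanity check and the cached-permission short-circuit (`flabel != label || mask & ~fctx->allow`, gated on both labels being confined) are all removed from `common_file_perm()`, and nothing in this hunk shows that the new `aa_file_perm(op, label, file, mask)` reproduces them, so files on non-path-mediated filesystems or files delegated by an unconfined task would now be mediated and audited on every access unless the callee carries those checks (not visible here — confirm against the matching change in file.c before merging). The dropped block comment was the only record in lsm.c of why the delegation case is treated specially, so a one-line pointer at the call site would keep that rationale discoverable, e.g. `/* mnt/path gating and allow-cache revalidation are aa_file_perm()'s job */`. The body of `common_file_perm()` continues past the end of the hunk, so its closing brace and any later cleanup are not reviewed here.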