diff options
author | John Johansen <john.johansen@canonical.com> | 2018-03-03 01:59:02 -0800 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2018-03-13 17:25:49 -0700 |
commit | b9590ad4c4f2fedc364016613f2af74ea7758bea (patch) | |
tree | 580811b3b62f4f5ba5ae2ab14e28cc27b1e0b72a /security/apparmor | |
parent | 56974a6fcfef69ee0825bd66ed13e92070ac5224 (diff) |
apparmor: remove POLICY_MEDIATES_SAFE
The unpack code now makes sure every profile has a dfa so the safe
version of POLICY_MEDIATES is no longer needed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor')
-rw-r--r-- | security/apparmor/apparmorfs.c | 2 | ||||
-rw-r--r-- | security/apparmor/include/policy.h | 12 |
2 files changed, 2 insertions, 12 deletions
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 10d16e3abed9..701cb3e5ec3b 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -619,7 +619,7 @@ static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms, tmp = aa_compute_fperms(dfa, state, &cond); } } else if (profile->policy.dfa) { - if (!PROFILE_MEDIATES_SAFE(profile, *match_str)) + if (!PROFILE_MEDIATES(profile, *match_str)) return; /* no change to current perms */ dfa = profile->policy.dfa; state = aa_dfa_match_len(dfa, profile->policy.start[0], diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h index ffe12a2366e0..ab64c6b5db5a 100644 --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h @@ -214,17 +214,7 @@ static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p) return labels_profile(aa_get_newest_label(&p->label)); } -#define PROFILE_MEDIATES(P, T) ((P)->policy.start[(T)]) -/* safe version of POLICY_MEDIATES for full range input */ -static inline unsigned int PROFILE_MEDIATES_SAFE(struct aa_profile *profile, - unsigned char class) -{ - if (profile->policy.dfa) - return aa_dfa_match_len(profile->policy.dfa, - profile->policy.start[0], &class, 1); - return 0; -} - +#define PROFILE_MEDIATES(P, T) ((P)->policy.start[(unsigned char) (T)]) static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile, u16 AF) { unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET); |