apparmor: preparse for state being more than just an integer

tjh.dev / kernel

fork atom

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

fork atom

apparmor: preparse for state being more than just an integer

Convert from an unsigned int to a state_t for state position. This is
a step in prepping for the state position carrying some additional
flags, and a limited form of backtracking to support variables.

Signed-off-by: John Johansen <john.johansen@canonical.com>

John Johansen 3 years ago 33fc95d8 e844fe9b

+101 -102

15 changed files

expand all collapse all

security

apparmor

apparmorfs.c

domain.c

file.c

include

file.h

label.h

lib.h

match.h

policy.h

ipc.c

label.c

lib.c

match.c

mount.c

net.c

policy_unpack.c

+1 -1

security/apparmor/apparmorfs.c

reviewed

··· 613 613 { 614 614 struct aa_perms tmp = { }; 615 615 struct aa_dfa *dfa; 616 616 - unsigned int state = 0; 616 616 + aa_state_t state = DFA_NOMATCH; 617 617 618 618 if (profile_unconfined(profile)) 619 619 return;

+13 -12

security/apparmor/domain.c

reviewed

··· 95 95 * If a subns profile is not to be matched should be prescreened with 96 96 * visibility test. 97 97 */ 98 98 - static inline unsigned int match_component(struct aa_profile *profile, 99 99 - struct aa_profile *tp, 100 100 - bool stack, unsigned int state) 98 98 + static inline aa_state_t match_component(struct aa_profile *profile, 99 99 + struct aa_profile *tp, 100 100 + bool stack, aa_state_t state) 101 101 { 102 102 const char *ns_name; 103 103 ··· 132 132 */ 133 133 static int label_compound_match(struct aa_profile *profile, 134 134 struct aa_label *label, bool stack, 135 135 - unsigned int state, bool subns, u32 request, 135 135 + aa_state_t state, bool subns, u32 request, 136 136 struct aa_perms *perms) 137 137 { 138 138 struct aa_profile *tp; ··· 192 192 */ 193 193 static int label_components_match(struct aa_profile *profile, 194 194 struct aa_label *label, bool stack, 195 195 - unsigned int start, bool subns, u32 request, 195 195 + aa_state_t start, bool subns, u32 request, 196 196 struct aa_perms *perms) 197 197 { 198 198 struct aa_profile *tp; 199 199 struct label_it i; 200 200 struct aa_perms tmp; 201 201 struct path_cond cond = { }; 202 202 - unsigned int state = 0; 202 202 + aa_state_t state = 0; 203 203 204 204 /* find first subcomponent to test */ 205 205 label_for_each(i, label, tp) { ··· 252 252 * Returns: the state the match finished in, may be the none matching state 253 253 */ 254 254 static int label_match(struct aa_profile *profile, struct aa_label *label, 255 255 - bool stack, unsigned int state, bool subns, u32 request, 255 255 + bool stack, aa_state_t state, bool subns, u32 request, 256 256 struct aa_perms *perms) 257 257 { 258 258 int error; ··· 286 286 */ 287 287 static int change_profile_perms(struct aa_profile *profile, 288 288 struct aa_label *target, bool stack, 289 289 - u32 request, unsigned int start, 289 289 + u32 request, aa_state_t start, 290 290 struct aa_perms *perms) 291 291 { 292 292 if (profile_unconfined(profile)) { ··· 308 308 * Returns: number of extended attributes that matched, or < 0 on error 309 309 */ 310 310 static int aa_xattrs_match(const struct linux_binprm *bprm, 311 311 - struct aa_profile *profile, unsigned int state) 311 311 + struct aa_profile *profile, aa_state_t state) 312 312 { 313 313 int i; 314 314 ssize_t size; ··· 416 416 * match. 417 417 */ 418 418 if (profile->xmatch.dfa) { 419 419 - unsigned int state, count; 419 419 + unsigned int count; 420 420 + aa_state_t state; 420 421 u32 index, perm; 421 422 422 423 state = aa_dfa_leftmatch(profile->xmatch.dfa, ··· 632 631 { 633 632 struct aa_label *new = NULL; 634 633 const char *info = NULL, *name = NULL, *target = NULL; 635 635 - unsigned int state = profile->file.start[AA_CLASS_FILE]; 634 634 + aa_state_t state = profile->file.start[AA_CLASS_FILE]; 636 635 struct aa_perms perms = {}; 637 636 bool nonewprivs = false; 638 637 int error = 0; ··· 728 727 char *buffer, struct path_cond *cond, 729 728 bool *secure_exec) 730 729 { 731 731 - unsigned int state = profile->file.start[AA_CLASS_FILE]; 730 730 + aa_state_t state = profile->file.start[AA_CLASS_FILE]; 732 731 struct aa_perms perms = {}; 733 732 const char *xname = NULL, *info = "change_profile onexec"; 734 733 int error = -EACCES;

+6 -6

security/apparmor/file.c

reviewed

··· 186 186 */ 187 187 struct aa_perms default_perms = {}; 188 188 struct aa_perms *aa_lookup_fperms(struct aa_policydb *file_rules, 189 189 - unsigned int state, struct path_cond *cond) 189 189 + aa_state_t state, struct path_cond *cond) 190 190 { 191 191 unsigned int index = ACCEPT_TABLE(file_rules->dfa)[state]; 192 192 ··· 209 209 * 210 210 * Returns: the final state in @dfa when beginning @start and walking @name 211 211 */ 212 212 - unsigned int aa_str_perms(struct aa_policydb *file_rules, unsigned int start, 213 213 - const char *name, struct path_cond *cond, 214 214 - struct aa_perms *perms) 212 212 + aa_state_t aa_str_perms(struct aa_policydb *file_rules, aa_state_t start, 213 213 + const char *name, struct path_cond *cond, 214 214 + struct aa_perms *perms) 215 215 { 216 216 - unsigned int state; 216 216 + aa_state_t state; 217 217 state = aa_dfa_match(file_rules->dfa, start, name); 218 218 *perms = *(aa_lookup_fperms(file_rules, state, cond)); 219 219 ··· 320 320 struct aa_perms lperms = {}, perms; 321 321 const char *info = NULL; 322 322 u32 request = AA_MAY_LINK; 323 323 - unsigned int state; 323 323 + aa_state_t state; 324 324 int error; 325 325 326 326 error = path_name(OP_LINK, &profile->label, link, profile->path_flags,

+4 -4

security/apparmor/include/file.h

reviewed

··· 166 166 const char *info, int error); 167 167 168 168 struct aa_perms *aa_lookup_fperms(struct aa_policydb *file_rules, 169 169 - unsigned int state, struct path_cond *cond); 170 170 - unsigned int aa_str_perms(struct aa_policydb *file_rules, unsigned int start, 171 171 - const char *name, struct path_cond *cond, 172 172 - struct aa_perms *perms); 169 169 + aa_state_t state, struct path_cond *cond); 170 170 + aa_state_t aa_str_perms(struct aa_policydb *file_rules, aa_state_t start, 171 171 + const char *name, struct path_cond *cond, 172 172 + struct aa_perms *perms); 173 173 174 174 int __aa_path_perm(const char *op, struct aa_profile *profile, 175 175 const char *name, u32 request, struct path_cond *cond,

+3 -3

security/apparmor/include/label.h

reviewed

··· 333 333 static inline const char *aa_label_strn_split(const char *str, int n) 334 334 { 335 335 const char *pos; 336 336 - unsigned int state; 336 336 + aa_state_t state; 337 337 338 338 state = aa_dfa_matchn_until(stacksplitdfa, DFA_START, str, n, &pos); 339 339 if (!ACCEPT_TABLE(stacksplitdfa)[state]) ··· 345 345 static inline const char *aa_label_str_split(const char *str) 346 346 { 347 347 const char *pos; 348 348 - unsigned int state; 348 348 + aa_state_t state; 349 349 350 350 state = aa_dfa_match_until(stacksplitdfa, DFA_START, str, &pos); 351 351 if (!ACCEPT_TABLE(stacksplitdfa)[state]) ··· 358 358 359 359 struct aa_perms; 360 360 int aa_label_match(struct aa_profile *profile, struct aa_label *label, 361 361 - unsigned int state, bool subns, u32 request, 361 361 + aa_state_t state, bool subns, u32 request, 362 362 struct aa_perms *perms); 363 363 364 364

+2 -2

security/apparmor/include/lib.h

reviewed

··· 87 87 * character which is not used in standard matching and is only 88 88 * used to separate pairs. 89 89 */ 90 90 - static inline unsigned int aa_dfa_null_transition(struct aa_dfa *dfa, 91 91 - unsigned int start) 90 90 + static inline aa_state_t aa_dfa_null_transition(struct aa_dfa *dfa, 91 91 + aa_state_t start) 92 92 { 93 93 /* the null transition only needs the string's null terminator byte */ 94 94 return aa_dfa_next(dfa, start, 0);

+14 -14

security/apparmor/include/match.h

reviewed

··· 125 125 int aa_setup_dfa_engine(void); 126 126 void aa_teardown_dfa_engine(void); 127 127 128 128 + #define aa_state_t unsigned int 129 129 + 128 130 struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags); 129 129 - unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start, 130 130 - const char *str, int len); 131 131 - unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start, 132 132 - const char *str); 133 133 - unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state, 134 134 - const char c); 135 135 - unsigned int aa_dfa_outofband_transition(struct aa_dfa *dfa, 136 136 - unsigned int state); 137 137 - unsigned int aa_dfa_match_until(struct aa_dfa *dfa, unsigned int start, 138 138 - const char *str, const char **retpos); 139 139 - unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start, 140 140 - const char *str, int n, const char **retpos); 131 131 + aa_state_t aa_dfa_match_len(struct aa_dfa *dfa, aa_state_t start, 132 132 + const char *str, int len); 133 133 + aa_state_t aa_dfa_match(struct aa_dfa *dfa, aa_state_t start, 134 134 + const char *str); 135 135 + aa_state_t aa_dfa_next(struct aa_dfa *dfa, aa_state_t state, const char c); 136 136 + aa_state_t aa_dfa_outofband_transition(struct aa_dfa *dfa, aa_state_t state); 137 137 + aa_state_t aa_dfa_match_until(struct aa_dfa *dfa, aa_state_t start, 138 138 + const char *str, const char **retpos); 139 139 + aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start, 140 140 + const char *str, int n, const char **retpos); 141 141 142 142 void aa_dfa_free_kref(struct kref *kref); 143 143 ··· 156 156 .len = 0, \ 157 157 } 158 158 159 159 - unsigned int aa_dfa_leftmatch(struct aa_dfa *dfa, unsigned int start, 160 160 - const char *str, unsigned int *count); 159 159 + aa_state_t aa_dfa_leftmatch(struct aa_dfa *dfa, aa_state_t start, 160 160 + const char *str, unsigned int *count); 161 161 162 162 /** 163 163 * aa_get_dfa - increment refcount on dfa @p

+7 -7

security/apparmor/include/policy.h

reviewed

··· 78 78 struct aa_dfa *dfa; 79 79 struct aa_perms *perms; 80 80 struct aa_domain trans; 81 81 - unsigned int start[AA_CLASS_LAST + 1]; 81 81 + aa_state_t start[AA_CLASS_LAST + 1]; 82 82 }; 83 83 84 84 static inline void aa_destroy_policydb(struct aa_policydb *policy) ··· 91 91 } 92 92 93 93 static inline struct aa_perms *aa_lookup_perms(struct aa_policydb *policy, 94 94 - unsigned int state) 94 94 + aa_state_t state) 95 95 { 96 96 unsigned int index = ACCEPT_TABLE(policy->dfa)[state]; 97 97 ··· 239 239 return labels_profile(aa_get_newest_label(&p->label)); 240 240 } 241 241 242 242 - static inline unsigned int PROFILE_MEDIATES(struct aa_profile *profile, 242 242 + static inline aa_state_t PROFILE_MEDIATES(struct aa_profile *profile, 243 243 unsigned char class) 244 244 { 245 245 if (class <= AA_CLASS_LAST) ··· 249 249 profile->policy.start[0], &class, 1); 250 250 } 251 251 252 252 - static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile, 253 253 - u16 AF) { 254 254 - unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET); 252 252 + static inline aa_state_t PROFILE_MEDIATES_AF(struct aa_profile *profile, 253 253 + u16 AF) { 254 254 + aa_state_t state = PROFILE_MEDIATES(profile, AA_CLASS_NET); 255 255 __be16 be_af = cpu_to_be16(AF); 256 256 257 257 if (!state) 258 258 - return 0; 258 258 + return DFA_NOMATCH; 259 259 return aa_dfa_match_len(profile->policy.dfa, state, (char *) &be_af, 2); 260 260 } 261 261

+1 -1

security/apparmor/ipc.c

reviewed

··· 79 79 struct common_audit_data *sa) 80 80 { 81 81 struct aa_perms perms; 82 82 - unsigned int state; 82 82 + aa_state_t state; 83 83 84 84 if (profile_unconfined(profile) || 85 85 !PROFILE_MEDIATES(profile, AA_CLASS_SIGNAL))

+7 -7

security/apparmor/label.c

reviewed

··· 1265 1265 * If a subns profile is not to be matched should be prescreened with 1266 1266 * visibility test. 1267 1267 */ 1268 1268 - static inline unsigned int match_component(struct aa_profile *profile, 1269 1269 - struct aa_profile *tp, 1270 1270 - unsigned int state) 1268 1268 + static inline aa_state_t match_component(struct aa_profile *profile, 1269 1269 + struct aa_profile *tp, 1270 1270 + aa_state_t state) 1271 1271 { 1272 1272 const char *ns_name; 1273 1273 ··· 1299 1299 */ 1300 1300 static int label_compound_match(struct aa_profile *profile, 1301 1301 struct aa_label *label, 1302 1302 - unsigned int state, bool subns, u32 request, 1302 1302 + aa_state_t state, bool subns, u32 request, 1303 1303 struct aa_perms *perms) 1304 1304 { 1305 1305 struct aa_profile *tp; ··· 1356 1356 * check to be stacked. 1357 1357 */ 1358 1358 static int label_components_match(struct aa_profile *profile, 1359 1359 - struct aa_label *label, unsigned int start, 1359 1359 + struct aa_label *label, aa_state_t start, 1360 1360 bool subns, u32 request, 1361 1361 struct aa_perms *perms) 1362 1362 { 1363 1363 struct aa_profile *tp; 1364 1364 struct label_it i; 1365 1365 struct aa_perms tmp; 1366 1366 - unsigned int state = 0; 1366 1366 + aa_state_t state = 0; 1367 1367 1368 1368 /* find first subcomponent to test */ 1369 1369 label_for_each(i, label, tp) { ··· 1415 1415 * Returns: the state the match finished in, may be the none matching state 1416 1416 */ 1417 1417 int aa_label_match(struct aa_profile *profile, struct aa_label *label, 1418 1418 - unsigned int state, bool subns, u32 request, 1418 1418 + aa_state_t state, bool subns, u32 request, 1419 1419 struct aa_perms *perms) 1420 1420 { 1421 1421 int error = label_compound_match(profile, label, state, subns, request,

+1 -1

security/apparmor/lib.c

reviewed

··· 357 357 int type, u32 request, struct aa_perms *perms) 358 358 { 359 359 /* TODO: doesn't yet handle extended types */ 360 360 - unsigned int state; 360 360 + aa_state_t state; 361 361 362 362 state = aa_dfa_next(profile->policy.dfa, 363 363 profile->policy.start[AA_CLASS_LABEL],

+28 -30

security/apparmor/match.c

reviewed

··· 436 436 * 437 437 * Returns: final state reached after input is consumed 438 438 */ 439 439 - unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start, 440 440 - const char *str, int len) 439 439 + aa_state_t aa_dfa_match_len(struct aa_dfa *dfa, aa_state_t start, 440 440 + const char *str, int len) 441 441 { 442 442 u16 *def = DEFAULT_TABLE(dfa); 443 443 u32 *base = BASE_TABLE(dfa); 444 444 u16 *next = NEXT_TABLE(dfa); 445 445 u16 *check = CHECK_TABLE(dfa); 446 446 - unsigned int state = start; 446 446 + aa_state_t state = start; 447 447 448 448 - if (state == 0) 449 449 - return 0; 448 448 + if (state == DFA_NOMATCH) 449 449 + return DFA_NOMATCH; 450 450 451 451 /* current state is <state>, matching character *str */ 452 452 if (dfa->tables[YYTD_ID_EC]) { ··· 476 476 * 477 477 * Returns: final state reached after input is consumed 478 478 */ 479 479 - unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start, 480 480 - const char *str) 479 479 + aa_state_t aa_dfa_match(struct aa_dfa *dfa, aa_state_t start, const char *str) 481 480 { 482 481 u16 *def = DEFAULT_TABLE(dfa); 483 482 u32 *base = BASE_TABLE(dfa); 484 483 u16 *next = NEXT_TABLE(dfa); 485 484 u16 *check = CHECK_TABLE(dfa); 486 486 - unsigned int state = start; 485 485 + aa_state_t state = start; 487 486 488 488 - if (state == 0) 489 489 - return 0; 487 487 + if (state == DFA_NOMATCH) 488 488 + return DFA_NOMATCH; 490 489 491 490 /* current state is <state>, matching character *str */ 492 491 if (dfa->tables[YYTD_ID_EC]) { ··· 514 515 * 515 516 * Returns: state reach after input @c 516 517 */ 517 517 - unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state, 518 518 - const char c) 518 518 + aa_state_t aa_dfa_next(struct aa_dfa *dfa, aa_state_t state, const char c) 519 519 { 520 520 u16 *def = DEFAULT_TABLE(dfa); 521 521 u32 *base = BASE_TABLE(dfa); ··· 532 534 return state; 533 535 } 534 536 535 535 - unsigned int aa_dfa_outofband_transition(struct aa_dfa *dfa, unsigned int state) 537 537 + aa_state_t aa_dfa_outofband_transition(struct aa_dfa *dfa, aa_state_t state) 536 538 { 537 539 u16 *def = DEFAULT_TABLE(dfa); 538 540 u32 *base = BASE_TABLE(dfa); ··· 562 564 * 563 565 * Returns: final state reached after input is consumed 564 566 */ 565 565 - unsigned int aa_dfa_match_until(struct aa_dfa *dfa, unsigned int start, 567 567 + aa_state_t aa_dfa_match_until(struct aa_dfa *dfa, aa_state_t start, 566 568 const char *str, const char **retpos) 567 569 { 568 570 u16 *def = DEFAULT_TABLE(dfa); ··· 570 572 u16 *next = NEXT_TABLE(dfa); 571 573 u16 *check = CHECK_TABLE(dfa); 572 574 u32 *accept = ACCEPT_TABLE(dfa); 573 573 - unsigned int state = start, pos; 575 575 + aa_state_t state = start, pos; 574 576 575 575 - if (state == 0) 576 576 - return 0; 577 577 + if (state == DFA_NOMATCH) 578 578 + return DFA_NOMATCH; 577 579 578 580 /* current state is <state>, matching character *str */ 579 581 if (dfa->tables[YYTD_ID_EC]) { ··· 623 625 * 624 626 * Returns: final state reached after input is consumed 625 627 */ 626 626 - unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start, 628 628 + aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start, 627 629 const char *str, int n, const char **retpos) 628 630 { 629 631 u16 *def = DEFAULT_TABLE(dfa); ··· 631 633 u16 *next = NEXT_TABLE(dfa); 632 634 u16 *check = CHECK_TABLE(dfa); 633 635 u32 *accept = ACCEPT_TABLE(dfa); 634 634 - unsigned int state = start, pos; 636 636 + aa_state_t state = start, pos; 635 637 636 638 *retpos = NULL; 637 637 - if (state == 0) 638 638 - return 0; 639 639 + if (state == DFA_NOMATCH) 640 640 + return DFA_NOMATCH; 639 641 640 642 /* current state is <state>, matching character *str */ 641 643 if (dfa->tables[YYTD_ID_EC]) { ··· 675 677 } while (0) 676 678 677 679 /* For DFAs that don't support extended tagging of states */ 678 678 - static bool is_loop(struct match_workbuf *wb, unsigned int state, 680 680 + static bool is_loop(struct match_workbuf *wb, aa_state_t state, 679 681 unsigned int *adjust) 680 682 { 681 681 - unsigned int pos = wb->pos; 682 682 - unsigned int i; 683 683 + aa_state_t pos = wb->pos; 684 684 + aa_state_t i; 683 685 684 686 if (wb->history[pos] < state) 685 687 return false; ··· 698 700 return true; 699 701 } 700 702 701 701 - static unsigned int leftmatch_fb(struct aa_dfa *dfa, unsigned int start, 703 703 + static aa_state_t leftmatch_fb(struct aa_dfa *dfa, aa_state_t start, 702 704 const char *str, struct match_workbuf *wb, 703 705 unsigned int *count) 704 706 { ··· 706 708 u32 *base = BASE_TABLE(dfa); 707 709 u16 *next = NEXT_TABLE(dfa); 708 710 u16 *check = CHECK_TABLE(dfa); 709 709 - unsigned int state = start, pos; 711 711 + aa_state_t state = start, pos; 710 712 711 713 AA_BUG(!dfa); 712 714 AA_BUG(!str); ··· 714 716 AA_BUG(!count); 715 717 716 718 *count = 0; 717 717 - if (state == 0) 718 718 - return 0; 719 719 + if (state == DFA_NOMATCH) 720 720 + return DFA_NOMATCH; 719 721 720 722 /* current state is <state>, matching character *str */ 721 723 if (dfa->tables[YYTD_ID_EC]) { ··· 779 781 * 780 782 * Returns: final state reached after input is consumed 781 783 */ 782 782 - unsigned int aa_dfa_leftmatch(struct aa_dfa *dfa, unsigned int start, 783 783 - const char *str, unsigned int *count) 784 784 + aa_state_t aa_dfa_leftmatch(struct aa_dfa *dfa, aa_state_t start, 785 785 + const char *str, unsigned int *count) 784 786 { 785 787 DEFINE_MATCH_WB(wb); 786 788

+5 -5

security/apparmor/mount.c

reviewed

··· 190 190 * 191 191 * Returns: next state after flags match 192 192 */ 193 193 - static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state, 193 193 + static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state, 194 194 unsigned long flags) 195 195 { 196 196 unsigned int i; ··· 217 217 * Returns 0 on success else element that match failed in, this is the 218 218 * index into the mnt_info_table above 219 219 */ 220 220 - static int do_match_mnt(struct aa_policydb *policy, unsigned int start, 220 220 + static int do_match_mnt(struct aa_policydb *policy, aa_state_t start, 221 221 const char *mntpnt, const char *devname, 222 222 const char *type, unsigned long flags, 223 223 void *data, bool binary, struct aa_perms *perms) 224 224 { 225 225 - unsigned int state; 225 225 + aa_state_t state; 226 226 227 227 AA_BUG(!policy); 228 228 AA_BUG(!policy->dfa); ··· 567 567 { 568 568 struct aa_perms perms = { }; 569 569 const char *name = NULL, *info = NULL; 570 570 - unsigned int state; 570 570 + aa_state_t state; 571 571 int error; 572 572 573 573 AA_BUG(!profile); ··· 627 627 const char *old_name, *new_name = NULL, *info = NULL; 628 628 const char *trans_name = NULL; 629 629 struct aa_perms perms = { }; 630 630 - unsigned int state; 630 630 + aa_state_t state; 631 631 int error; 632 632 633 633 AA_BUG(!profile);

+1 -1

security/apparmor/net.c

reviewed

··· 109 109 u32 request, u16 family, int type) 110 110 { 111 111 struct aa_perms perms = { }; 112 112 - unsigned int state; 112 112 + aa_state_t state; 113 113 __be16 buffer[2]; 114 114 115 115 AA_BUG(family >= AF_MAX);

+8 -8

security/apparmor/policy_unpack.c

reviewed

··· 698 698 } 699 699 700 700 static void compute_fperms_allow(struct aa_perms *perms, struct aa_dfa *dfa, 701 701 - unsigned int state) 701 701 + aa_state_t state) 702 702 { 703 703 perms->allow |= AA_MAY_GETATTR; 704 704 ··· 710 710 } 711 711 712 712 static struct aa_perms compute_fperms_user(struct aa_dfa *dfa, 713 713 - unsigned int state) 713 713 + aa_state_t state) 714 714 { 715 715 struct aa_perms perms = { }; 716 716 ··· 725 725 } 726 726 727 727 static struct aa_perms compute_fperms_other(struct aa_dfa *dfa, 728 728 - unsigned int state) 728 728 + aa_state_t state) 729 729 { 730 730 struct aa_perms perms = { }; 731 731 ··· 748 748 */ 749 749 static struct aa_perms *compute_fperms(struct aa_dfa *dfa) 750 750 { 751 751 - int state; 752 752 - int state_count; 751 751 + aa_state_t state; 752 752 + unsigned int state_count; 753 753 struct aa_perms *table; 754 754 755 755 AA_BUG(!dfa); ··· 796 796 } 797 797 798 798 static struct aa_perms compute_perms_entry(struct aa_dfa *dfa, 799 799 - unsigned int state) 799 799 + aa_state_t state) 800 800 { 801 801 struct aa_perms perms = { }; 802 802 ··· 817 817 818 818 static struct aa_perms *compute_perms(struct aa_dfa *dfa) 819 819 { 820 820 - int state; 821 821 - int state_count; 820 820 + unsigned int state; 821 821 + unsigned int state_count; 822 822 struct aa_perms *table; 823 823 824 824 AA_BUG(!dfa);