
apparmor: cleanup shared permission struct

The shared permissions struct has a stop field, which is unneeded,
and the "reserved" subtree field commented out, which is needed. Also
reorganize so that the entries are logically grouped.

Signed-off-by: John Johansen <john.johansen@canonical.com>

+9 -12
+7 -10
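--- a/security/apparmor/include/perms.h
+++ b/security/apparmor/include/perms.h
@@ -65,22 +65,19 @@
 
 struct aa_perms {
 	u32 allow;
-	u32 audit; /* set only when allow is set */
-
 	u32 deny; /* explicit deny, or conflict if allow also set */
-	u32 quiet; /* set only when ~allow | deny */
-	u32 kill; /* set only when ~allow | deny */
-	u32 stop; /* set only when ~allow | deny */
 
-	u32 complain; /* accumulates only used when ~allow & ~deny */
+	u32 subtree; /* allow perm on full subtree only when allow is set */
 	u32 cond; /* set only when ~allow and ~deny */
 
-	u32 hide; /* set only when ~allow | deny */
+	u32 kill; /* set only when ~allow | deny */
+	u32 complain; /* accumulates only used when ~allow & ~deny */
 	u32 prompt; /* accumulates only used when ~allow & ~deny */
 
-	/* Reserved:
-	 * u32 subtree; / * set only when allow is set * /
-	 */
+	u32 audit; /* set only when allow is set */
+	u32 quiet; /* set only when ~allow | deny */
+	u32 hide; /* set only when ~allow | deny */
+
 	u16 xindex;
 };
 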
+2 -2
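--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -327,11 +327,11 @@
 	accum->audit |= addend->audit & addend->allow;
 	accum->quiet &= addend->quiet & ~addend->allow;
 	accum->kill |= addend->kill & ~addend->allow;
-	accum->stop |= addend->stop & ~addend->allow;
 	accum->complain |= addend->complain & ~addend->allow & ~addend->deny;
 	accum->cond |= addend->cond & ~addend->allow & ~addend->deny;
 	accum->hide &= addend->hide & ~addend->allow;
 	accum->prompt |= addend->prompt & ~addend->allow & ~addend->deny;
+	accum->subtree |= addend->subtree & ~addend->deny;
 }
 
 /**
@@ -346,11 +346,11 @@
 	accum->audit |= addend->audit & accum->allow;
 	accum->quiet &= addend->quiet & ~accum->allow;
 	accum->kill |= addend->kill & ~accum->allow;
-	accum->stop |= addend->stop & ~accum->allow;
 	accum->complain |= addend->complain & ~accum->allow & ~accum->deny;
 	accum->cond |= addend->cond & ~accum->allow & ~accum->deny;
 	accum->hide &= addend->hide & ~accum->allow;
 	accum->prompt |= addend->prompt & ~accum->allow & ~accum->deny;
+	accum->subtree &= addend->subtree & ~accum->deny;
 }
 
 void aa_profile_match_label(struct aa_profile *profile, struct aa_label *label,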
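Review bot: The two new subtree lines accumulate the field in opposite directions — `accum->subtree |= addend->subtree & ~addend->deny;` in the first hunk can only grow the set, while `accum->subtree &= addend->subtree & ~accum->deny;` in the second can only shrink it — and neither masks with allow, although the comment added to the struct in perms.h says subtree applies "only when allow is set". If the `|=` versus `&=` split is deliberate (the same split already exists for quiet and hide against the other fields), a one-line comment at each site stating why would stop the next reader from treating it as a typo; if it is not, the two sites should agree. Since subtree widens whatever allow grants to an entire subtree, an over-approximating accumulation is the direction that matters for a permission check, so either mask it as audit is masked, e.g. `accum->subtree |= addend->subtree & addend->allow;`, or document why ~deny is the intended guard. Both enclosing functions start and end outside their hunks.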