apparmor: switch signal mediation to use RULE_MEDIATES
authorJohn Johansen <john.johansen@canonical.com>
Sun, 29 Jan 2023 10:13:56 +0000 (02:13 -0800)
committerJohn Johansen <john.johansen@canonical.com>
Sat, 18 Jan 2025 14:47:12 +0000 (06:47 -0800)
Currently signal mediation is using a hard-coded form of the
RULE_MEDIATES check. This hides the intended semantics, and means this
specific check won't pick up any changes or improvements made in the
RULE_MEDIATES check. Switch to using RULE_MEDIATES().

Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/ipc.c

index 0cdf4340b02d5b04c7541714d8b0ba64ec813c31..3566d875645e4bc55df3a55ff9d3a3fb6d24e348 100644 (file)
@@ -85,16 +85,16 @@ static int profile_signal_perm(const struct cred *cred,
        struct aa_perms perms;
        aa_state_t state;
 
-       if (profile_unconfined(profile) ||
-           !ANY_RULE_MEDIATES(&profile->rules, AA_CLASS_SIGNAL))
+       if (profile_unconfined(profile))
                return 0;
 
        ad->subj_cred = cred;
        ad->peer = peer;
        /* TODO: secondary cache check <profile, profile, perm> */
-       state = aa_dfa_next(rules->policy->dfa,
-                           rules->policy->start[AA_CLASS_SIGNAL],
-                           ad->signal);
+       state = RULE_MEDIATES(rules, AA_CLASS_SIGNAL);
+       if (!state)
+               return 0;
+       state = aa_dfa_next(rules->policy->dfa, state, ad->signal);
        aa_label_match(profile, rules, peer, state, false, request, &perms);
        aa_apply_modes_to_perms(profile, &perms);
        return aa_check_perms(profile, &perms, request, ad, audit_signal_cb);
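Review bot: The early allow at `if (!state) return 0;` now depends on the single `rules` set rather than on `&profile->rules`, which the removed `ANY_RULE_MEDIATES()` check consulted. `rules` is assigned outside this hunk, as is the start of `profile_signal_perm()`, so it is worth confirming that it names the same rule set the old check looked at. If it does not, a signal class mediated by another rule set on the profile would be permitted here without reaching `aa_check_perms()` or the audit callback. Because this return is a deliberate allow with no audit record, I would document it at the check, for example `/* policy does not mediate AA_CLASS_SIGNAL: allow, nothing to audit */`. The comment should also say that a zero state from `RULE_MEDIATES()` is what signals "not mediated".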