From: John Johansen <john.johansen@canonical.com>
Date: Fri, 19 Jan 2024 09:23:55 +0000 (-0800)
Subject: apparmor: cleanup: refactor file_perm() to doc semantics of some checks
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=34d31f23385b018890295414acaee31d786cf73d;p=thirdparty%2Fkernel%2Fstable.git

apparmor: cleanup: refactor file_perm() to doc semantics of some checks

Provide semantics, via fn names, for some checks being done in
file_perm(). This is a preparatory patch for improvements to both
permission caching and delegation, where the check will become more
involved.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---

diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index d52a5b14dad4..81c54ffd63cb 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -557,6 +557,19 @@ static int __file_sock_perm(const char *op, const struct cred *subj_cred,
 	return error;
 }
 
+/* wrapper fn to indicate semantics of the check */
+static bool __subj_label_is_cached(struct aa_label *subj_label,
+			    struct aa_label *obj_label)
+{
+	return aa_label_is_subset(obj_label, subj_label);
+}
+
+/* for now separate fn to indicate semantics of the check */
+static bool __file_is_delegated(struct aa_label *obj_label)
+{
+	return unconfined(obj_label);
+}
+
 /**
  * aa_file_perm - do permission revalidation check & audit for @file
  * @op: operation being checked
@@ -594,8 +607,8 @@ int aa_file_perm(const char *op, const struct cred *subj_cred,
 	 *       delegation from unconfined tasks
 	 */
 	denied = request & ~fctx->allow;
-	if (unconfined(label) || unconfined(flabel) ||
-	    (!denied && aa_label_is_subset(flabel, label))) {
+	if (unconfined(label) || __file_is_delegated(flabel) ||
+	    (!denied && __subj_label_is_cached(label, flabel))) {
 		rcu_read_unlock();
 		goto done;
 	}