apparmor: preparse for state being more than just an integer

Convert from an unsigned int to a state_t for state position. This is a step in prepping for the state position carrying some additional flags, and a limited form of backtracking to support variables. Signed-off-by: John Johansen <john.johansen@canonical.com>
author: John Johansen <john.johansen@canonical.com> 2022-01-18 00:43:49 +0300
committer: John Johansen <john.johansen@canonical.com> 2022-10-04 00:49:03 +0300
commit: 33fc95d8293cfca352ac875668857293e22d7d51 (patch)
tree: 045b3ba1a1fb5d6e08845d650b19806c6f44f4d4 /security/apparmor/include
parent: e844fe9b51c984472ea98be3b2d1201ba9ee3213 (diff)
download: linux-33fc95d8293cfca352ac875668857293e22d7d51.tar.xz
5 files changed, 30 insertions, 30 deletions
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
index 736b8f655404..8c82cf279dc2 100644
--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -166,10 +166,10 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
 		  const char *info, int error);
 
 struct aa_perms *aa_lookup_fperms(struct aa_policydb *file_rules,
-				  unsigned int state, struct path_cond *cond);
-unsigned int aa_str_perms(struct aa_policydb *file_rules, unsigned int start,
-			  const char *name, struct path_cond *cond,
-			  struct aa_perms *perms);
+				  aa_state_t state, struct path_cond *cond);
+aa_state_t aa_str_perms(struct aa_policydb *file_rules, aa_state_t start,
+			const char *name, struct path_cond *cond,
+			struct aa_perms *perms);
 
 int __aa_path_perm(const char *op, struct aa_profile *profile,
 		   const char *name, u32 request, struct path_cond *cond,
diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
index 860484c6f99a..1130ba10a152 100644
--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -333,7 +333,7 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
 static inline const char *aa_label_strn_split(const char *str, int n)
 {
 	const char *pos;
-	unsigned int state;
+	aa_state_t state;
 
 	state = aa_dfa_matchn_until(stacksplitdfa, DFA_START, str, n, &pos);
 	if (!ACCEPT_TABLE(stacksplitdfa)[state])
@@ -345,7 +345,7 @@ static inline const char *aa_label_strn_split(const char *str, int n)
 static inline const char *aa_label_str_split(const char *str)
 {
 	const char *pos;
-	unsigned int state;
+	aa_state_t state;
 
 	state = aa_dfa_match_until(stacksplitdfa, DFA_START, str, &pos);
 	if (!ACCEPT_TABLE(stacksplitdfa)[state])
@@ -358,7 +358,7 @@ static inline const char *aa_label_str_split(const char *str)
 
 struct aa_perms;
 int aa_label_match(struct aa_profile *profile, struct aa_label *label,
-		   unsigned int state, bool subns, u32 request,
+		   aa_state_t state, bool subns, u32 request,
 		   struct aa_perms *perms);
 
 
diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
index f42359f58eb5..f176f3ced2a3 100644
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -87,8 +87,8 @@ static inline bool aa_strneq(const char *str, const char *sub, int len)
  * character which is not used in standard matching and is only
  * used to separate pairs.
  */
-static inline unsigned int aa_dfa_null_transition(struct aa_dfa *dfa,
-						  unsigned int start)
+static inline aa_state_t aa_dfa_null_transition(struct aa_dfa *dfa,
+						aa_state_t start)
 {
 	/* the null transition only needs the string's null terminator byte */
 	return aa_dfa_next(dfa, start, 0);
diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
index 884489590588..58fbf67139b9 100644
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -125,19 +125,19 @@ static inline size_t table_size(size_t len, size_t el_size)
 int aa_setup_dfa_engine(void);
 void aa_teardown_dfa_engine(void);
 
+#define aa_state_t unsigned int
+
 struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags);
-unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
-			      const char *str, int len);
-unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
-			  const char *str);
-unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
-			 const char c);
-unsigned int aa_dfa_outofband_transition(struct aa_dfa *dfa,
-					 unsigned int state);
-unsigned int aa_dfa_match_until(struct aa_dfa *dfa, unsigned int start,
-				const char *str, const char **retpos);
-unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start,
-				 const char *str, int n, const char **retpos);
+aa_state_t aa_dfa_match_len(struct aa_dfa *dfa, aa_state_t start,
+			    const char *str, int len);
+aa_state_t aa_dfa_match(struct aa_dfa *dfa, aa_state_t start,
+			const char *str);
+aa_state_t aa_dfa_next(struct aa_dfa *dfa, aa_state_t state, const char c);
+aa_state_t aa_dfa_outofband_transition(struct aa_dfa *dfa, aa_state_t state);
+aa_state_t aa_dfa_match_until(struct aa_dfa *dfa, aa_state_t start,
+			      const char *str, const char **retpos);
+aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start,
+			       const char *str, int n, const char **retpos);
 
 void aa_dfa_free_kref(struct kref *kref);
 
@@ -156,8 +156,8 @@ struct match_workbuf N = {		\
 	.len = 0,			\
 }
 
-unsigned int aa_dfa_leftmatch(struct aa_dfa *dfa, unsigned int start,
-			      const char *str, unsigned int *count);
+aa_state_t aa_dfa_leftmatch(struct aa_dfa *dfa, aa_state_t start,
+			    const char *str, unsigned int *count);
 
 /**
  * aa_get_dfa - increment refcount on dfa @p
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 31c0af876250..3a7d165e8fcc 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -78,7 +78,7 @@ struct aa_policydb {
 	struct aa_dfa *dfa;
 	struct aa_perms *perms;
 	struct aa_domain trans;
-	unsigned int start[AA_CLASS_LAST + 1];
+	aa_state_t start[AA_CLASS_LAST + 1];
 };
 
 static inline void aa_destroy_policydb(struct aa_policydb *policy)
@@ -91,7 +91,7 @@ static inline void aa_destroy_policydb(struct aa_policydb *policy)
 }
 
 static inline struct aa_perms *aa_lookup_perms(struct aa_policydb *policy,
-					       unsigned int state)
+					       aa_state_t state)
 {
 	unsigned int index = ACCEPT_TABLE(policy->dfa)[state];
 
@@ -239,7 +239,7 @@ static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
 	return labels_profile(aa_get_newest_label(&p->label));
 }
 
-static inline unsigned int PROFILE_MEDIATES(struct aa_profile *profile,
+static inline aa_state_t PROFILE_MEDIATES(struct aa_profile *profile,
 					    unsigned char class)
 {
 	if (class <= AA_CLASS_LAST)
@@ -249,13 +249,13 @@ static inline unsigned int PROFILE_MEDIATES(struct aa_profile *profile,
 					profile->policy.start[0], &class, 1);
 }
 
-static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
-					       u16 AF) {
-	unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
+static inline aa_state_t PROFILE_MEDIATES_AF(struct aa_profile *profile,
+					     u16 AF) {
+	aa_state_t state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
 	__be16 be_af = cpu_to_be16(AF);
 
 	if (!state)
-		return 0;
+		return DFA_NOMATCH;
 	return aa_dfa_match_len(profile->policy.dfa, state, (char *) &be_af, 2);
 }
author	John Johansen <john.johansen@canonical.com>	2022-01-18 00:43:49 +0300
committer	John Johansen <john.johansen@canonical.com>	2022-10-04 00:49:03 +0300
commit	33fc95d8293cfca352ac875668857293e22d7d51 (patch)
tree	045b3ba1a1fb5d6e08845d650b19806c6f44f4d4 /security/apparmor/include
parent	e844fe9b51c984472ea98be3b2d1201ba9ee3213 (diff)
download	linux-33fc95d8293cfca352ac875668857293e22d7d51.tar.xz