From 92de220a7f336367127351da58cff691da5bb17b Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Tue, 30 Jun 2020 17:00:11 -0700
Subject: apparmor: update policy capable checks to use a label

Previously the policy capable checks assumed they were using the current task. Make them take the task label so the query can be made against an arbitrary task.
Signed-off-by: John Johansen
---
 security/apparmor/include/label.h | 1 +
 security/apparmor/include/policy.h | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)
(limited to 'security/apparmor/include')
diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
index 255764ab06e2..f5b5485e20c9 100644
--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -148,6 +148,7 @@ do { \
 #define __label_make_stale(X) ((X)->flags |= FLAG_STALE)
 #define labels_ns(X) (vec_ns(&((X)->vec[0]), (X)->size))
 #define labels_set(X) (&labels_ns(X)->labels)
+#define labels_view(X) labels_ns(X)
 #define labels_profile(X) ((X)->vec[(X)->size - 1])
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index b5b4b8190e65..cb5ef21991b7 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -301,9 +301,11 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
 return profile->audit;
 }
-bool policy_view_capable(struct aa_ns *ns);
-bool policy_admin_capable(struct aa_ns *ns);
+bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns);
+bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns);
 int aa_may_manage_policy(struct aa_label *label, struct aa_ns *ns, u32 mask);
+bool aa_current_policy_view_capable(struct aa_ns *ns);
+bool aa_current_policy_admin_capable(struct aa_ns *ns);
 #endif /* __AA_POLICY_H */
-- cgit v1.2.3
From ef70454508c00a415a41156a19cb771a186c55d0 Mon Sep 17 00:00:00 2001
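Review bot: `labels_view(X)` is added as a bare alias of `labels_ns(X)` with no comment saying what a label's "view" is or why a second name is wanted while the two are identical; the commit message only talks about the policy capable checks. A one-line comment above the new define, e.g. `/* ns from which a label's policy is viewed; currently the label's own ns */`, would record the intent (presumably so the two can diverge later without touching callers). Since it expands through labels_ns(X), X is still evaluated twice, the same as the neighbouring macros.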
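Review bot: The new `aa_policy_view_capable()` and `aa_policy_admin_capable()` prototypes take a `struct aa_label *label`, but nothing in the header says whose label it is, whether NULL is accepted, or which task's credentials the capability check is made against; the removed `policy_*_capable(ns)` forms implicitly meant the current task. Given the commit message says the query can now be made against an arbitrary task, a kernel-doc block on these declarations should state that `label` is the label of the task being checked and whether it may be NULL, if that is the contract. The `aa_current_*` wrappers presumably bind `label` to the caller's own label; confirm in policy.c, which is outside this diff, that the non-current variants also use credentials belonging to that task rather than `current`, otherwise the label and the capability check could disagree.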
From: Randy Dunlap
Date: Mon, 25 Jan 2021 11:53:50 -0800
Subject: security: apparmor: file.h: delete duplicated word

Delete the doubled word "then" in a comment.
Signed-off-by: Randy Dunlap
Reviewed-by: Seth Arnold
Signed-off-by: John Johansen
---
 security/apparmor/include/file.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'security/apparmor/include')
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
index aff26fc71407..a7672dacd001 100644
--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -167,7 +167,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
 * @perms: permission table indexed by the matched state accept entry of @dfa
 * @trans: transition table for indexed by named x transitions
 *
- * File permission are determined by matching a path against @dfa and then
+ * File permission are determined by matching a path against @dfa and
 * then using the value of the accept entry for the matching state as
 * an index into @perms. If a named exec transition is required it is
 * looked up in the transition table.
-- cgit v1.2.3
From c75ea024094e7307219a4f9c706dad5ea461509a Mon Sep 17 00:00:00 2001
From: Arnd Bergmann
Date: Mon, 22 Mar 2021 12:00:08 +0100
Subject: apparmor: avoid -Wempty-body warning

Building with 'make W=1' shows a warning for an empty macro:
security/apparmor/label.c: In function '__label_update':
security/apparmor/label.c:2096:59: error: suggest braces around empty body in an 'else' statement [-Werror=empty-body]
 2096 | AA_BUG(labels_ns(label) != labels_ns(new));
Change the macro definition to use no_printk(), which improves format string checking and avoids the warning.
Signed-off-by: Arnd Bergmann
Signed-off-by: John Johansen
---
 security/apparmor/include/lib.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'security/apparmor/include')
diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
index 7d27db740bc2..67fbb81a11f3 100644
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -36,7 +36,7 @@
 #define AA_BUG_FMT(X, fmt, args...) \
 WARN((X), "AppArmor WARN %s: (" #X "): " fmt, __func__, ##args)
 #else
-#define AA_BUG_FMT(X, fmt, args...)
+#define AA_BUG_FMT(X, fmt, args...) no_printk(fmt, ##args)
 #endif
 #define AA_ERROR(fmt, args...) \
-- cgit v1.2.3
From 7e50e9ffdee6fa8b375baddbac85fcb8ffee156a Mon Sep 17 00:00:00 2001
From: Shaokun Zhang
Date: Sat, 29 May 2021 16:40:48 +0800
Subject: apparmor: Remove the repeated declaration

Function 'aa_labelset_destroy' and 'aa_labelset_init' are declared twice, so remove the repeated declaration and unnecessary blank line.
Cc: John Johansen
Cc: James Morris
Cc: "Serge E. Hallyn"
Signed-off-by: Shaokun Zhang
Signed-off-by: John Johansen
---
 security/apparmor/include/label.h | 4 ----
 1 file changed, 4 deletions(-)
(limited to 'security/apparmor/include')
diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
index f5b5485e20c9..7ead1474769e 100644
--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -77,10 +77,6 @@ struct aa_labelset {
 #define __labelset_for_each(LS, N) \
 for ((N) = rb_first(&(LS)->root); (N); (N) = rb_next(N))
-void aa_labelset_destroy(struct aa_labelset *ls);
-void aa_labelset_init(struct aa_labelset *ls);
-
-
 enum label_flags {
 FLAG_HAT = 1, /* profile is a hat */
 FLAG_UNCONFINED = 2, /* label unconfined only if all */
-- cgit v1.2.3
From 4d47fbbe54bf75b72eac3f5a0caa664300937620 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Thu, 2 Sep 2021 23:27:31 -0700
Subject: apparmor: fix zero-length compiler warning in AA_BUG()

Uses of AA_BUG() without a message can result in the compiler warning
warning: zero-length gnu_printf format string [-Wformat-zero-length]
Fix this with a pragma for now. A larger rework of AA_BUG() will follow.
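Review bot: The new non-debug expansion `no_printk(fmt, ##args)` receives `"" args` from `AA_BUG()` (defined a few lines above this hunk in lib.h), so every `AA_BUG()` call without a message becomes `no_printk("")` and trips `-Wformat-zero-length`; the "fix zero-length compiler warning" patch further down this page works around exactly that with a pragma. A definition that keeps the format checking but never passes an empty format avoids both, e.g. `#define AA_BUG_FMT(X, fmt, args...) no_printk("%s" fmt, "", ##args)`. The condition `X` is still not referenced at all in this configuration, as it was not before, so a variable whose only use is inside an AA_BUG() may warn as unused in non-debug builds; that predates this change but is worth a comment on the `#else` branch.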
Signed-off-by: John Johansen
---
 security/apparmor/include/lib.h | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'security/apparmor/include')
diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
index 67fbb81a11f3..e2e8df0c6f1c 100644
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -31,7 +31,12 @@
 #define AA_WARN(X) WARN((X), "APPARMOR WARN %s: %s\n", __func__, #X)
-#define AA_BUG(X, args...) AA_BUG_FMT((X), "" args)
+#define AA_BUG(X, args...) \
+ do { \
+ _Pragma("GCC diagnostic ignored \"-Wformat-zero-length\""); \
+ AA_BUG_FMT((X), "" args); \
+ _Pragma("GCC diagnostic warning \"-Wformat-zero-length\""); \
+ } while (0)
 #ifdef CONFIG_SECURITY_APPARMOR_DEBUG_ASSERTS
 #define AA_BUG_FMT(X, fmt, args...) \
 WARN((X), "AppArmor WARN %s: (" #X "): " fmt, __func__, ##args)
-- cgit v1.2.3
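Review bot: The trailing `_Pragma("GCC diagnostic warning \"-Wformat-zero-length\"")` does not restore the previous state; it forces the diagnostic to warning level for the rest of the translation unit after every `AA_BUG()` use, so a build with `-Werror=format-zero-length` (or one that had the warning disabled) silently changes severity from that point on. Add `_Pragma("GCC diagnostic push");` before the ignore and replace the final pragma line with `_Pragma("GCC diagnostic pop");`, which restores whatever was in effect. Wrapping the expansion in `do { } while (0)` also turns `AA_BUG()` from an expression into a statement; that suits the `else AA_BUG(...)` use quoted in the earlier commit message on this page, but any caller that used it inside an expression would no longer compile, and none are visible here.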