apparmor: change op from int to const char *
Having ops be an integer that is an index into an op name table is awkward and brittle. Every op change requires an edit for both the op constant and a string in the table. Instead switch to using const strings directly, eliminating the need for the table that needs to be kept in sync. Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
parent
55a26ebf63
commit
47f6e5cc73
|
@ -85,7 +85,7 @@ static int mangle_name(const char *name, char *target)
|
|||
* Returns: kernel buffer containing copy of user buffer data or an
|
||||
* ERR_PTR on failure.
|
||||
*/
|
||||
static struct aa_loaddata *aa_simple_write_to_buffer(int op,
|
||||
static struct aa_loaddata *aa_simple_write_to_buffer(const char *op,
|
||||
const char __user *userbuf,
|
||||
size_t alloc_size,
|
||||
size_t copy_size,
|
||||
|
@ -122,7 +122,7 @@ static ssize_t policy_update(int binop, const char __user *buf, size_t size,
|
|||
ssize_t error;
|
||||
struct aa_loaddata *data;
|
||||
struct aa_profile *profile = aa_current_profile();
|
||||
int op = binop == PROF_ADD ? OP_PROF_LOAD : OP_PROF_REPL;
|
||||
const char *op = binop == PROF_ADD ? OP_PROF_LOAD : OP_PROF_REPL;
|
||||
/* high level check about policy management - fine grained in
|
||||
* below after unpack
|
||||
*/
|
||||
|
|
|
@ -20,59 +20,6 @@
|
|||
#include "include/policy.h"
|
||||
#include "include/policy_ns.h"
|
||||
|
||||
const char *const op_table[] = {
|
||||
"null",
|
||||
|
||||
"sysctl",
|
||||
"capable",
|
||||
|
||||
"unlink",
|
||||
"mkdir",
|
||||
"rmdir",
|
||||
"mknod",
|
||||
"truncate",
|
||||
"link",
|
||||
"symlink",
|
||||
"rename_src",
|
||||
"rename_dest",
|
||||
"chmod",
|
||||
"chown",
|
||||
"getattr",
|
||||
"open",
|
||||
|
||||
"file_perm",
|
||||
"file_lock",
|
||||
"file_mmap",
|
||||
"file_mprotect",
|
||||
|
||||
"create",
|
||||
"post_create",
|
||||
"bind",
|
||||
"connect",
|
||||
"listen",
|
||||
"accept",
|
||||
"sendmsg",
|
||||
"recvmsg",
|
||||
"getsockname",
|
||||
"getpeername",
|
||||
"getsockopt",
|
||||
"setsockopt",
|
||||
"socket_shutdown",
|
||||
|
||||
"ptrace",
|
||||
|
||||
"exec",
|
||||
"change_hat",
|
||||
"change_profile",
|
||||
"change_onexec",
|
||||
|
||||
"setprocattr",
|
||||
"setrlimit",
|
||||
|
||||
"profile_replace",
|
||||
"profile_load",
|
||||
"profile_remove"
|
||||
};
|
||||
|
||||
const char *const audit_mode_names[] = {
|
||||
"normal",
|
||||
|
@ -120,7 +67,7 @@ static void audit_pre(struct audit_buffer *ab, void *ca)
|
|||
|
||||
if (sa->aad->op) {
|
||||
audit_log_format(ab, " operation=");
|
||||
audit_log_string(ab, op_table[sa->aad->op]);
|
||||
audit_log_string(ab, sa->aad->op);
|
||||
}
|
||||
|
||||
if (sa->aad->info) {
|
||||
|
|
|
@ -750,8 +750,8 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
|
|||
struct aa_profile *profile, *target = NULL;
|
||||
struct aa_ns *ns = NULL;
|
||||
struct file_perms perms = {};
|
||||
const char *name = NULL, *info = NULL;
|
||||
int op, error = 0;
|
||||
const char *name = NULL, *info = NULL, *op;
|
||||
int error = 0;
|
||||
u32 request;
|
||||
|
||||
if (!hname && !ns_name)
|
||||
|
|
|
@ -104,7 +104,7 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
|
|||
* Returns: %0 or error on failure
|
||||
*/
|
||||
int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
|
||||
gfp_t gfp, int op, u32 request, const char *name,
|
||||
gfp_t gfp, const char *op, u32 request, const char *name,
|
||||
const char *target, kuid_t ouid, const char *info, int error)
|
||||
{
|
||||
int type = AUDIT_APPARMOR_AUTO;
|
||||
|
@ -276,8 +276,9 @@ static inline bool is_deleted(struct dentry *dentry)
|
|||
*
|
||||
* Returns: %0 else error if access denied or other error
|
||||
*/
|
||||
int aa_path_perm(int op, struct aa_profile *profile, const struct path *path,
|
||||
int flags, u32 request, struct path_cond *cond)
|
||||
int aa_path_perm(const char *op, struct aa_profile *profile,
|
||||
const struct path *path, int flags, u32 request,
|
||||
struct path_cond *cond)
|
||||
{
|
||||
char *buffer = NULL;
|
||||
struct file_perms perms = {};
|
||||
|
@ -446,7 +447,7 @@ audit:
|
|||
*
|
||||
* Returns: %0 if access allowed else error
|
||||
*/
|
||||
int aa_file_perm(int op, struct aa_profile *profile, struct file *file,
|
||||
int aa_file_perm(const char *op, struct aa_profile *profile, struct file *file,
|
||||
u32 request)
|
||||
{
|
||||
struct path_cond cond = {
|
||||
|
|
|
@ -46,65 +46,63 @@ enum audit_type {
|
|||
AUDIT_APPARMOR_AUTO
|
||||
};
|
||||
|
||||
extern const char *const op_table[];
|
||||
enum aa_ops {
|
||||
OP_NULL,
|
||||
#define OP_NULL NULL
|
||||
|
||||
OP_SYSCTL,
|
||||
OP_CAPABLE,
|
||||
#define OP_SYSCTL "sysctl"
|
||||
#define OP_CAPABLE "capable"
|
||||
|
||||
OP_UNLINK,
|
||||
OP_MKDIR,
|
||||
OP_RMDIR,
|
||||
OP_MKNOD,
|
||||
OP_TRUNC,
|
||||
OP_LINK,
|
||||
OP_SYMLINK,
|
||||
OP_RENAME_SRC,
|
||||
OP_RENAME_DEST,
|
||||
OP_CHMOD,
|
||||
OP_CHOWN,
|
||||
OP_GETATTR,
|
||||
OP_OPEN,
|
||||
#define OP_UNLINK "unlink"
|
||||
#define OP_MKDIR "mkdir"
|
||||
#define OP_RMDIR "rmdir"
|
||||
#define OP_MKNOD "mknod"
|
||||
#define OP_TRUNC "truncate"
|
||||
#define OP_LINK "link"
|
||||
#define OP_SYMLINK "symlink"
|
||||
#define OP_RENAME_SRC "rename_src"
|
||||
#define OP_RENAME_DEST "rename_dest"
|
||||
#define OP_CHMOD "chmod"
|
||||
#define OP_CHOWN "chown"
|
||||
#define OP_GETATTR "getattr"
|
||||
#define OP_OPEN "open"
|
||||
|
||||
OP_FPERM,
|
||||
OP_FLOCK,
|
||||
OP_FMMAP,
|
||||
OP_FMPROT,
|
||||
#define OP_FPERM "file_perm"
|
||||
#define OP_FLOCK "file_lock"
|
||||
#define OP_FMMAP "file_mmap"
|
||||
#define OP_FMPROT "file_mprotect"
|
||||
|
||||
OP_CREATE,
|
||||
OP_POST_CREATE,
|
||||
OP_BIND,
|
||||
OP_CONNECT,
|
||||
OP_LISTEN,
|
||||
OP_ACCEPT,
|
||||
OP_SENDMSG,
|
||||
OP_RECVMSG,
|
||||
OP_GETSOCKNAME,
|
||||
OP_GETPEERNAME,
|
||||
OP_GETSOCKOPT,
|
||||
OP_SETSOCKOPT,
|
||||
OP_SOCK_SHUTDOWN,
|
||||
#define OP_CREATE "create"
|
||||
#define OP_POST_CREATE "post_create"
|
||||
#define OP_BIND "bind"
|
||||
#define OP_CONNECT "connect"
|
||||
#define OP_LISTEN "listen"
|
||||
#define OP_ACCEPT "accept"
|
||||
#define OP_SENDMSG "sendmsg"
|
||||
#define OP_RECVMSG "recvmsg"
|
||||
#define OP_GETSOCKNAME "getsockname"
|
||||
#define OP_GETPEERNAME "getpeername"
|
||||
#define OP_GETSOCKOPT "getsockopt"
|
||||
#define OP_SETSOCKOPT "setsockopt"
|
||||
#define OP_SHUTDOWN "socket_shutdown"
|
||||
|
||||
OP_PTRACE,
|
||||
#define OP_PTRACE "ptrace"
|
||||
|
||||
OP_EXEC,
|
||||
OP_CHANGE_HAT,
|
||||
OP_CHANGE_PROFILE,
|
||||
OP_CHANGE_ONEXEC,
|
||||
#define OP_EXEC "exec"
|
||||
|
||||
OP_SETPROCATTR,
|
||||
OP_SETRLIMIT,
|
||||
#define OP_CHANGE_HAT "change_hat"
|
||||
#define OP_CHANGE_PROFILE "change_profile"
|
||||
#define OP_CHANGE_ONEXEC "change_onexec"
|
||||
|
||||
OP_PROF_REPL,
|
||||
OP_PROF_LOAD,
|
||||
OP_PROF_RM,
|
||||
};
|
||||
#define OP_SETPROCATTR "setprocattr"
|
||||
#define OP_SETRLIMIT "setrlimit"
|
||||
|
||||
#define OP_PROF_REPL "profile_replace"
|
||||
#define OP_PROF_LOAD "profile_load"
|
||||
#define OP_PROF_RM "profile_remove"
|
||||
|
||||
|
||||
struct apparmor_audit_data {
|
||||
int error;
|
||||
int op;
|
||||
const char *op;
|
||||
int type;
|
||||
void *profile;
|
||||
const char *name;
|
||||
|
|
|
@ -145,7 +145,7 @@ static inline u16 dfa_map_xindex(u16 mask)
|
|||
dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
|
||||
|
||||
int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
|
||||
gfp_t gfp, int op, u32 request, const char *name,
|
||||
gfp_t gfp, const char *op, u32 request, const char *name,
|
||||
const char *target, kuid_t ouid, const char *info, int error);
|
||||
|
||||
/**
|
||||
|
@ -171,13 +171,14 @@ unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
|
|||
const char *name, struct path_cond *cond,
|
||||
struct file_perms *perms);
|
||||
|
||||
int aa_path_perm(int op, struct aa_profile *profile, const struct path *path,
|
||||
int flags, u32 request, struct path_cond *cond);
|
||||
int aa_path_perm(const char *op, struct aa_profile *profile,
|
||||
const struct path *path, int flags, u32 request,
|
||||
struct path_cond *cond);
|
||||
|
||||
int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
|
||||
const struct path *new_dir, struct dentry *new_dentry);
|
||||
|
||||
int aa_file_perm(int op, struct aa_profile *profile, struct file *file,
|
||||
int aa_file_perm(const char *op, struct aa_profile *profile, struct file *file,
|
||||
u32 request);
|
||||
|
||||
static inline void aa_free_file_rules(struct aa_file_rules *rules)
|
||||
|
|
|
@ -303,6 +303,7 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
|
|||
|
||||
bool policy_view_capable(struct aa_ns *ns);
|
||||
bool policy_admin_capable(struct aa_ns *ns);
|
||||
int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op);
|
||||
int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns,
|
||||
const char *op);
|
||||
|
||||
#endif /* __AA_POLICY_H */
|
||||
|
|
|
@ -152,7 +152,7 @@ static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
|
|||
*
|
||||
* Returns: %0 else error code if error or permission denied
|
||||
*/
|
||||
static int common_perm(int op, const struct path *path, u32 mask,
|
||||
static int common_perm(const char *op, const struct path *path, u32 mask,
|
||||
struct path_cond *cond)
|
||||
{
|
||||
struct aa_profile *profile;
|
||||
|
@ -175,7 +175,7 @@ static int common_perm(int op, const struct path *path, u32 mask,
|
|||
*
|
||||
* Returns: %0 else error code if error or permission denied
|
||||
*/
|
||||
static int common_perm_dir_dentry(int op, const struct path *dir,
|
||||
static int common_perm_dir_dentry(const char *op, const struct path *dir,
|
||||
struct dentry *dentry, u32 mask,
|
||||
struct path_cond *cond)
|
||||
{
|
||||
|
@ -192,7 +192,8 @@ static int common_perm_dir_dentry(int op, const struct path *dir,
|
|||
*
|
||||
* Returns: %0 else error code if error or permission denied
|
||||
*/
|
||||
static inline int common_perm_path(int op, const struct path *path, u32 mask)
|
||||
static inline int common_perm_path(const char *op, const struct path *path,
|
||||
u32 mask)
|
||||
{
|
||||
struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
|
||||
d_backing_inode(path->dentry)->i_mode
|
||||
|
@ -212,7 +213,7 @@ static inline int common_perm_path(int op, const struct path *path, u32 mask)
|
|||
*
|
||||
* Returns: %0 else error code if error or permission denied
|
||||
*/
|
||||
static int common_perm_rm(int op, const struct path *dir,
|
||||
static int common_perm_rm(const char *op, const struct path *dir,
|
||||
struct dentry *dentry, u32 mask)
|
||||
{
|
||||
struct inode *inode = d_backing_inode(dentry);
|
||||
|
@ -237,7 +238,7 @@ static int common_perm_rm(int op, const struct path *dir,
|
|||
*
|
||||
* Returns: %0 else error code if error or permission denied
|
||||
*/
|
||||
static int common_perm_create(int op, const struct path *dir,
|
||||
static int common_perm_create(const char *op, const struct path *dir,
|
||||
struct dentry *dentry, u32 mask, umode_t mode)
|
||||
{
|
||||
struct path_cond cond = { current_fsuid(), mode };
|
||||
|
@ -395,7 +396,7 @@ static void apparmor_file_free_security(struct file *file)
|
|||
aa_free_file_context(ctx);
|
||||
}
|
||||
|
||||
static int common_file_perm(int op, struct file *file, u32 mask)
|
||||
static int common_file_perm(const char *op, struct file *file, u32 mask)
|
||||
{
|
||||
struct aa_file_ctx *fctx = file->f_security;
|
||||
struct aa_profile *profile, *fprofile = aa_cred_profile(file->f_cred);
|
||||
|
@ -438,7 +439,7 @@ static int apparmor_file_lock(struct file *file, unsigned int cmd)
|
|||
return common_file_perm(OP_FLOCK, file, mask);
|
||||
}
|
||||
|
||||
static int common_mmap(int op, struct file *file, unsigned long prot,
|
||||
static int common_mmap(const char *op, struct file *file, unsigned long prot,
|
||||
unsigned long flags)
|
||||
{
|
||||
int mask = 0;
|
||||
|
|
|
@ -606,7 +606,7 @@ static void audit_cb(struct audit_buffer *ab, void *va)
|
|||
*
|
||||
* Returns: the error to be returned after audit is done
|
||||
*/
|
||||
static int audit_policy(struct aa_profile *profile, int op, gfp_t gfp,
|
||||
static int audit_policy(struct aa_profile *profile, const char *op, gfp_t gfp,
|
||||
const char *nsname, const char *name,
|
||||
const char *info, int error)
|
||||
{
|
||||
|
@ -670,7 +670,8 @@ bool policy_admin_capable(struct aa_ns *ns)
|
|||
*
|
||||
* Returns: 0 if the task is allowed to manipulate policy else error
|
||||
*/
|
||||
int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op)
|
||||
int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns,
|
||||
const char *op)
|
||||
{
|
||||
/* check if loading policy is locked out */
|
||||
if (aa_g_lock_policy)
|
||||
|
@ -819,7 +820,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile,
|
|||
const char *ns_name, *info = NULL;
|
||||
struct aa_ns *ns = NULL;
|
||||
struct aa_load_ent *ent, *tmp;
|
||||
int op = OP_PROF_REPL;
|
||||
const char *op = OP_PROF_REPL;
|
||||
ssize_t count, error;
|
||||
LIST_HEAD(lh);
|
||||
|
||||
|
|
|
@ -88,13 +88,13 @@ int aa_getprocattr(struct aa_profile *profile, char **string)
|
|||
*
|
||||
* Returns: start position of name after token else NULL on failure
|
||||
*/
|
||||
static char *split_token_from_name(int op, char *args, u64 * token)
|
||||
static char *split_token_from_name(const char *op, char *args, u64 *token)
|
||||
{
|
||||
char *name;
|
||||
|
||||
*token = simple_strtoull(args, &name, 16);
|
||||
if ((name == args) || *name != '^') {
|
||||
AA_ERROR("%s: Invalid input '%s'", op_table[op], args);
|
||||
AA_ERROR("%s: Invalid input '%s'", op, args);
|
||||
return ERR_PTR(-EINVAL);
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue