Refactor some duplicated code patterns
lsm.c duplicates the pattern (get active profile; do access check; put
active profile) all over the place. This can easily be abstracted away
as in the attached patch.
Index: b/security/apparmor/lsm.c
8
===================================================================
9
--- a/security/apparmor/lsm.c
10
+++ b/security/apparmor/lsm.c
11
@@ -277,26 +277,27 @@ out:
15
-static int apparmor_inode_create(struct inode *dir, struct dentry *dentry,
16
- struct vfsmount *mnt, int mask)
17
+static int aa_permission(struct inode *inode, struct dentry *dentry,
18
+ struct vfsmount *mnt, int mask)
20
- struct aa_profile *active;
23
- if (!mnt || !mediated_filesystem(dir))
26
- active = get_active_aa_profile();
28
- /* At a minimum, need write perm to create */
30
- error = aa_perm(active, dentry, mnt, MAY_WRITE);
31
+ if (mnt && mediated_filesystem(inode)) {
32
+ struct aa_profile *active = get_active_aa_profile();
34
- put_aa_profile(active);
37
+ error = aa_perm(active, dentry, mnt, mask);
38
+ put_aa_profile(active);
43
+static int apparmor_inode_create(struct inode *dir, struct dentry *dentry,
44
+ struct vfsmount *mnt, int mask)
46
+ return aa_permission(dir, dentry, mnt, MAY_WRITE);
49
static int apparmor_inode_link(struct dentry *old_dentry,
50
struct vfsmount *old_mnt, struct inode *dir,
51
struct dentry *new_dentry,
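Review bot: aa_permission has no header comment, and its `inode` argument is not what the name suggests: apparmor_inode_create passes the parent `dir`, so the inode fed to mediated_filesystem() is the directory rather than `dentry->d_inode`, which presumably does not exist yet at create time. A short comment on the helper would keep the next caller from passing the wrong inode, e.g. `/* Common inode access check. @inode is used only for the mediated_filesystem() test (the parent directory for create-style hooks); a NULL @mnt or an unmediated filesystem means no check is made. */`. It is also worth stating explicitly that `mnt == NULL` is treated as "not mediated" rather than as an error, since that is the fail-open side of a security hook. The initialisation of `error` is on a line not shown in the hunk, so the value returned on the unmediated path is inferred, not visible.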
52
@@ -324,61 +325,19 @@ static int apparmor_inode_unlink(struct
53
struct dentry *dentry,
56
- struct aa_profile *active;
59
- if (!mnt || !mediated_filesystem(dir))
62
- active = get_active_aa_profile();
65
- error = aa_perm(active, dentry, mnt, MAY_WRITE);
67
- put_aa_profile(active);
71
+ return aa_permission(dir, dentry, mnt, MAY_WRITE);
74
static int apparmor_inode_symlink(struct inode *dir, struct dentry *dentry,
75
struct vfsmount *mnt, const char *old_name)
77
- struct aa_profile *active;
80
- if (!mnt || !mediated_filesystem(dir))
83
- active = get_active_aa_profile();
86
- error = aa_perm(active, dentry, mnt, MAY_WRITE);
88
- put_aa_profile(active);
92
+ return aa_permission(dir, dentry, mnt, MAY_WRITE);
95
static int apparmor_inode_mknod(struct inode *dir, struct dentry *dentry,
96
struct vfsmount *mnt, int mode, dev_t dev)
98
- struct aa_profile *active;
101
- if (!mnt || !mediated_filesystem(dir))
104
- active = get_active_aa_profile();
107
- error = aa_perm(active, dentry, mnt, MAY_WRITE);
109
- put_aa_profile(active);
113
+ return aa_permission(dir, dentry, mnt, MAY_WRITE);
116
static int apparmor_inode_rename(struct inode *old_dir,
117
@@ -415,21 +374,10 @@ out:
118
static int apparmor_inode_permission(struct inode *inode, int mask,
119
struct nameidata *nd)
123
- /* Do not perform check on pipes or sockets
124
- * Same as apparmor_file_permission
126
- if (nd && mediated_filesystem(inode)) {
127
- struct aa_profile *active;
129
- active = get_active_aa_profile();
131
- error = aa_perm(active, nd->dentry, nd->mnt, mask);
132
- put_aa_profile(active);
138
+ return aa_permission(inode, nd->dentry, nd->mnt,
139
+ mask & (MAY_READ | MAY_WRITE | MAY_EXEC));
142
static int apparmor_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
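Review bot: The new body dereferences `nd` in `nd->dentry` and `nd->mnt`, whereas the removed code only did so behind `if (nd && mediated_filesystem(inode))`; unless one of the lines omitted between the removed block and the `+ return aa_permission(...)` line restores that guard, a caller invoking the inode_permission hook with a NULL nameidata will oops here. The removed comment suggests the NULL-nd case is how pipes and sockets were deliberately left unchecked, so the guard is behavioural rather than merely defensive. If it is not already present, keep `if (!nd) return 0;` ahead of the call together with a one-line comment saying why a NULL nd means no mediation. The function's opening declarations fall in the hunk's leading context and are partly outside view.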
143
@@ -458,91 +406,49 @@ out:
147
-static int apparmor_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
148
- char *name, void *value, size_t size,
150
+static int aa_xattr_permission(struct dentry *dentry, struct vfsmount *mnt,
151
+ const char *name, const char *operation,
159
- if (mediated_filesystem(dentry->d_inode)) {
160
- struct aa_profile *active;
162
- active = get_active_aa_profile();
163
+ if (mnt && mediated_filesystem(dentry->d_inode)) {
164
+ struct aa_profile *active = get_active_aa_profile();
167
error = aa_perm_xattr(active, dentry, mnt, name,
168
- "xattr set", AA_MAY_WRITE);
170
put_aa_profile(active);
177
+static int apparmor_inode_setxattr(struct dentry *dentry, struct vfsmount *mnt,
178
+ char *name, void *value, size_t size,
181
+ return aa_xattr_permission(dentry, mnt, name, "xattr set",
185
static int apparmor_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
193
- if (mediated_filesystem(dentry->d_inode)) {
194
- struct aa_profile *active;
196
- active = get_active_aa_profile();
198
- error = aa_perm_xattr(active, dentry, mnt, name,
199
- "xattr get", AA_MAY_READ);
200
- put_aa_profile(active);
205
+ return aa_xattr_permission(dentry, mnt, name, "xattr get", AA_MAY_READ);
208
static int apparmor_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt)
215
- if (mediated_filesystem(dentry->d_inode)) {
216
- struct aa_profile *active;
218
- active = get_active_aa_profile();
220
- error = aa_perm_xattr(active, dentry, mnt, NULL,
221
- "xattr list", AA_MAY_READ);;
222
- put_aa_profile(active);
227
+ return aa_xattr_permission(dentry, mnt, NULL, "xattr list",
231
static int apparmor_inode_removexattr(struct dentry *dentry,
232
struct vfsmount *mnt, char *name)
239
- if (mediated_filesystem(dentry->d_inode)) {
240
- struct aa_profile *active;
242
- active = get_active_aa_profile();
244
- error = aa_perm_xattr(active, dentry, mnt, name,
245
- "xattr remove", AA_MAY_WRITE);
246
- put_aa_profile(active);
251
+ return aa_xattr_permission(dentry, mnt, name, "xattr remove",
255
static int apparmor_file_permission(struct file *file, int mask)
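Review bot: aa_xattr_permission adds an `mnt &&` condition that none of the four removed xattr bodies had, so an xattr set/get/list/remove arriving with a NULL vfsmount is now silently allowed instead of being handed to aa_perm_xattr; for a mandatory access control hook that is a new fail-open path, and the commit message presents the change as a pure refactor. If a NULL mnt can reach these hooks, say so in a comment on the helper (`/* A NULL mnt means the object is not on a mediated mount; no check is made. */`) and mention the behavioural change in the description; if it cannot, the test is harmless but the comment should say it is defensive. Either way the reader should not have to compare against the old bodies to discover the difference.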
256
@@ -551,15 +457,16 @@ static int apparmor_file_permission(stru
257
struct aa_profile *file_profile = (struct aa_profile*)file->f_security;
260
- /* bail out early if this isn't a mediated file */
261
- if (!file_profile || !mediated_filesystem(file->f_dentry->d_inode))
262
+ /* FIXME: get rid of revalidation. */
266
active = get_active_aa_profile();
267
if (active && file_profile != active) {
268
- /* FIXME: get rid of revalidation. */
269
- error = aa_perm(active, file->f_dentry, file->f_vfsmnt,
270
- mask & (MAY_EXEC | MAY_WRITE | MAY_READ));
271
+ struct dentry *dentry = file->f_dentry;
273
+ error = aa_permission(dentry->d_inode, dentry, file->f_vfsmnt,
274
+ mask & (MAY_READ | MAY_WRITE | MAY_EXEC));
276
put_aa_profile(active);
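Review bot: Dropping the `!file_profile` early exit changes which files are revalidated: a file whose `f_security` is NULL now enters the `file_profile != active` branch whenever the current task has a profile, where previously it was skipped outright. That is tighter mediation (descriptors opened without a profile, presumably while unconfined, are now checked against the confining profile) and may be intended, but it is not a refactor and the commit message does not mention it. Either record it in the description or keep `if (!file_profile) return 0;` next to the moved FIXME, and add a one-line comment above the condition stating which behaviour is meant. apparmor_file_permission starts before this hunk, so its remaining declarations and the exit path are outside view.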
278
@@ -591,32 +498,22 @@ static void apparmor_file_free_security(
279
static inline int aa_mmap(struct file *file, unsigned long prot,
282
- int error = 0, mask = 0;
283
- struct aa_profile *active;
286
- active = get_active_aa_profile();
287
- if (!active || !file || !mediated_filesystem(file->f_dentry->d_inode))
292
if (prot & PROT_READ)
295
/* Private mappings don't require write perms since they don't
296
* write back to the files */
297
- if (prot & PROT_WRITE && !(flags & MAP_PRIVATE))
298
+ if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
300
if (prot & PROT_EXEC)
301
mask |= AA_EXEC_MMAP;
303
- AA_DEBUG("%s: 0x%x\n", __FUNCTION__, mask);
306
- error = aa_perm(active, file->f_dentry, file->f_vfsmnt, mask);
308
- put_aa_profile(active);
312
+ return aa_permission(file->f_dentry->d_inode, file->f_dentry,
313
+ file->f_vfsmnt, mask);
316
static int apparmor_file_mmap(struct file *file, unsigned long reqprot,
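Review bot: The removed `if (!active || !file || !mediated_filesystem(...)) goto out;` was the only visible NULL check on `file`, and the new `aa_permission(file->f_dentry->d_inode, file->f_dentry, file->f_vfsmnt, mask)` dereferences it unconditionally; the lines between that removal and the `PROT_READ` test are not shown, so if none of them re-adds the guard, a caller passing a NULL file to the mmap hook (an anonymous mapping, presumably) would oops in aa_mmap. Keep `if (!file) return 0;` ahead of the mask computation, or move the check into apparmor_file_mmap and say so in a comment on aa_mmap. The `!active` test is gone as well, which is only safe if aa_perm treats a NULL profile as unconfined, as the inode hooks already assume. The caller apparmor_file_mmap begins on the hunk's last line and continues outside it.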