shared.h is no longer shared with anything. Remove it, and put its
definitions in apparmor.h.
Remove AA_MAY_READ, AA_MAY_WRITE, AA_MAY_EXEC, AA_MAY_APPEND, and
use the in-kernel versions instead: we are doing that in some
places already anyway; redefining them only raises the question
if the AA_MAY_ constants are identical to the MAY_ constants.
Index: b/security/apparmor/lsm.c
10
===================================================================
11
--- a/security/apparmor/lsm.c
12
+++ b/security/apparmor/lsm.c
13
@@ -231,8 +231,7 @@ static int apparmor_inode_mkdir(struct i
14
active = get_active_aa_profile();
17
- error = aa_perm_dir(active, dentry, mnt, "mkdir",
19
+ error = aa_perm_dir(active, dentry, mnt, "mkdir", MAY_WRITE);
21
put_aa_profile(active);
23
@@ -252,8 +251,7 @@ static int apparmor_inode_rmdir(struct i
24
active = get_active_aa_profile();
27
- error = aa_perm_dir(active, dentry, mnt, "rmdir",
29
+ error = aa_perm_dir(active, dentry, mnt, "rmdir", MAY_WRITE);
31
put_aa_profile(active);
33
@@ -426,27 +424,25 @@ static int apparmor_inode_setxattr(struc
34
char *name, void *value, size_t size,
37
- return aa_xattr_permission(dentry, mnt, name, "xattr set",
39
+ return aa_xattr_permission(dentry, mnt, name, "xattr set", MAY_WRITE);
42
static int apparmor_inode_getxattr(struct dentry *dentry, struct vfsmount *mnt,
45
- return aa_xattr_permission(dentry, mnt, name, "xattr get", AA_MAY_READ);
46
+ return aa_xattr_permission(dentry, mnt, name, "xattr get", MAY_READ);
49
static int apparmor_inode_listxattr(struct dentry *dentry, struct vfsmount *mnt)
51
- return aa_xattr_permission(dentry, mnt, NULL, "xattr list",
53
+ return aa_xattr_permission(dentry, mnt, NULL, "xattr list", MAY_READ);
56
static int apparmor_inode_removexattr(struct dentry *dentry,
57
struct vfsmount *mnt, char *name)
59
return aa_xattr_permission(dentry, mnt, name, "xattr remove",
64
static inline int aa_mmap(struct file *file, unsigned long prot,
65
Index: b/security/apparmor/main.c
66
===================================================================
67
--- a/security/apparmor/main.c
68
+++ b/security/apparmor/main.c
69
@@ -404,9 +404,9 @@ int aa_audit(struct aa_profile *active,
71
audit_log_format(ab, "%s%s%s%s%s access to %s ",
72
perm & AA_EXEC_MMAP ? "m" : "",
73
- perm & AA_MAY_READ ? "r" : "",
74
- perm & AA_MAY_WRITE ? "w" : "",
75
- perm & AA_MAY_EXEC ? "x" : "",
76
+ perm & MAY_READ ? "r" : "",
77
+ perm & MAY_WRITE ? "w" : "",
78
+ perm & MAY_EXEC ? "x" : "",
79
perm & AA_MAY_LINK ? "l" : "",
82
@@ -839,13 +839,13 @@ int aa_register(struct linux_binprm *bpr
83
find_profile_mandatory = 1;
88
/* this should not happen, entries
89
* with just EXEC only should be
90
* rejected at profile load time
92
AA_ERROR("%s: Rejecting exec(2) of image '%s'. "
93
- "AA_MAY_EXEC without exec qualifier invalid "
94
+ "MAY_EXEC without exec qualifier invalid "
95
"(%s(%d) profile %s active %s\n",
98
Index: b/security/apparmor/shared.h
99
===================================================================
100
--- a/security/apparmor/shared.h
104
- * Copyright (C) 2000, 2001, 2004, 2005 Novell/SUSE
106
- * Immunix AppArmor LSM
108
- * This program is free software; you can redistribute it and/or
109
- * modify it under the terms of the GNU General Public License as
110
- * published by the Free Software Foundation, version 2 of the
117
-/* start of system offsets */
118
-#define POS_AA_FILE_MIN 0
119
-#define POS_AA_MAY_EXEC POS_AA_FILE_MIN
120
-#define POS_AA_MAY_WRITE (POS_AA_MAY_EXEC + 1)
121
-#define POS_AA_MAY_READ (POS_AA_MAY_WRITE + 1)
122
-#define POS_AA_MAY_APPEND (POS_AA_MAY_READ + 1)
123
-/* end of system offsets */
125
-#define POS_AA_MAY_LINK (POS_AA_MAY_APPEND + 1)
126
-#define POS_AA_EXEC_INHERIT (POS_AA_MAY_LINK + 1)
127
-#define POS_AA_EXEC_UNCONSTRAINED (POS_AA_EXEC_INHERIT + 1)
128
-#define POS_AA_EXEC_PROFILE (POS_AA_EXEC_UNCONSTRAINED + 1)
129
-#define POS_AA_EXEC_MMAP (POS_AA_EXEC_PROFILE + 1)
130
-#define POS_AA_EXEC_UNSAFE (POS_AA_EXEC_MMAP + 1)
131
-#define POS_AA_FILE_MAX POS_AA_EXEC_UNSAFE
133
-/* Invalid perm permission */
134
-#define POS_AA_INVALID_POS 31
136
-/* Modeled after MAY_READ, MAY_WRITE, MAY_EXEC def'ns */
137
-#define AA_MAY_EXEC (0x01 << POS_AA_MAY_EXEC)
138
-#define AA_MAY_WRITE (0x01 << POS_AA_MAY_WRITE)
139
-#define AA_MAY_READ (0x01 << POS_AA_MAY_READ)
140
-#define AA_MAY_LINK (0x01 << POS_AA_MAY_LINK)
141
-#define AA_EXEC_INHERIT (0x01 << POS_AA_EXEC_INHERIT)
142
-#define AA_EXEC_UNCONSTRAINED (0x01 << POS_AA_EXEC_UNCONSTRAINED)
143
-#define AA_EXEC_PROFILE (0x01 << POS_AA_EXEC_PROFILE)
144
-#define AA_EXEC_MMAP (0x01 << POS_AA_EXEC_MMAP)
145
-#define AA_EXEC_UNSAFE (0x01 << POS_AA_EXEC_UNSAFE)
146
-#define AA_INVALID_PERM (0x01 << POS_AA_INVALID_POS)
148
-#define AA_EXEC_MODIFIERS (AA_EXEC_INHERIT | \
149
- AA_EXEC_UNCONSTRAINED | \
151
-#define AA_VALID_PERM_MASK ((1 << (POS_AA_FILE_MAX + 1)) - 1)
153
-#endif /* _SHARED_H */
154
Index: b/security/apparmor/apparmor.h
155
===================================================================
156
--- a/security/apparmor/apparmor.h
157
+++ b/security/apparmor/apparmor.h
159
#include <linux/binfmts.h> /* defn of linux_binprm */
160
#include <linux/rcupdate.h>
166
+ * We use MAY_READ, MAY_WRITE, MAY_EXEC, and the following flags for
167
+ * profile permissions (we don't use MAY_APPEND):
169
+#define AA_MAY_LINK 0x0010
170
+#define AA_EXEC_INHERIT 0x0020
171
+#define AA_EXEC_UNCONSTRAINED 0x0040
172
+#define AA_EXEC_PROFILE 0x0080
173
+#define AA_EXEC_MMAP 0x0100
174
+#define AA_EXEC_UNSAFE 0x0200
175
+#define AA_INVALID_PERM 0x0400
177
+#define AA_EXEC_MODIFIERS (AA_EXEC_INHERIT | \
178
+ AA_EXEC_UNCONSTRAINED | \
181
/* Control parameters (0 or 1), settable thru module/boot flags or
182
* via /sys/kernel/security/apparmor/control */
183
extern int apparmor_complain;
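Review bot: `AA_INVALID_PERM` changes value in this hunk, from bit 31 (`POS_AA_INVALID_POS 31` in the removed shared.h) to `0x0400`, and the commit message, which presents the move as a pure relocation of definitions, does not mention it. The other flags keep their old bit positions (AA_MAY_LINK 0x10 through AA_EXEC_UNSAFE 0x200, with 0x8 = MAY_APPEND left free), so those are safe, but `AA_VALID_PERM_MASK` was also deleted from shared.h and neither a replacement nor the code that tests `AA_INVALID_PERM` is visible here, so whether any validity check or profile-load path depended on the invalid bit being outside a 32-bit permission word cannot be confirmed from this excerpt. Either keep `(1 << 31)` or state the change and its rationale in the commit message, and document the deliberate gap with a comment on the block, e.g. `/* 0x0008 is MAY_APPEND; left unused so no AA_ flag aliases a kernel MAY_ bit */`. The hunk's trailing context may continue past the last line shown.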