UBUNTU: SAUCE: apparmor: Fix: query label file permission

File permissions have not been updated to use the newer compute_perms fn yet. So export the fn to compute the file permissions and use it in query_label until file permissions have been converted. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

UBUNTU: SAUCE: apparmor: Fix: query label file permission
File permissions have not been updated to use the newer compute_perms fn yet. So export the fn to compute the file permissions and use it in query_label until file permissions have been converted. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
b59aa901 · John Johansen · Tim Gardner · be364a06 · b59aa901 · b59aa901
Commit b59aa901 authored Oct 15, 2015 by John Johansen Committed by Tim Gardner Apr 06, 2016
Showing with 20 additions and 8 deletions

security/apparmor/apparmorfs.c security/apparmor/apparmorfs.c +14 -4

security/apparmor/file.c security/apparmor/file.c +4 -4

security/apparmor/include/file.h security/apparmor/include/file.h +2 -0

No files found.
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -250,17 +250,27 @@ static ssize_t query_label(char *buf, size_t buf_len,
 			dfa = profile->file.dfa;
 			state = aa_dfa_match_len(dfa, profile->file.start,
 						 match_str + 1, match_len - 1);
+			aa_perms_clear(&tmp);
+			if (state) {
+				struct file_perms fperms = { };
+				struct path_cond cond = { };
+				fperms = aa_compute_fperms(dfa, state, &cond);
+				tmp.allow = fperms.allow;
+				tmp.audit = fperms.audit;
+				tmp.quiet = fperms.quiet;
+				tmp.kill = fperms.kill;
+			}
 		} else if (profile->policy.dfa) {
 			if (!PROFILE_MEDIATES_SAFE(profile, *match_str))
 				continue;	/* no change to current perms */
 			dfa = profile->policy.dfa;
 			state = aa_dfa_match_len(dfa, profile->policy.start[0],
 						 match_str, match_len);
+			if (state)
+				aa_compute_perms(dfa, state, &tmp);
+			else
+				aa_perms_clear(&tmp);
 		}
-		if (state)
-			aa_compute_perms(dfa, state, &tmp);
-		else
-			aa_perms_clear(&tmp);
 		aa_apply_modes_to_perms(profile, &tmp);
 		aa_perms_accum_raw(&perms, &tmp);
 	}

--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -208,7 +208,7 @@ static u32 map_old_perms(u32 old)
 }

 /**
- * compute_perms - convert dfa compressed perms to internal perms
+ * aa_compute_fperms - convert dfa compressed perms to internal perms
 * @dfa: dfa to compute perms for   (NOT NULL)
 * @state: state in dfa
 * @cond:  conditions to consider  (NOT NULL)
@@ -218,8 +218,8 @@ static u32 map_old_perms(u32 old)
 *
 * Returns: computed permission set
 */
-static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
-				       struct path_cond *cond)
+struct file_perms aa_compute_fperms(struct aa_dfa *dfa, unsigned int state,
+				    struct path_cond *cond)
 {
 	struct file_perms perms;

@@ -273,7 +273,7 @@ unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
 	}

 	state = aa_dfa_match(dfa, start, name);
-	*perms = compute_perms(dfa, state, cond);
+	*perms = aa_compute_fperms(dfa, state, cond);

 	return state;
 }

--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -204,6 +204,8 @@ struct aa_file_rules {
 	/* TODO: add delegate table */
 };

+struct file_perms aa_compute_fperms(struct aa_dfa *dfa, unsigned int state,
+				    struct path_cond *cond);
 unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
 			  const char *name, struct path_cond *cond,
 			  struct file_perms *perms);