apparmor: cleanup shared permission struct

The shared permissions struct has the stop field which is unneeded and the "reserved" subtree field commented which is needed. Also reorganize so that the entries are logically grouped. Signed-off-by: John Johansen <john.johansen@canonical.com>

apparmor: cleanup shared permission struct
The shared permissions struct has the stop field which is unneeded and the "reserved" subtree field commented which is needed. Also reorganize so that the entries are logically grouped. Signed-off-by: John Johansen <john.johansen@canonical.com>
bf690f59 · John Johansen · 2d63dd43 · bf690f59 · bf690f59
Commit bf690f59 authored Apr 10, 2021 by John Johansen
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 12 deletions

security/apparmor/include/perms.h security/apparmor/include/perms.h +7 -10

security/apparmor/lib.c security/apparmor/lib.c +2 -2

No files found.
--- a/security/apparmor/include/perms.h
+++ b/security/apparmor/include/perms.h
@@ -65,22 +65,19 @@ extern const char *aa_file_perm_names[];
 struct aa_perms {
 	u32 allow;
-	u32 audit;	/* set only when allow is set */
 	u32 deny;	/* explicit deny, or conflict if allow also set */
-	u32 quiet;	/* set only when ~allow | deny */
-	u32 kill;	/* set only when ~allow | deny */
-	u32 stop;	/* set only when ~allow | deny */
-	u32 complain;	/* accumulates only used when ~allow & ~deny */
+	u32 subtree;	/* allow perm on full subtree only when allow is set */
 	u32 cond;	/* set only when ~allow and ~deny */
-	u32 hide;	/* set only when  ~allow | deny */
+	u32 kill;	/* set only when ~allow | deny */
+	u32 complain;	/* accumulates only used when ~allow & ~deny */
 	u32 prompt;	/* accumulates only used when ~allow & ~deny */
-	/* Reserved:
+	u32 audit;	/* set only when allow is set */
-	 * u32 subtree;	/ * set only when allow is set * /
+	u32 quiet;	/* set only when ~allow | deny */
-	 */
+	u32 hide;	/* set only when  ~allow | deny */
 	u16 xindex;
 };

--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -327,11 +327,11 @@ void aa_perms_accum_raw(struct aa_perms *accum, struct aa_perms *addend)
 	accum->audit |= addend->audit & addend->allow;
 	accum->quiet &= addend->quiet & ~addend->allow;
 	accum->kill |= addend->kill & ~addend->allow;
-	accum->stop |= addend->stop & ~addend->allow;
 	accum->complain |= addend->complain & ~addend->allow & ~addend->deny;
 	accum->cond |= addend->cond & ~addend->allow & ~addend->deny;
 	accum->hide &= addend->hide & ~addend->allow;
 	accum->prompt |= addend->prompt & ~addend->allow & ~addend->deny;
+	accum->subtree |= addend->subtree & ~addend->deny;
 }
 /**
@@ -346,11 +346,11 @@ void aa_perms_accum(struct aa_perms *accum, struct aa_perms *addend)
 	accum->audit |= addend->audit & accum->allow;
 	accum->quiet &= addend->quiet & ~accum->allow;
 	accum->kill |= addend->kill & ~accum->allow;
-	accum->stop |= addend->stop & ~accum->allow;
 	accum->complain |= addend->complain & ~accum->allow & ~accum->deny;
 	accum->cond |= addend->cond & ~accum->allow & ~accum->deny;
 	accum->hide &= addend->hide & ~accum->allow;
 	accum->prompt |= addend->prompt & ~accum->allow & ~accum->deny;
+	accum->subtree &= addend->subtree & ~accum->deny;
 }
 void aa_profile_match_label(struct aa_profile *profile, struct aa_label *label,