apparmor: change op from int to const char *

Having ops be an integer that is an index into an op name table is awkward and brittle. Every op change requires an edit for both the op constant and a string in the table. Instead switch to using const strings directly, eliminating the need for the table that needs to be kept in sync. Signed-off-by: John Johansen <john.johansen@canonical.com>

apparmor: change op from int to const char *
Having ops be an integer that is an index into an op name table is awkward and brittle. Every op change requires an edit for both the op constant and a string in the table. Instead switch to using const strings directly, eliminating the need for the table that needs to be kept in sync. Signed-off-by: John Johansen <john.johansen@canonical.com>
47f6e5cc · John Johansen · 55a26ebf · 47f6e5cc · 47f6e5cc · 47f6e5cc
Commit 47f6e5cc authored Jan 16, 2017 by John Johansen
10 changed files
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -85,7 +85,7 @@ static int mangle_name(const char *name, char *target)
 * Returns: kernel buffer containing copy of user buffer data or an
 *          ERR_PTR on failure.
 */
-static struct aa_loaddata *aa_simple_write_to_buffer(int op,
+static struct aa_loaddata *aa_simple_write_to_buffer(const char *op,
 						     const char __user *userbuf,
 						     size_t alloc_size,
 						     size_t copy_size,
@@ -122,7 +122,7 @@ static ssize_t policy_update(int binop, const char __user *buf, size_t size,
 	ssize_t error;
 	struct aa_loaddata *data;
 	struct aa_profile *profile = aa_current_profile();
-	int op = binop == PROF_ADD ? OP_PROF_LOAD : OP_PROF_REPL;
+	const char *op = binop == PROF_ADD ? OP_PROF_LOAD : OP_PROF_REPL;
 	/* high level check about policy management - fine grained in
 	 * below after unpack
 	 */

--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -20,59 +20,6 @@
 #include "include/policy.h"
 #include "include/policy_ns.h"
-const char *const op_table[] = {
-	"null",
-	"sysctl",
-	"capable",
-	"unlink",
-	"mkdir",
-	"rmdir",
-	"mknod",
-	"truncate",
-	"link",
-	"symlink",
-	"rename_src",
-	"rename_dest",
-	"chmod",
-	"chown",
-	"getattr",
-	"open",
-	"file_perm",
-	"file_lock",
-	"file_mmap",
-	"file_mprotect",
-	"create",
-	"post_create",
-	"bind",
-	"connect",
-	"listen",
-	"accept",
-	"sendmsg",
-	"recvmsg",
-	"getsockname",
-	"getpeername",
-	"getsockopt",
-	"setsockopt",
-	"socket_shutdown",
-	"ptrace",
-	"exec",
-	"change_hat",
-	"change_profile",
-	"change_onexec",
-	"setprocattr",
-	"setrlimit",
-	"profile_replace",
-	"profile_load",
-	"profile_remove"
-};
 const char *const audit_mode_names[] = {
 	"normal",
@@ -120,7 +67,7 @@ static void audit_pre(struct audit_buffer *ab, void *ca)
 	if (sa->aad->op) {
 		audit_log_format(ab, " operation=");
-		audit_log_string(ab, op_table[sa->aad->op]);
+		audit_log_string(ab, sa->aad->op);
 	}
 	if (sa->aad->info) {

--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -750,8 +750,8 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
 	struct aa_profile *profile, *target = NULL;
 	struct aa_ns *ns = NULL;
 	struct file_perms perms = {};
-	const char *name = NULL, *info = NULL;
+	const char *name = NULL, *info = NULL, *op;
-	int op, error = 0;
+	int error = 0;
 	u32 request;
 	if (!hname && !ns_name)

--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -104,7 +104,7 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
 * Returns: %0 or error on failure
 */
 int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
-		  gfp_t gfp, int op, u32 request, const char *name,
+		  gfp_t gfp, const char *op, u32 request, const char *name,
 		  const char *target, kuid_t ouid, const char *info, int error)
 {
 	int type = AUDIT_APPARMOR_AUTO;
@@ -276,8 +276,9 @@ static inline bool is_deleted(struct dentry *dentry)
 *
 * Returns: %0 else error if access denied or other error
 */
-int aa_path_perm(int op, struct aa_profile *profile, const struct path *path,
+int aa_path_perm(const char *op, struct aa_profile *profile,
-		 int flags, u32 request, struct path_cond *cond)
+		 const struct path *path, int flags, u32 request,
+		 struct path_cond *cond)
 {
 	char *buffer = NULL;
 	struct file_perms perms = {};
@@ -446,7 +447,7 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
 *
 * Returns: %0 if access allowed else error
 */
-int aa_file_perm(int op, struct aa_profile *profile, struct file *file,
+int aa_file_perm(const char *op, struct aa_profile *profile, struct file *file,
 		 u32 request)
 {
 	struct path_cond cond = {

--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -46,65 +46,63 @@ enum audit_type {
 	AUDIT_APPARMOR_AUTO
 };
-extern const char *const op_table[];
+#define OP_NULL NULL
-enum aa_ops {
-	OP_NULL,
+#define OP_SYSCTL "sysctl"
+#define OP_CAPABLE "capable"
-	OP_SYSCTL,
-	OP_CAPABLE,
+#define OP_UNLINK "unlink"
+#define OP_MKDIR "mkdir"
-	OP_UNLINK,
+#define OP_RMDIR "rmdir"
-	OP_MKDIR,
+#define OP_MKNOD "mknod"
-	OP_RMDIR,
+#define OP_TRUNC "truncate"
-	OP_MKNOD,
+#define OP_LINK "link"
-	OP_TRUNC,
+#define OP_SYMLINK "symlink"
-	OP_LINK,
+#define OP_RENAME_SRC "rename_src"
-	OP_SYMLINK,
+#define OP_RENAME_DEST "rename_dest"
-	OP_RENAME_SRC,
+#define OP_CHMOD "chmod"
-	OP_RENAME_DEST,
+#define OP_CHOWN "chown"
-	OP_CHMOD,
+#define OP_GETATTR "getattr"
-	OP_CHOWN,
+#define OP_OPEN "open"
-	OP_GETATTR,
-	OP_OPEN,
+#define OP_FPERM "file_perm"
+#define OP_FLOCK "file_lock"
-	OP_FPERM,
+#define OP_FMMAP "file_mmap"
-	OP_FLOCK,
+#define OP_FMPROT "file_mprotect"
-	OP_FMMAP,
-	OP_FMPROT,
+#define OP_CREATE "create"
+#define OP_POST_CREATE "post_create"
-	OP_CREATE,
+#define OP_BIND "bind"
-	OP_POST_CREATE,
+#define OP_CONNECT "connect"
-	OP_BIND,
+#define OP_LISTEN "listen"
-	OP_CONNECT,
+#define OP_ACCEPT "accept"
-	OP_LISTEN,
+#define OP_SENDMSG "sendmsg"
-	OP_ACCEPT,
+#define OP_RECVMSG "recvmsg"
-	OP_SENDMSG,
+#define OP_GETSOCKNAME "getsockname"
-	OP_RECVMSG,
+#define OP_GETPEERNAME "getpeername"
-	OP_GETSOCKNAME,
+#define OP_GETSOCKOPT "getsockopt"
-	OP_GETPEERNAME,
+#define OP_SETSOCKOPT "setsockopt"
-	OP_GETSOCKOPT,
+#define OP_SHUTDOWN "socket_shutdown"
-	OP_SETSOCKOPT,
-	OP_SOCK_SHUTDOWN,
+#define OP_PTRACE "ptrace"
-	OP_PTRACE,
+#define OP_EXEC "exec"
-	OP_EXEC,
+#define OP_CHANGE_HAT "change_hat"
-	OP_CHANGE_HAT,
+#define OP_CHANGE_PROFILE "change_profile"
-	OP_CHANGE_PROFILE,
+#define OP_CHANGE_ONEXEC "change_onexec"
-	OP_CHANGE_ONEXEC,
+#define OP_SETPROCATTR "setprocattr"
-	OP_SETPROCATTR,
+#define OP_SETRLIMIT "setrlimit"
-	OP_SETRLIMIT,
+#define OP_PROF_REPL "profile_replace"
-	OP_PROF_REPL,
+#define OP_PROF_LOAD "profile_load"
-	OP_PROF_LOAD,
+#define OP_PROF_RM "profile_remove"
-	OP_PROF_RM,
-};
 struct apparmor_audit_data {
 	int error;
-	int op;
+	const char *op;
 	int type;
 	void *profile;
 	const char *name;

--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -145,7 +145,7 @@ static inline u16 dfa_map_xindex(u16 mask)
 	dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
 int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
-		  gfp_t gfp, int op, u32 request, const char *name,
+		  gfp_t gfp, const char *op, u32 request, const char *name,
 		  const char *target, kuid_t ouid, const char *info, int error);
 /**
@@ -171,13 +171,14 @@ unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
 			  const char *name, struct path_cond *cond,
 			  struct file_perms *perms);
-int aa_path_perm(int op, struct aa_profile *profile, const struct path *path,
+int aa_path_perm(const char *op, struct aa_profile *profile,
-		 int flags, u32 request, struct path_cond *cond);
+		 const struct path *path, int flags, u32 request,
+		 struct path_cond *cond);
 int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
 		 const struct path *new_dir, struct dentry *new_dentry);
-int aa_file_perm(int op, struct aa_profile *profile, struct file *file,
+int aa_file_perm(const char *op, struct aa_profile *profile, struct file *file,
 		 u32 request);
 static inline void aa_free_file_rules(struct aa_file_rules *rules)

--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -303,6 +303,7 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
 bool policy_view_capable(struct aa_ns *ns);
 bool policy_admin_capable(struct aa_ns *ns);
-int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op);
+int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns,
+			 const char *op);
 #endif /* __AA_POLICY_H */
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -152,7 +152,7 @@ static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
 *
 * Returns: %0 else error code if error or permission denied
 */
-static int common_perm(int op, const struct path *path, u32 mask,
+static int common_perm(const char *op, const struct path *path, u32 mask,
 		       struct path_cond *cond)
 {
 	struct aa_profile *profile;
@@ -175,7 +175,7 @@ static int common_perm(int op, const struct path *path, u32 mask,
 *
 * Returns: %0 else error code if error or permission denied
 */
-static int common_perm_dir_dentry(int op, const struct path *dir,
+static int common_perm_dir_dentry(const char *op, const struct path *dir,
 				  struct dentry *dentry, u32 mask,
 				  struct path_cond *cond)
 {
@@ -192,7 +192,8 @@ static int common_perm_dir_dentry(int op, const struct path *dir,
 *
 * Returns: %0 else error code if error or permission denied
 */
-static inline int common_perm_path(int op, const struct path *path, u32 mask)
+static inline int common_perm_path(const char *op, const struct path *path,
+				   u32 mask)
 {
 	struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
 				  d_backing_inode(path->dentry)->i_mode
@@ -212,7 +213,7 @@ static inline int common_perm_path(int op, const struct path *path, u32 mask)
 *
 * Returns: %0 else error code if error or permission denied
 */
-static int common_perm_rm(int op, const struct path *dir,
+static int common_perm_rm(const char *op, const struct path *dir,
 			  struct dentry *dentry, u32 mask)
 {
 	struct inode *inode = d_backing_inode(dentry);
@@ -237,7 +238,7 @@ static int common_perm_rm(int op, const struct path *dir,
 *
 * Returns: %0 else error code if error or permission denied
 */
-static int common_perm_create(int op, const struct path *dir,
+static int common_perm_create(const char *op, const struct path *dir,
 			      struct dentry *dentry, u32 mask, umode_t mode)
 {
 	struct path_cond cond = { current_fsuid(), mode };
@@ -395,7 +396,7 @@ static void apparmor_file_free_security(struct file *file)
 	aa_free_file_context(ctx);
 }
-static int common_file_perm(int op, struct file *file, u32 mask)
+static int common_file_perm(const char *op, struct file *file, u32 mask)
 {
 	struct aa_file_ctx *fctx = file->f_security;
 	struct aa_profile *profile, *fprofile = aa_cred_profile(file->f_cred);
@@ -438,7 +439,7 @@ static int apparmor_file_lock(struct file *file, unsigned int cmd)
 	return common_file_perm(OP_FLOCK, file, mask);
 }
-static int common_mmap(int op, struct file *file, unsigned long prot,
+static int common_mmap(const char *op, struct file *file, unsigned long prot,
 		       unsigned long flags)
 {
 	int mask = 0;

--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -606,7 +606,7 @@ static void audit_cb(struct audit_buffer *ab, void *va)
 *
 * Returns: the error to be returned after audit is done
 */
-static int audit_policy(struct aa_profile *profile, int op, gfp_t gfp,
+static int audit_policy(struct aa_profile *profile, const char *op, gfp_t gfp,
 			const char *nsname, const char *name,
 			const char *info, int error)
 {
@@ -670,7 +670,8 @@ bool policy_admin_capable(struct aa_ns *ns)
 *
 * Returns: 0 if the task is allowed to manipulate policy else error
 */
-int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op)
+int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns,
+			 const char *op)
 {
 	/* check if loading policy is locked out */
 	if (aa_g_lock_policy)
@@ -819,7 +820,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile,
 	const char *ns_name, *info = NULL;
 	struct aa_ns *ns = NULL;
 	struct aa_load_ent *ent, *tmp;
-	int op = OP_PROF_REPL;
+	const char *op = OP_PROF_REPL;
 	ssize_t count, error;
 	LIST_HEAD(lh);

--- a/security/apparmor/procattr.c
+++ b/security/apparmor/procattr.c
@@ -88,13 +88,13 @@ int aa_getprocattr(struct aa_profile *profile, char **string)
 *
 * Returns: start position of name after token else NULL on failure
 */
-static char *split_token_from_name(int op, char *args, u64 * token)
+static char *split_token_from_name(const char *op, char *args, u64 *token)
 {
 	char *name;
 	*token = simple_strtoull(args, &name, 16);
 	if ((name == args) || *name != '^') {
-		AA_ERROR("%s: Invalid input '%s'", op_table[op], args);
+		AA_ERROR("%s: Invalid input '%s'", op, args);
 		return ERR_PTR(-EINVAL);
 	}