[apparmor] [PATCH 5/7] Refactor query_label into a base raw fn, and fn built on, top
John Johansen
john.johansen at canonical.com
Fri Feb 10 20:52:53 UTC 2017
dconf needs the raw perms, not the boolean allowed/audited provided
by query_label.
Split query_label into a base query_label_raw fn and make query_label
a wrapper of the raw fn.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
libraries/libapparmor/src/kernel.c | 57 +++++++++++++++++++++++++++-----------
1 file changed, 41 insertions(+), 16 deletions(-)
diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
index 349290d..c504c9d 100644
--- a/libraries/libapparmor/src/kernel.c
+++ b/libraries/libapparmor/src/kernel.c
@@ -888,31 +888,26 @@ int aa_query_cmd(const char *cmd, size_t cmd_size, char *query, size_t size,
/* "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n" */
#define QUERY_LABEL_REPLY_LEN 67
+typedef struct {
+ uint32_t allow, deny, audit, quiet;
+} aa_perms_t;
+
/**
* aa_query_label - query the access(es) of a label
* @mask: permission bits to query
* @query: binary query string, must be offset by AA_QUERY_CMD_LABEL_SIZE
* @size: size of the query string must include AA_QUERY_CMD_LABEL_SIZE
- * @allowed: upon successful return, will be 1 if query is allowed and 0 if not
- * @audited: upon successful return, will be 1 if query should be audited and 0
- * if not
+ * @perms: Return: perms for given query
*
* Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
* ENOENT, the subject label in the query string is unknown to the
* kernel.
*/
-int query_label(uint32_t mask, char *query, size_t size, int *allowed,
- int *audited)
+static int query_label_raw(char *query, size_t size, aa_perms_t *perms)
{
char buf[QUERY_LABEL_REPLY_LEN];
- uint32_t allow, deny, audit, quiet;
int ret;
- if (!mask) {
- errno = EINVAL;
- return -1;
- }
-
ret = aa_query_cmd(AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE, query,
size, buf, QUERY_LABEL_REPLY_LEN);
if (ret != QUERY_LABEL_REPLY_LEN) {
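Review bot: The kernel-doc block kept above the new static query_label_raw() still names `aa_query_label` and documents `@mask`, but the function no longer takes a mask (it is consumed by the wrapper in the next hunk), so the header now describes a parameter that does not exist. Retitle it `query_label_raw - query the raw perms of a label`, drop the `@mask:` line, and make the perms line concrete, e.g. `@perms: upon successful return, filled with the allow/deny/audit/quiet perms parsed from the kernel reply`. The body of query_label_raw continues past this hunk (the sscanf of the reply is in the following one).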
@@ -924,16 +919,46 @@ int query_label(uint32_t mask, char *query, size_t size, int *allowed,
"deny 0x%8" SCNx32 "\n"
"audit 0x%8" SCNx32 "\n"
"quiet 0x%8" SCNx32 "\n",
- &allow, &deny, &audit, &quiet);
+ &perms->allow, &perms->deny, &perms->audit, &perms->quiet);
if (ret != 4) {
errno = EPROTONOSUPPORT;
return -1;
}
- *allowed = mask & ~(allow & ~deny) ? 0 : 1;
- if (!(*allowed))
- audit = 0xFFFFFFFF;
- *audited = mask & ~(audit & ~quiet) ? 0 : 1;
+ return 0;
+}
+
+/**
+ * aa_query_label - query the access(es) of a label
+ * @mask: permission bits to query
+ * @query: binary query string, must be offset by AA_QUERY_CMD_LABEL_SIZE
+ * @size: size of the query string must include AA_QUERY_CMD_LABEL_SIZE
+ * @allowed: upon successful return, will be 1 if query is allowed and 0 if not
+ * @audited: upon successful return, will be 1 if query should be audited and 0
+ * if not
+ *
+ * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is
+ * ENOENT, the subject label in the query string is unknown to the
+ * kernel.
+ */
+int query_label(uint32_t mask, char *query, size_t size, int *allowed,
+ int *audited)
+{
+ aa_perms_t perms;
+ int ret;
+
+ if (!mask) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ ret = query_label_raw(query, size, &perms);
+ if (ret == 0) {
+ *allowed = mask & ~(perms.allow & ~perms.deny) ? 0 : 1;
+ if (!(*allowed))
+ perms.audit = 0xFFFFFFFF;
+ *audited = mask & ~(perms.audit & ~perms.quiet) ? 0 : 1;
+ }
return 0;
}
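Review bot: The rewritten query_label() ends with `return 0;` regardless of what query_label_raw() returned, so when the raw query fails (ret != 0) the caller is told the query succeeded while `*allowed` and `*audited` are left uninitialized; before this patch the -1/errno from the query path (including the documented ENOENT for an unknown label) reached the caller. The last line should be `return ret;` so the error and errno propagate unchanged. It may also be worth stating in the kernel-doc that `*allowed` and `*audited` are only written on success, since the wrapper now skips them on error.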
--
2.9.3