[apparmor] [PATCH 4/8] apparmor: use type safe idmapping helpers

John Johansen john.johansen at canonical.com
Tue Oct 25 07:16:02 UTC 2022


On 10/24/22 04:12, Christian Brauner wrote:
> We already ported most parts and filesystems over to the new
> vfs{g,u}id_t type and associated helpers for v6.0. Convert the remaining
> places so we can remove all the old helpers.
> This is a non-functional change.
> 
> Signed-off-by: Christian Brauner (Microsoft) <brauner at kernel.org>

Acked-by: John Johansen <john.johansen at canonical.com>

I have pulled this into my tree

> ---
> 
> Notes:
> 
>   security/apparmor/domain.c |  8 ++++----
>   security/apparmor/file.c   |  4 +++-
>   security/apparmor/lsm.c    | 24 ++++++++++++++++--------
>   3 files changed, 23 insertions(+), 13 deletions(-)
> 
> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> index 91689d34d281..7bafb4c4767c 100644
> --- a/security/apparmor/domain.c
> +++ b/security/apparmor/domain.c
> @@ -859,10 +859,10 @@ int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm)
>   	const char *info = NULL;
>   	int error = 0;
>   	bool unsafe = false;
> -	kuid_t i_uid = i_uid_into_mnt(file_mnt_user_ns(bprm->file),
> -				      file_inode(bprm->file));
> +	vfsuid_t vfsuid = i_uid_into_vfsuid(file_mnt_user_ns(bprm->file),
> +					    file_inode(bprm->file));
>   	struct path_cond cond = {
> -		i_uid,
> +		vfsuid_into_kuid(vfsuid),
>   		file_inode(bprm->file)->i_mode
>   	};
>   
> @@ -970,7 +970,7 @@ int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm)
>   	error = fn_for_each(label, profile,
>   			aa_audit_file(profile, &nullperms, OP_EXEC, MAY_EXEC,
>   				      bprm->filename, NULL, new,
> -				      i_uid, info, error));
> +				      vfsuid_into_kuid(vfsuid), info, error));
>   	aa_put_label(new);
>   	goto done;
>   }
> diff --git a/security/apparmor/file.c b/security/apparmor/file.c
> index e1b7e93602e4..d43679894d23 100644
> --- a/security/apparmor/file.c
> +++ b/security/apparmor/file.c
> @@ -510,8 +510,10 @@ static int __file_path_perm(const char *op, struct aa_label *label,
>   {
>   	struct aa_profile *profile;
>   	struct aa_perms perms = {};
> +	vfsuid_t vfsuid = i_uid_into_vfsuid(file_mnt_user_ns(file),
> +					    file_inode(file));
>   	struct path_cond cond = {
> -		.uid = i_uid_into_mnt(file_mnt_user_ns(file), file_inode(file)),
> +		.uid = vfsuid_into_kuid(vfsuid),
>   		.mode = file_inode(file)->i_mode
>   	};
>   	char *buffer;
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index f56070270c69..cab55e25b4e3 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -225,8 +225,10 @@ static int common_perm(const char *op, const struct path *path, u32 mask,
>   static int common_perm_cond(const char *op, const struct path *path, u32 mask)
>   {
>   	struct user_namespace *mnt_userns = mnt_user_ns(path->mnt);
> +	vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_userns,
> +					    d_backing_inode(path->dentry));
>   	struct path_cond cond = {
> -		i_uid_into_mnt(mnt_userns, d_backing_inode(path->dentry)),
> +		vfsuid_into_kuid(vfsuid),
>   		d_backing_inode(path->dentry)->i_mode
>   	};
>   
> @@ -270,11 +272,12 @@ static int common_perm_rm(const char *op, const struct path *dir,
>   	struct inode *inode = d_backing_inode(dentry);
>   	struct user_namespace *mnt_userns = mnt_user_ns(dir->mnt);
>   	struct path_cond cond = { };
> +	vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_userns, inode);
>   
>   	if (!inode || !path_mediated_fs(dentry))
>   		return 0;
>   
> -	cond.uid = i_uid_into_mnt(mnt_userns, inode);
> +	cond.uid = vfsuid_into_kuid(vfsuid);
>   	cond.mode = inode->i_mode;
>   
>   	return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
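Review bot: The new `vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_userns, inode);` runs in the declaration block, before the `if (!inode || !path_mediated_fs(dentry)) return 0;` guard, so a NULL `inode` from `d_backing_inode(dentry)` is now dereferenced where the old code only read `inode` after the check. Declare the variable uninitialized and compute it after the guard: `vfsuid_t vfsuid;` at the top, then `vfsuid = i_uid_into_vfsuid(mnt_userns, inode);` immediately before `cond.uid = vfsuid_into_kuid(vfsuid);`. common_perm_rm's signature is above the hunk, so the rest of its declarations are not visible here.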
> @@ -368,20 +371,23 @@ static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_d
>   	label = begin_current_label_crit_section();
>   	if (!unconfined(label)) {
>   		struct user_namespace *mnt_userns = mnt_user_ns(old_dir->mnt);
> +		vfsuid_t vfsuid;
>   		struct path old_path = { .mnt = old_dir->mnt,
>   					 .dentry = old_dentry };
>   		struct path new_path = { .mnt = new_dir->mnt,
>   					 .dentry = new_dentry };
>   		struct path_cond cond = {
> -			i_uid_into_mnt(mnt_userns, d_backing_inode(old_dentry)),
> -			d_backing_inode(old_dentry)->i_mode
> +			.mode = d_backing_inode(old_dentry)->i_mode
>   		};
> +		vfsuid = i_uid_into_vfsuid(mnt_userns, d_backing_inode(old_dentry));
> +		cond.uid = vfsuid_into_kuid(vfsuid);
>   
>   		if (flags & RENAME_EXCHANGE) {
>   			struct path_cond cond_exchange = {
> -				i_uid_into_mnt(mnt_userns, d_backing_inode(new_dentry)),
> -				d_backing_inode(new_dentry)->i_mode
> +				.mode = d_backing_inode(new_dentry)->i_mode,
>   			};
> +			vfsuid = i_uid_into_vfsuid(mnt_userns, d_backing_inode(old_dentry));
> +			cond_exchange.uid = vfsuid_into_kuid(vfsuid);
>   
>   			error = aa_path_perm(OP_RENAME_SRC, label, &new_path, 0,
>   					     MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
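Review bot: In the RENAME_EXCHANGE branch, `vfsuid = i_uid_into_vfsuid(mnt_userns, d_backing_inode(old_dentry));` replaces a line that read the uid of `new_dentry`, so `cond_exchange.uid` now carries the owner of the old path while `.mode` on the line above still comes from `d_backing_inode(new_dentry)`. The commit message calls this a non-functional change, but it changes which owner is checked for the exchange target; if `path_cond.uid` feeds owner-qualified rule matching (not visible in this hunk), owner-conditioned rules on exchange renames would be evaluated against the wrong inode. It should be `vfsuid = i_uid_into_vfsuid(mnt_userns, d_backing_inode(new_dentry));`. apparmor_path_rename starts and ends outside the hunk.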
> @@ -447,10 +453,12 @@ static int apparmor_file_open(struct file *file)
>   	if (!unconfined(label)) {
>   		struct user_namespace *mnt_userns = file_mnt_user_ns(file);
>   		struct inode *inode = file_inode(file);
> +		vfsuid_t vfsuid;
>   		struct path_cond cond = {
> -			i_uid_into_mnt(mnt_userns, inode),
> -			inode->i_mode
> +			.mode = inode->i_mode,
>   		};
> +		vfsuid = i_uid_into_vfsuid(mnt_userns, inode);
> +		cond.uid = vfsuid_into_kuid(vfsuid);
>   
>   		error = aa_path_perm(OP_OPEN, label, &file->f_path, 0,
>   				     aa_map_file_to_perms(file), &cond);



