apparmor: use type safe idmapping helpers

We already ported most parts and filesystems over for v6.0 to the new
vfs{g,u}id_t type and associated helpers for v6.0. Convert the remaining
places so we can remove all the old helpers.
This is a non-functional change.

Reviewed-by: Seth Forshee (DigitalOcean) <sforshee@kernel.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 91689d3..7bafb4c 100644 (file)
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -859,10 +859,10 @@ int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm)
        const char *info = NULL;
        int error = 0;
        bool unsafe = false;
-       kuid_t i_uid = i_uid_into_mnt(file_mnt_user_ns(bprm->file),
-                                     file_inode(bprm->file));
+       vfsuid_t vfsuid = i_uid_into_vfsuid(file_mnt_user_ns(bprm->file),
+                                           file_inode(bprm->file));
        struct path_cond cond = {
-               i_uid,
+               vfsuid_into_kuid(vfsuid),
                file_inode(bprm->file)->i_mode
        };
 
@@ -970,7 +970,7 @@ audit:
        error = fn_for_each(label, profile,
                        aa_audit_file(profile, &nullperms, OP_EXEC, MAY_EXEC,
                                      bprm->filename, NULL, new,
-                                     i_uid, info, error));
+                                     vfsuid_into_kuid(vfsuid), info, error));
        aa_put_label(new);
        goto done;
 }

diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index e1b7e93..d436798 100644 (file)
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -510,8 +510,10 @@ static int __file_path_perm(const char *op, struct aa_label *label,
 {
        struct aa_profile *profile;
        struct aa_perms perms = {};
+       vfsuid_t vfsuid = i_uid_into_vfsuid(file_mnt_user_ns(file),
+                                           file_inode(file));
        struct path_cond cond = {
-               .uid = i_uid_into_mnt(file_mnt_user_ns(file), file_inode(file)),
+               .uid = vfsuid_into_kuid(vfsuid),
                .mode = file_inode(file)->i_mode
        };
        char *buffer;

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index f560702..f34675f 100644 (file)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -225,8 +225,10 @@ static int common_perm(const char *op, const struct path *path, u32 mask,
 static int common_perm_cond(const char *op, const struct path *path, u32 mask)
 {
        struct user_namespace *mnt_userns = mnt_user_ns(path->mnt);
+       vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_userns,
+                                           d_backing_inode(path->dentry));
        struct path_cond cond = {
-               i_uid_into_mnt(mnt_userns, d_backing_inode(path->dentry)),
+               vfsuid_into_kuid(vfsuid),
                d_backing_inode(path->dentry)->i_mode
        };
 
@@ -270,11 +272,13 @@ static int common_perm_rm(const char *op, const struct path *dir,
        struct inode *inode = d_backing_inode(dentry);
        struct user_namespace *mnt_userns = mnt_user_ns(dir->mnt);
        struct path_cond cond = { };
+       vfsuid_t vfsuid;
 
        if (!inode || !path_mediated_fs(dentry))
                return 0;
 
-       cond.uid = i_uid_into_mnt(mnt_userns, inode);
+       vfsuid = i_uid_into_vfsuid(mnt_userns, inode);
+       cond.uid = vfsuid_into_kuid(vfsuid);
        cond.mode = inode->i_mode;
 
        return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
@@ -368,20 +372,23 @@ static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_d
        label = begin_current_label_crit_section();
        if (!unconfined(label)) {
                struct user_namespace *mnt_userns = mnt_user_ns(old_dir->mnt);
+               vfsuid_t vfsuid;
                struct path old_path = { .mnt = old_dir->mnt,
                                         .dentry = old_dentry };
                struct path new_path = { .mnt = new_dir->mnt,
                                         .dentry = new_dentry };
                struct path_cond cond = {
-                       i_uid_into_mnt(mnt_userns, d_backing_inode(old_dentry)),
-                       d_backing_inode(old_dentry)->i_mode
+                       .mode = d_backing_inode(old_dentry)->i_mode
                };
+               vfsuid = i_uid_into_vfsuid(mnt_userns, d_backing_inode(old_dentry));
+               cond.uid = vfsuid_into_kuid(vfsuid);
 
                if (flags & RENAME_EXCHANGE) {
                        struct path_cond cond_exchange = {
-                               i_uid_into_mnt(mnt_userns, d_backing_inode(new_dentry)),
-                               d_backing_inode(new_dentry)->i_mode
+                               .mode = d_backing_inode(new_dentry)->i_mode,
                        };
+                       vfsuid = i_uid_into_vfsuid(mnt_userns, d_backing_inode(old_dentry));
+                       cond_exchange.uid = vfsuid_into_kuid(vfsuid);
 
                        error = aa_path_perm(OP_RENAME_SRC, label, &new_path, 0,
                                             MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
@@ -447,10 +454,12 @@ static int apparmor_file_open(struct file *file)
        if (!unconfined(label)) {
                struct user_namespace *mnt_userns = file_mnt_user_ns(file);
                struct inode *inode = file_inode(file);
+               vfsuid_t vfsuid;
                struct path_cond cond = {
-                       i_uid_into_mnt(mnt_userns, inode),
-                       inode->i_mode
+                       .mode = inode->i_mode,
                };
+               vfsuid = i_uid_into_vfsuid(mnt_userns, inode);
+               cond.uid = vfsuid_into_kuid(vfsuid);
 
                error = aa_path_perm(OP_OPEN, label, &file->f_path, 0,
                                     aa_map_file_to_perms(file), &cond);