From b9590ad4c4f2fedc364016613f2af74ea7758bea Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Sat, 3 Mar 2018 01:59:02 -0800
Subject: [PATCH] apparmor: remove POLICY_MEDIATES_SAFE

The unpack code now makes sure every profile has a dfa so the safe version of POLICY_MEDIATES is no longer needed.

Signed-off-by: John Johansen
---
 security/apparmor/apparmorfs.c | 2 +-
 security/apparmor/include/policy.h | 12 +-----------
 2 files changed, 2 insertions(+), 12 deletions(-)

diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 10d16e3..701cb3e 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -619,7 +619,7 @@ static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
 tmp = aa_compute_fperms(dfa, state, &cond);
 }
 } else if (profile->policy.dfa) {
- if (!PROFILE_MEDIATES_SAFE(profile, *match_str))
+ if (!PROFILE_MEDIATES(profile, *match_str))
 return; /* no change to current perms */
 dfa = profile->policy.dfa;
 state = aa_dfa_match_len(dfa, profile->policy.start[0],
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index ffe12a2..ab64c6b 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -214,17 +214,7 @@ static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
 return labels_profile(aa_get_newest_label(&p->label));
 }
 
-#define PROFILE_MEDIATES(P, T) ((P)->policy.start[(T)])
-/* safe version of POLICY_MEDIATES for full range input */
-static inline unsigned int PROFILE_MEDIATES_SAFE(struct aa_profile *profile,
- unsigned char class)
-{
- if (profile->policy.dfa)
- return aa_dfa_match_len(profile->policy.dfa,
- profile->policy.start[0], &class, 1);
- return 0;
-}
-
+#define PROFILE_MEDIATES(P, T) ((P)->policy.start[(unsigned char) (T)])
 static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
 u16 AF) {
 unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
-- 
2.7.4
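Review bot: `*match_str` now indexes `profile->policy.start[]` directly in the changed test, and the commit message's guarantee that every profile has a dfa does not bound that index. The removed PROFILE_MEDIATES_SAFE never indexed by the class byte; it walked the dfa from `start[0]`, so any byte value was handled. If `match_str` originates from a userspace query and `start[]` holds fewer than 256 entries (neither is visible in this hunk), a large class byte reads past the array; the same applies to the macro definition changed in policy.h, where the `(unsigned char)` cast only rules out a negative index. A guard such as `if ((unsigned char)*match_str >= ARRAY_SIZE(profile->policy.start)) return;` ahead of the test, or keeping the dfa walk for out-of-range bytes, would close this. profile_query_cb starts and ends outside the hunk.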
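Review bot: The rewritten `PROFILE_MEDIATES` in policy.h loses the only comment that said which variant accepts full-range input, and nothing now states what range `T` may take. A one-line comment above the macro would record the contract, for example `/* T must be a valid index into policy.start[]; the cast only prevents a negative index from a signed char */`. PROFILE_MEDIATES_AF, which follows the macro, is cut off by the end of the hunk.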