[RFC,01/10] AppArmor: Abstract the cred security blob

Message ID 3bee601f-8f4b-58e6-f516-67c60a59ef46@schaufler-ca.com
State New

Commit Message

Casey Schaufler July 11, 2016, 7:29 p.m. UTC
Subject: [PATCH RFC 01/10] AppArmor: Abstract the cred security blob

Abstract reads of the credential security blob behind an accessor.
Stop using the abstraction for writes of the credential security blob.
There is no change in the behavior of the code.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 security/apparmor/include/context.h | 10 ++++++++--
 security/apparmor/lsm.c             | 15 +++++++++------
 2 files changed, 17 insertions(+), 8 deletions(-)




diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index 6bf6579..07fb7a1 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -18,10 +18,11 @@ 
 #include <linux/cred.h>
 #include <linux/slab.h>
 #include <linux/sched.h>
+#include <linux/lsm_hooks.h>
 
 #include "policy.h"
 
-#define cred_cxt(X) (X)->security
+#define cred_cxt(X) apparmor_cred(X)
 #define current_cxt() cred_cxt(current_cred())
 
 /* struct aa_file_cxt - the AppArmor context the file was opened in
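Review bot: `cred_cxt(X)` now expands to a function call and so is no longer assignable, which turns a read/write macro into a read-only accessor without the header saying so; any file other than lsm.c that still assigns through `cred_cxt()` would stop compiling (none is visible in this patch). A one-line comment above the macro, `/* read-only accessor; writes go to cred->security directly, see lsm.c */`, would make the new contract explicit at the point of definition. The added `#include <linux/lsm_hooks.h>` is not used by anything in this patch — apparmor_cred() only dereferences struct cred — so presumably it serves a later patch in the series; if so it is easier to review there.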
@@ -85,6 +86,10 @@  int aa_set_current_hat(struct aa_profile *profile, u64 token);
 int aa_restore_previous_profile(u64 cookie);
 struct aa_profile *aa_get_task_profile(struct task_struct *task);
 
+static inline struct aa_task_cxt *apparmor_cred(const struct cred *cred)
+{
+	return cred->security;
+}
 
 /**
  * aa_cred_profile - obtain cred's profiles
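Review bot: apparmor_cred() is added without a kernel-doc block while its neighbour aa_cred_profile() has one. A short block in the same style, saying that it returns the aa_task_cxt stored in @cred->security and that the result may be NULL (apparmor_cred_free() clears the field, and aa_cred_profile() BUG_ONs on a NULL context), would tell callers which of the two helpers they want. Keeping the two functions adjacent as done here is good; the doc block is the only thing missing.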
@@ -96,7 +101,8 @@  struct aa_profile *aa_get_task_profile(struct task_struct *task);
  */
 static inline struct aa_profile *aa_cred_profile(const struct cred *cred)
 {
-	struct aa_task_cxt *cxt = cred_cxt(cred);
+	struct aa_task_cxt *cxt = apparmor_cred(cred);
+
 	BUG_ON(!cxt || !cxt->profile);
 	return cxt->profile;
 }
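Review bot: aa_cred_profile() switches to calling apparmor_cred() directly while lsm.c keeps using cred_cxt() for its reads (apparmor_cred_free, apparmor_cred_prepare), so the patch leaves two spellings of the same read in flight. Since `cred_cxt(X)` now expands to exactly `apparmor_cred(X)` the two are identical and this is only a style point, but using one spelling throughout avoids suggesting a difference that does not exist.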
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 5cac15f..1c022ec 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -49,7 +49,7 @@  int apparmor_initialized __initdata;
 static void apparmor_cred_free(struct cred *cred)
 {
 	aa_free_task_context(cred_cxt(cred));
-	cred_cxt(cred) = NULL;
+	cred->security = NULL;
 }
 
 /*
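Review bot: apparmor_cred_free() now reads the blob through cred_cxt() and clears it one line later with a raw `cred->security = NULL`, and the same read-via-accessor/write-via-field split recurs in apparmor_cred_alloc_blank(), apparmor_cred_prepare() and set_init_cxt() further down. That is what the commit message asks for, but nothing in the code says why writes bypass the accessor, and these four raw stores are the places any later change to how the blob is located will have to touch; a comment at this first one, `/* cred_cxt() is read-only; the blob pointer is stored directly */`, would record the intent.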
@@ -62,7 +62,7 @@  static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
 	if (!cxt)
 		return -ENOMEM;
 
-	cred_cxt(cred) = cxt;
+	cred->security = cxt;
 	return 0;
 }
 
@@ -72,13 +72,14 @@  static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
 static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
 				 gfp_t gfp)
 {
+	struct aa_task_cxt *cxt;
 	/* freed by apparmor_cred_free */
-	struct aa_task_cxt *cxt = aa_alloc_task_context(gfp);
+	cxt = aa_alloc_task_context(gfp);
 	if (!cxt)
 		return -ENOMEM;
 
 	aa_dup_task_context(cxt, cred_cxt(old));
-	cred_cxt(new) = cxt;
+	new->security = cxt;
 	return 0;
 }
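Review bot: splitting `struct aa_task_cxt *cxt;` from its initialisation gains nothing in apparmor_cred_prepare() and leaves the declaration without the blank line kernel style expects before the first statement, with the `/* freed by apparmor_cred_free */` comment now wedged between declaration and assignment. Either keep the original one-liner `struct aa_task_cxt *cxt = aa_alloc_task_context(gfp);` or put a blank line after the declaration so the comment sits on the allocation it describes. If the split is preparing for a later patch, saying so in the commit message would help.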
 
@@ -880,7 +881,7 @@  static int __init set_init_cxt(void)
 		return -ENOMEM;
 
 	cxt->profile = aa_get_profile(root_ns->unconfined);
-	cred_cxt(cred) = cxt;
+	cred->security = cxt;
 
 	return 0;
 }
@@ -890,11 +891,13 @@  static int __init apparmor_init(void)
 	int error;
 
 	if (!apparmor_enabled || !security_module_enable("apparmor")) {
-		aa_info_message("AppArmor disabled by boot time parameter");
+		aa_info_message(
+			"AppArmor disabled by boot time parameter");
 		apparmor_enabled = 0;
 		return 0;
 	}
 
+
 	error = aa_alloc_root_ns();
 	if (error) {
 		AA_ERROR("Unable to allocate default profile namespace\n");
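Review bot: the blank line added after the closing brace of the `if` produces two consecutive blank lines before `error = aa_alloc_root_ns();`, and the reflow of the aa_info_message() call changes no behaviour and is unrelated to the patch subject; both would be flagged by checkpatch and are easier to review as a separate cleanup. Dropping the added blank line and leaving the aa_info_message() line as it was keeps this hunk to the blob change. apparmor_init() continues past the end of the hunk.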