AppArmor: Abstract use of cred security blob

Don't use the cred->security pointer directly.
Provide a helper function that provides the security blob pointer.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
[kees: adjusted for ordered init series]
Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
Casey Schaufler 2018-09-21 17:17:59 -07:00 коммит произвёл Kees Cook
Родитель 3d25252948
Коммит 69b5a44a95
4 изменённых файлов: 24 добавлений и 10 удалений

Просмотреть файл

@ -975,7 +975,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
} }
aa_put_label(cred_label(bprm->cred)); aa_put_label(cred_label(bprm->cred));
/* transfer reference, released when cred is freed */ /* transfer reference, released when cred is freed */
cred_label(bprm->cred) = new; set_cred_label(bprm->cred, new);
done: done:
aa_put_label(label); aa_put_label(label);

Просмотреть файл

@ -23,8 +23,22 @@
#include "policy_ns.h" #include "policy_ns.h"
#include "task.h" #include "task.h"
#define cred_label(X) ((X)->security) static inline struct aa_label *cred_label(const struct cred *cred)
{
struct aa_label **blob = cred->security;
AA_BUG(!blob);
return *blob;
}
static inline void set_cred_label(const struct cred *cred,
struct aa_label *label)
{
struct aa_label **blob = cred->security;
AA_BUG(!blob);
*blob = label;
}
/** /**
* aa_cred_raw_label - obtain cred's label * aa_cred_raw_label - obtain cred's label

Просмотреть файл

@ -60,7 +60,7 @@ DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
static void apparmor_cred_free(struct cred *cred) static void apparmor_cred_free(struct cred *cred)
{ {
aa_put_label(cred_label(cred)); aa_put_label(cred_label(cred));
cred_label(cred) = NULL; set_cred_label(cred, NULL);
} }
/* /*
@ -68,7 +68,7 @@ static void apparmor_cred_free(struct cred *cred)
*/ */
static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{ {
cred_label(cred) = NULL; set_cred_label(cred, NULL);
return 0; return 0;
} }
@ -78,7 +78,7 @@ static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
static int apparmor_cred_prepare(struct cred *new, const struct cred *old, static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
gfp_t gfp) gfp_t gfp)
{ {
cred_label(new) = aa_get_newest_label(cred_label(old)); set_cred_label(new, aa_get_newest_label(cred_label(old)));
return 0; return 0;
} }
@ -87,7 +87,7 @@ static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
*/ */
static void apparmor_cred_transfer(struct cred *new, const struct cred *old) static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
{ {
cred_label(new) = aa_get_newest_label(cred_label(old)); set_cred_label(new, aa_get_newest_label(cred_label(old)));
} }
static void apparmor_task_free(struct task_struct *task) static void apparmor_task_free(struct task_struct *task)
@ -1485,7 +1485,7 @@ static int __init set_init_ctx(void)
if (!ctx) if (!ctx)
return -ENOMEM; return -ENOMEM;
cred_label(cred) = aa_get_label(ns_unconfined(root_ns)); set_cred_label(cred, aa_get_label(ns_unconfined(root_ns)));
task_ctx(current) = ctx; task_ctx(current) = ctx;
return 0; return 0;

Просмотреть файл

@ -81,7 +81,7 @@ int aa_replace_current_label(struct aa_label *label)
*/ */
aa_get_label(label); aa_get_label(label);
aa_put_label(cred_label(new)); aa_put_label(cred_label(new));
cred_label(new) = label; set_cred_label(new, label);
commit_creds(new); commit_creds(new);
return 0; return 0;
@ -138,7 +138,7 @@ int aa_set_current_hat(struct aa_label *label, u64 token)
return -EACCES; return -EACCES;
} }
cred_label(new) = aa_get_newest_label(label); set_cred_label(new, aa_get_newest_label(label));
/* clear exec on switching context */ /* clear exec on switching context */
aa_put_label(ctx->onexec); aa_put_label(ctx->onexec);
ctx->onexec = NULL; ctx->onexec = NULL;
@ -172,7 +172,7 @@ int aa_restore_previous_label(u64 token)
return -ENOMEM; return -ENOMEM;
aa_put_label(cred_label(new)); aa_put_label(cred_label(new));
cred_label(new) = aa_get_newest_label(ctx->previous); set_cred_label(new, aa_get_newest_label(ctx->previous));
AA_BUG(!cred_label(new)); AA_BUG(!cred_label(new));
/* clear exec && prev information when restoring to previous context */ /* clear exec && prev information when restoring to previous context */
aa_clear_task_ctx_trans(ctx); aa_clear_task_ctx_trans(ctx);