Re: [apparmor] [PATCH 4/8] apparmor: use type safe idmapping helpers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 10/24/22 04:12, Christian Brauner wrote:

We already ported most parts and filesystems over for v6.0 to the new
vfs{g,u}id_t type and associated helpers for v6.0. Convert the remaining
places so we can remove all the old helpers.
This is a non-functional change.

Signed-off-by: Christian Brauner (Microsoft) <brauner@xxxxxxxxxx>


Acked-by: John Johansen <john.johansen@xxxxxxxxxxxxx>

I have pulled this into my tree


---

Notes:

  security/apparmor/domain.c |  8 ++++----
  security/apparmor/file.c   |  4 +++-
  security/apparmor/lsm.c    | 24 ++++++++++++++++--------
  3 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 91689d34d281..7bafb4c4767c 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -859,10 +859,10 @@ int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm)
  	const char *info = NULL;
  	int error = 0;
  	bool unsafe = false;
-	kuid_t i_uid = i_uid_into_mnt(file_mnt_user_ns(bprm->file),
-				      file_inode(bprm->file));
+	vfsuid_t vfsuid = i_uid_into_vfsuid(file_mnt_user_ns(bprm->file),
+					    file_inode(bprm->file));
  	struct path_cond cond = {
-		i_uid,
+		vfsuid_into_kuid(vfsuid),
  		file_inode(bprm->file)->i_mode
  	};
@@ -970,7 +970,7 @@ int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm) 
  	error = fn_for_each(label, profile,
  			aa_audit_file(profile, &nullperms, OP_EXEC, MAY_EXEC,
  				      bprm->filename, NULL, new,
-				      i_uid, info, error));
+				      vfsuid_into_kuid(vfsuid), info, error));
  	aa_put_label(new);
  	goto done;
  }
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index e1b7e93602e4..d43679894d23 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -510,8 +510,10 @@ static int __file_path_perm(const char *op, struct aa_label *label,
  {
  	struct aa_profile *profile;
  	struct aa_perms perms = {};
+	vfsuid_t vfsuid = i_uid_into_vfsuid(file_mnt_user_ns(file),
+					    file_inode(file));
  	struct path_cond cond = {
-		.uid = i_uid_into_mnt(file_mnt_user_ns(file), file_inode(file)),
+		.uid = vfsuid_into_kuid(vfsuid),
  		.mode = file_inode(file)->i_mode
  	};
  	char *buffer;
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index f56070270c69..cab55e25b4e3 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -225,8 +225,10 @@ static int common_perm(const char *op, const struct path *path, u32 mask,
  static int common_perm_cond(const char *op, const struct path *path, u32 mask)
  {
  	struct user_namespace *mnt_userns = mnt_user_ns(path->mnt);
+	vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_userns,
+					    d_backing_inode(path->dentry));
  	struct path_cond cond = {
-		i_uid_into_mnt(mnt_userns, d_backing_inode(path->dentry)),
+		vfsuid_into_kuid(vfsuid),
  		d_backing_inode(path->dentry)->i_mode
  	};
@@ -270,11 +272,12 @@ static int common_perm_rm(const char *op, const struct path *dir, 
  	struct inode *inode = d_backing_inode(dentry);
  	struct user_namespace *mnt_userns = mnt_user_ns(dir->mnt);
  	struct path_cond cond = { };
+	vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_userns, inode);
if (!inode || !path_mediated_fs(dentry)) 
  		return 0;
- cond.uid = i_uid_into_mnt(mnt_userns, inode); 
+	cond.uid = vfsuid_into_kuid(vfsuid);
  	cond.mode = inode->i_mode;
return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 
@@ -368,20 +371,23 @@ static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_d
  	label = begin_current_label_crit_section();
  	if (!unconfined(label)) {
  		struct user_namespace *mnt_userns = mnt_user_ns(old_dir->mnt);
+		vfsuid_t vfsuid;
  		struct path old_path = { .mnt = old_dir->mnt,
  					 .dentry = old_dentry };
  		struct path new_path = { .mnt = new_dir->mnt,
  					 .dentry = new_dentry };
  		struct path_cond cond = {
-			i_uid_into_mnt(mnt_userns, d_backing_inode(old_dentry)),
-			d_backing_inode(old_dentry)->i_mode
+			.mode = d_backing_inode(old_dentry)->i_mode
  		};
+		vfsuid = i_uid_into_vfsuid(mnt_userns, d_backing_inode(old_dentry));
+		cond.uid = vfsuid_into_kuid(vfsuid);
if (flags & RENAME_EXCHANGE) { 
  			struct path_cond cond_exchange = {
-				i_uid_into_mnt(mnt_userns, d_backing_inode(new_dentry)),
-				d_backing_inode(new_dentry)->i_mode
+				.mode = d_backing_inode(new_dentry)->i_mode,
  			};
+			vfsuid = i_uid_into_vfsuid(mnt_userns, d_backing_inode(old_dentry));
+			cond_exchange.uid = vfsuid_into_kuid(vfsuid);
error = aa_path_perm(OP_RENAME_SRC, label, &new_path, 0, 
  					     MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
@@ -447,10 +453,12 @@ static int apparmor_file_open(struct file *file)
  	if (!unconfined(label)) {
  		struct user_namespace *mnt_userns = file_mnt_user_ns(file);
  		struct inode *inode = file_inode(file);
+		vfsuid_t vfsuid;
  		struct path_cond cond = {
-			i_uid_into_mnt(mnt_userns, inode),
-			inode->i_mode
+			.mode = inode->i_mode,
  		};
+		vfsuid = i_uid_into_vfsuid(mnt_userns, inode);
+		cond.uid = vfsuid_into_kuid(vfsuid);
error = aa_path_perm(OP_OPEN, label, &file->f_path, 0, 
  				     aa_map_file_to_perms(file), &cond);
[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux