apparmor: add cross check permission helper macros
authorJohn Johansen <john.johansen@canonical.com>
Fri, 9 Jun 2017 21:23:09 +0000 (14:23 -0700)
committerJohn Johansen <john.johansen@canonical.com>
Sun, 11 Jun 2017 00:11:41 +0000 (17:11 -0700)
The cross check permission helper macros will help simplify code
that does cross task permission checks like ptrace.

Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/include/perms.h

index 0c5c2b00be02689f23f7a101c187e27dd1a1bc2d..2b27bb79aec4421665aaa6f2a2490868227bed0f 100644 (file)
@@ -92,7 +92,47 @@ struct aa_perms {
 extern struct aa_perms nullperms;
 extern struct aa_perms allperms;
 
-struct aa_profile;
+
+#define xcheck(FN1, FN2)       \
+({                             \
+       int e, error = FN1;     \
+       e = FN2;                \
+       if (e)                  \
+               error = e;      \
+       error;                  \
+})
+
+
+/*
+ * TODO: update for labels pointing to labels instead of profiles
+ * TODO: optimize the walk, currently does subwalk of L2 for each P in L1
+ * gah this doesn't allow for label compound check!!!!
+ */
+#define xcheck_ns_profile_profile(P1, P2, FN, args...)         \
+({                                                             \
+       int ____e = 0;                                          \
+       if (P1->ns == P2->ns)                                   \
+               ____e = FN((P1), (P2), args);                   \
+       (____e);                                                \
+})
+
+#define xcheck_ns_profile_label(P, L, FN, args...)             \
+({                                                             \
+       struct aa_profile *__p2;                                \
+       fn_for_each((L), __p2,                                  \
+                   xcheck_ns_profile_profile((P), __p2, (FN), args));  \
+})
+
+#define xcheck_ns_labels(L1, L2, FN, args...)                  \
+({                                                             \
+       struct aa_profile *__p1;                                \
+       fn_for_each((L1), __p1, FN(__p1, (L2), args));          \
+})
+
+/* Do the cross check but applying FN at the profiles level */
+#define xcheck_labels_profiles(L1, L2, FN, args...)            \
+       xcheck_ns_labels((L1), (L2), xcheck_ns_profile_label, (FN), args)
+
 
 void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask);
 void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask);