Commit 47f6e5cc authored by John Johansen

apparmor: change op from int to const char *

Having ops be an integer that is an index into an op name table is
awkward and brittle. Every op change requires an edit for both the
op constant and a string in the table. Instead switch to using const
strings directly, eliminating the need for the table that needs to
be kept in sync.
Signed-off-by: John Johansen <john.johansen@canonical.com>
parent 55a26ebf
...@@ -85,7 +85,7 @@ static int mangle_name(const char *name, char *target) ...@@ -85,7 +85,7 @@ static int mangle_name(const char *name, char *target)
* Returns: kernel buffer containing copy of user buffer data or an * Returns: kernel buffer containing copy of user buffer data or an
* ERR_PTR on failure. * ERR_PTR on failure.
*/ */
static struct aa_loaddata *aa_simple_write_to_buffer(int op, static struct aa_loaddata *aa_simple_write_to_buffer(const char *op,
const char __user *userbuf, const char __user *userbuf,
size_t alloc_size, size_t alloc_size,
size_t copy_size, size_t copy_size,
...@@ -122,7 +122,7 @@ static ssize_t policy_update(int binop, const char __user *buf, size_t size, ...@@ -122,7 +122,7 @@ static ssize_t policy_update(int binop, const char __user *buf, size_t size,
ssize_t error; ssize_t error;
struct aa_loaddata *data; struct aa_loaddata *data;
struct aa_profile *profile = aa_current_profile(); struct aa_profile *profile = aa_current_profile();
int op = binop == PROF_ADD ? OP_PROF_LOAD : OP_PROF_REPL; const char *op = binop == PROF_ADD ? OP_PROF_LOAD : OP_PROF_REPL;
/* high level check about policy management - fine grained in /* high level check about policy management - fine grained in
* below after unpack * below after unpack
*/ */
......
...@@ -20,59 +20,6 @@ ...@@ -20,59 +20,6 @@
#include "include/policy.h" #include "include/policy.h"
#include "include/policy_ns.h" #include "include/policy_ns.h"
const char *const op_table[] = {
"null",
"sysctl",
"capable",
"unlink",
"mkdir",
"rmdir",
"mknod",
"truncate",
"link",
"symlink",
"rename_src",
"rename_dest",
"chmod",
"chown",
"getattr",
"open",
"file_perm",
"file_lock",
"file_mmap",
"file_mprotect",
"create",
"post_create",
"bind",
"connect",
"listen",
"accept",
"sendmsg",
"recvmsg",
"getsockname",
"getpeername",
"getsockopt",
"setsockopt",
"socket_shutdown",
"ptrace",
"exec",
"change_hat",
"change_profile",
"change_onexec",
"setprocattr",
"setrlimit",
"profile_replace",
"profile_load",
"profile_remove"
};
const char *const audit_mode_names[] = { const char *const audit_mode_names[] = {
"normal", "normal",
...@@ -120,7 +67,7 @@ static void audit_pre(struct audit_buffer *ab, void *ca) ...@@ -120,7 +67,7 @@ static void audit_pre(struct audit_buffer *ab, void *ca)
if (sa->aad->op) { if (sa->aad->op) {
audit_log_format(ab, " operation="); audit_log_format(ab, " operation=");
audit_log_string(ab, op_table[sa->aad->op]); audit_log_string(ab, sa->aad->op);
} }
if (sa->aad->info) { if (sa->aad->info) {
......
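Review bot: `audit_log_string(ab, sa->aad->op)` now emits whatever `op` points at, whereas the old `op_table[sa->aad->op]` lookup could only ever yield one of the fixed table strings; nothing on the struct states that `op` must point at static, compile-time text, and a caller that stored a buffer-derived string would get it into the audit record verbatim (audit_log_string quotes the value, escaping of untrusted content is what audit_log_untrustedstring is for). Every OP_* value this commit introduces is a literal, so the change is safe as written, but the contract should be recorded next to the field in struct apparmor_audit_data, e.g. `const char *op;	/* OP_* literal, emitted as operation=; never owned, never user-derived */`. The `if (sa->aad->op)` guard keeps working because the new header defines OP_NULL as NULL. audit_pre's body continues outside the hunk.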
...@@ -750,8 +750,8 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, ...@@ -750,8 +750,8 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
struct aa_profile *profile, *target = NULL; struct aa_profile *profile, *target = NULL;
struct aa_ns *ns = NULL; struct aa_ns *ns = NULL;
struct file_perms perms = {}; struct file_perms perms = {};
const char *name = NULL, *info = NULL; const char *name = NULL, *info = NULL, *op;
int op, error = 0; int error = 0;
u32 request; u32 request;
if (!hname && !ns_name) if (!hname && !ns_name)
......
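Review bot: `*op` at `const char *name = NULL, *info = NULL, *op;` is the only declarator on that line left without an initializer; if any path in aa_change_profile can reach the audit call before `op` is assigned, audit_pre would now pass an indeterminate pointer to audit_log_string, where the old int at worst indexed the table out of range. The assignments to `op` are outside the hunk, so this may already be fully covered; if so, initializing it anyway, `*info = NULL, *op = OP_NULL;`, costs nothing and makes the declaration uniform. aa_change_profile's body continues outside the hunk.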
...@@ -104,7 +104,7 @@ static void file_audit_cb(struct audit_buffer *ab, void *va) ...@@ -104,7 +104,7 @@ static void file_audit_cb(struct audit_buffer *ab, void *va)
* Returns: %0 or error on failure * Returns: %0 or error on failure
*/ */
int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
gfp_t gfp, int op, u32 request, const char *name, gfp_t gfp, const char *op, u32 request, const char *name,
const char *target, kuid_t ouid, const char *info, int error) const char *target, kuid_t ouid, const char *info, int error)
{ {
int type = AUDIT_APPARMOR_AUTO; int type = AUDIT_APPARMOR_AUTO;
...@@ -276,8 +276,9 @@ static inline bool is_deleted(struct dentry *dentry) ...@@ -276,8 +276,9 @@ static inline bool is_deleted(struct dentry *dentry)
* *
* Returns: %0 else error if access denied or other error * Returns: %0 else error if access denied or other error
*/ */
int aa_path_perm(int op, struct aa_profile *profile, const struct path *path, int aa_path_perm(const char *op, struct aa_profile *profile,
int flags, u32 request, struct path_cond *cond) const struct path *path, int flags, u32 request,
struct path_cond *cond)
{ {
char *buffer = NULL; char *buffer = NULL;
struct file_perms perms = {}; struct file_perms perms = {};
...@@ -446,7 +447,7 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry, ...@@ -446,7 +447,7 @@ int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
* *
* Returns: %0 if access allowed else error * Returns: %0 if access allowed else error
*/ */
int aa_file_perm(int op, struct aa_profile *profile, struct file *file, int aa_file_perm(const char *op, struct aa_profile *profile, struct file *file,
u32 request) u32 request)
{ {
struct path_cond cond = { struct path_cond cond = {
......
...@@ -46,65 +46,63 @@ enum audit_type { ...@@ -46,65 +46,63 @@ enum audit_type {
AUDIT_APPARMOR_AUTO AUDIT_APPARMOR_AUTO
}; };
extern const char *const op_table[]; #define OP_NULL NULL
enum aa_ops {
OP_NULL, #define OP_SYSCTL "sysctl"
#define OP_CAPABLE "capable"
OP_SYSCTL,
OP_CAPABLE, #define OP_UNLINK "unlink"
#define OP_MKDIR "mkdir"
OP_UNLINK, #define OP_RMDIR "rmdir"
OP_MKDIR, #define OP_MKNOD "mknod"
OP_RMDIR, #define OP_TRUNC "truncate"
OP_MKNOD, #define OP_LINK "link"
OP_TRUNC, #define OP_SYMLINK "symlink"
OP_LINK, #define OP_RENAME_SRC "rename_src"
OP_SYMLINK, #define OP_RENAME_DEST "rename_dest"
OP_RENAME_SRC, #define OP_CHMOD "chmod"
OP_RENAME_DEST, #define OP_CHOWN "chown"
OP_CHMOD, #define OP_GETATTR "getattr"
OP_CHOWN, #define OP_OPEN "open"
OP_GETATTR,
OP_OPEN, #define OP_FPERM "file_perm"
#define OP_FLOCK "file_lock"
OP_FPERM, #define OP_FMMAP "file_mmap"
OP_FLOCK, #define OP_FMPROT "file_mprotect"
OP_FMMAP,
OP_FMPROT, #define OP_CREATE "create"
#define OP_POST_CREATE "post_create"
OP_CREATE, #define OP_BIND "bind"
OP_POST_CREATE, #define OP_CONNECT "connect"
OP_BIND, #define OP_LISTEN "listen"
OP_CONNECT, #define OP_ACCEPT "accept"
OP_LISTEN, #define OP_SENDMSG "sendmsg"
OP_ACCEPT, #define OP_RECVMSG "recvmsg"
OP_SENDMSG, #define OP_GETSOCKNAME "getsockname"
OP_RECVMSG, #define OP_GETPEERNAME "getpeername"
OP_GETSOCKNAME, #define OP_GETSOCKOPT "getsockopt"
OP_GETPEERNAME, #define OP_SETSOCKOPT "setsockopt"
OP_GETSOCKOPT, #define OP_SHUTDOWN "socket_shutdown"
OP_SETSOCKOPT,
OP_SOCK_SHUTDOWN, #define OP_PTRACE "ptrace"
OP_PTRACE, #define OP_EXEC "exec"
OP_EXEC, #define OP_CHANGE_HAT "change_hat"
OP_CHANGE_HAT, #define OP_CHANGE_PROFILE "change_profile"
OP_CHANGE_PROFILE, #define OP_CHANGE_ONEXEC "change_onexec"
OP_CHANGE_ONEXEC,
#define OP_SETPROCATTR "setprocattr"
OP_SETPROCATTR, #define OP_SETRLIMIT "setrlimit"
OP_SETRLIMIT,
#define OP_PROF_REPL "profile_replace"
OP_PROF_REPL, #define OP_PROF_LOAD "profile_load"
OP_PROF_LOAD, #define OP_PROF_RM "profile_remove"
OP_PROF_RM,
};
struct apparmor_audit_data { struct apparmor_audit_data {
int error; int error;
int op; const char *op;
int type; int type;
void *profile; void *profile;
const char *name; const char *name;
......
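Review bot: The socket-shutdown constant is renamed in passing: `OP_SOCK_SHUTDOWN` in the removed enum becomes `#define OP_SHUTDOWN "socket_shutdown"`, which is unrelated to the int-to-string conversion and will break any user of the old spelling at compile time; either keep the old name or call the rename out in the commit message. Because OP_* are now string literals rather than enumerators, two expansions of the same macro are not guaranteed to share one address across translation units, so any op comparison must use strcmp() rather than `==`; none is visible in this commit, but a comment above the defines would prevent one being written, e.g. `/* audit operation names (emitted as operation=); compare by content, never by pointer */`. `#define OP_NULL NULL` keeps the `if (aad->op)` checks in the audit callbacks meaningful.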
...@@ -145,7 +145,7 @@ static inline u16 dfa_map_xindex(u16 mask) ...@@ -145,7 +145,7 @@ static inline u16 dfa_map_xindex(u16 mask)
dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff) dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
gfp_t gfp, int op, u32 request, const char *name, gfp_t gfp, const char *op, u32 request, const char *name,
const char *target, kuid_t ouid, const char *info, int error); const char *target, kuid_t ouid, const char *info, int error);
/** /**
...@@ -171,13 +171,14 @@ unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start, ...@@ -171,13 +171,14 @@ unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
const char *name, struct path_cond *cond, const char *name, struct path_cond *cond,
struct file_perms *perms); struct file_perms *perms);
int aa_path_perm(int op, struct aa_profile *profile, const struct path *path, int aa_path_perm(const char *op, struct aa_profile *profile,
int flags, u32 request, struct path_cond *cond); const struct path *path, int flags, u32 request,
struct path_cond *cond);
int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry, int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
const struct path *new_dir, struct dentry *new_dentry); const struct path *new_dir, struct dentry *new_dentry);
int aa_file_perm(int op, struct aa_profile *profile, struct file *file, int aa_file_perm(const char *op, struct aa_profile *profile, struct file *file,
u32 request); u32 request);
static inline void aa_free_file_rules(struct aa_file_rules *rules) static inline void aa_free_file_rules(struct aa_file_rules *rules)
......
...@@ -303,6 +303,7 @@ static inline int AUDIT_MODE(struct aa_profile *profile) ...@@ -303,6 +303,7 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
bool policy_view_capable(struct aa_ns *ns); bool policy_view_capable(struct aa_ns *ns);
bool policy_admin_capable(struct aa_ns *ns); bool policy_admin_capable(struct aa_ns *ns);
int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op); int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns,
const char *op);
#endif /* __AA_POLICY_H */ #endif /* __AA_POLICY_H */
...@@ -152,7 +152,7 @@ static int apparmor_capable(const struct cred *cred, struct user_namespace *ns, ...@@ -152,7 +152,7 @@ static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
* *
* Returns: %0 else error code if error or permission denied * Returns: %0 else error code if error or permission denied
*/ */
static int common_perm(int op, const struct path *path, u32 mask, static int common_perm(const char *op, const struct path *path, u32 mask,
struct path_cond *cond) struct path_cond *cond)
{ {
struct aa_profile *profile; struct aa_profile *profile;
...@@ -175,7 +175,7 @@ static int common_perm(int op, const struct path *path, u32 mask, ...@@ -175,7 +175,7 @@ static int common_perm(int op, const struct path *path, u32 mask,
* *
* Returns: %0 else error code if error or permission denied * Returns: %0 else error code if error or permission denied
*/ */
static int common_perm_dir_dentry(int op, const struct path *dir, static int common_perm_dir_dentry(const char *op, const struct path *dir,
struct dentry *dentry, u32 mask, struct dentry *dentry, u32 mask,
struct path_cond *cond) struct path_cond *cond)
{ {
...@@ -192,7 +192,8 @@ static int common_perm_dir_dentry(int op, const struct path *dir, ...@@ -192,7 +192,8 @@ static int common_perm_dir_dentry(int op, const struct path *dir,
* *
* Returns: %0 else error code if error or permission denied * Returns: %0 else error code if error or permission denied
*/ */
static inline int common_perm_path(int op, const struct path *path, u32 mask) static inline int common_perm_path(const char *op, const struct path *path,
u32 mask)
{ {
struct path_cond cond = { d_backing_inode(path->dentry)->i_uid, struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
d_backing_inode(path->dentry)->i_mode d_backing_inode(path->dentry)->i_mode
...@@ -212,7 +213,7 @@ static inline int common_perm_path(int op, const struct path *path, u32 mask) ...@@ -212,7 +213,7 @@ static inline int common_perm_path(int op, const struct path *path, u32 mask)
* *
* Returns: %0 else error code if error or permission denied * Returns: %0 else error code if error or permission denied
*/ */
static int common_perm_rm(int op, const struct path *dir, static int common_perm_rm(const char *op, const struct path *dir,
struct dentry *dentry, u32 mask) struct dentry *dentry, u32 mask)
{ {
struct inode *inode = d_backing_inode(dentry); struct inode *inode = d_backing_inode(dentry);
...@@ -237,7 +238,7 @@ static int common_perm_rm(int op, const struct path *dir, ...@@ -237,7 +238,7 @@ static int common_perm_rm(int op, const struct path *dir,
* *
* Returns: %0 else error code if error or permission denied * Returns: %0 else error code if error or permission denied
*/ */
static int common_perm_create(int op, const struct path *dir, static int common_perm_create(const char *op, const struct path *dir,
struct dentry *dentry, u32 mask, umode_t mode) struct dentry *dentry, u32 mask, umode_t mode)
{ {
struct path_cond cond = { current_fsuid(), mode }; struct path_cond cond = { current_fsuid(), mode };
...@@ -395,7 +396,7 @@ static void apparmor_file_free_security(struct file *file) ...@@ -395,7 +396,7 @@ static void apparmor_file_free_security(struct file *file)
aa_free_file_context(ctx); aa_free_file_context(ctx);
} }
static int common_file_perm(int op, struct file *file, u32 mask) static int common_file_perm(const char *op, struct file *file, u32 mask)
{ {
struct aa_file_ctx *fctx = file->f_security; struct aa_file_ctx *fctx = file->f_security;
struct aa_profile *profile, *fprofile = aa_cred_profile(file->f_cred); struct aa_profile *profile, *fprofile = aa_cred_profile(file->f_cred);
...@@ -438,7 +439,7 @@ static int apparmor_file_lock(struct file *file, unsigned int cmd) ...@@ -438,7 +439,7 @@ static int apparmor_file_lock(struct file *file, unsigned int cmd)
return common_file_perm(OP_FLOCK, file, mask); return common_file_perm(OP_FLOCK, file, mask);
} }
static int common_mmap(int op, struct file *file, unsigned long prot, static int common_mmap(const char *op, struct file *file, unsigned long prot,
unsigned long flags) unsigned long flags)
{ {
int mask = 0; int mask = 0;
......
...@@ -606,7 +606,7 @@ static void audit_cb(struct audit_buffer *ab, void *va) ...@@ -606,7 +606,7 @@ static void audit_cb(struct audit_buffer *ab, void *va)
* *
* Returns: the error to be returned after audit is done * Returns: the error to be returned after audit is done
*/ */
static int audit_policy(struct aa_profile *profile, int op, gfp_t gfp, static int audit_policy(struct aa_profile *profile, const char *op, gfp_t gfp,
const char *nsname, const char *name, const char *nsname, const char *name,
const char *info, int error) const char *info, int error)
{ {
...@@ -670,7 +670,8 @@ bool policy_admin_capable(struct aa_ns *ns) ...@@ -670,7 +670,8 @@ bool policy_admin_capable(struct aa_ns *ns)
* *
* Returns: 0 if the task is allowed to manipulate policy else error * Returns: 0 if the task is allowed to manipulate policy else error
*/ */
int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op) int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns,
const char *op)
{ {
/* check if loading policy is locked out */ /* check if loading policy is locked out */
if (aa_g_lock_policy) if (aa_g_lock_policy)
...@@ -819,7 +820,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile, ...@@ -819,7 +820,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile,
const char *ns_name, *info = NULL; const char *ns_name, *info = NULL;
struct aa_ns *ns = NULL; struct aa_ns *ns = NULL;
struct aa_load_ent *ent, *tmp; struct aa_load_ent *ent, *tmp;
int op = OP_PROF_REPL; const char *op = OP_PROF_REPL;
ssize_t count, error; ssize_t count, error;
LIST_HEAD(lh); LIST_HEAD(lh);
......
...@@ -88,13 +88,13 @@ int aa_getprocattr(struct aa_profile *profile, char **string) ...@@ -88,13 +88,13 @@ int aa_getprocattr(struct aa_profile *profile, char **string)
* *
* Returns: start position of name after token else NULL on failure * Returns: start position of name after token else NULL on failure
*/ */
static char *split_token_from_name(int op, char *args, u64 * token) static char *split_token_from_name(const char *op, char *args, u64 *token)
{ {
char *name; char *name;
*token = simple_strtoull(args, &name, 16); *token = simple_strtoull(args, &name, 16);
if ((name == args) || *name != '^') { if ((name == args) || *name != '^') {
AA_ERROR("%s: Invalid input '%s'", op_table[op], args); AA_ERROR("%s: Invalid input '%s'", op, args);
return ERR_PTR(-EINVAL); return ERR_PTR(-EINVAL);
} }
......
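Review bot: The `%s` in `AA_ERROR("%s: Invalid input '%s'", op, args)` now receives the op pointer directly, and OP_NULL is NULL in the new header, so a caller passing OP_NULL would print "(null)" via the kernel's vsnprintf instead of the "null" entry the old `op_table[op]` lookup produced. The callers of split_token_from_name are outside the hunk, so this is probably never reached; if the old output matters, `op ? op : "null"` restores it. The rest of the function's body continues outside the hunk.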