apparmor: cleanup: refactor file_perm() to doc semantics of some checks

Provide semantics, via fn names, for some checks being done in
file_perm(). This is a preparatory patch for improvements to both
permission caching and delegation, where the check will become more
involved.

Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index d52a5b14dad4c75f24acdb93a07a148ee620d9f2..81c54ffd63cb2b01859af20d3331a8ea3ee1ac85 100644 (file)
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -557,6 +557,19 @@ static int __file_sock_perm(const char *op, const struct cred *subj_cred,
        return error;
 }
 
+/* wrapper fn to indicate semantics of the check */
+static bool __subj_label_is_cached(struct aa_label *subj_label,
+                           struct aa_label *obj_label)
+{
+       return aa_label_is_subset(obj_label, subj_label);
+}
+
+/* for now separate fn to indicate semantics of the check */
+static bool __file_is_delegated(struct aa_label *obj_label)
+{
+       return unconfined(obj_label);
+}
+
 /**
  * aa_file_perm - do permission revalidation check & audit for @file
  * @op: operation being checked
@@ -594,8 +607,8 @@ int aa_file_perm(const char *op, const struct cred *subj_cred,
         *       delegation from unconfined tasks
         */
        denied = request & ~fctx->allow;
-       if (unconfined(label) || unconfined(flabel) ||
-           (!denied && aa_label_is_subset(flabel, label))) {
+       if (unconfined(label) || __file_is_delegated(flabel) ||
+           (!denied && __subj_label_is_cached(label, flabel))) {
                rcu_read_unlock();
                goto done;
        }