apparmor: cleanup: refactor file_perm() to doc semantics of some checks

Provide semantics, via fn names, for some checks being done in file_perm(). This is a preparatory patch for improvements to both permission caching and delegation, where the check will become more involved. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-09-18 22:14:16 +00:00 · 2024-01-19 01:23:55 -08:00 · 2024-01-19 01:23:55 -08:00 · 34d31f2338
commit 34d31f2338
parent 35fad5b462
1 changed files with 15 additions and 2 deletions
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@ -557,6 +557,19 @@ static int __file_sock_perm(const char *op, const struct cred *subj_cred,
 	return error;
 }

+/* wrapper fn to indicate semantics of the check */
+static bool __subj_label_is_cached(struct aa_label *subj_label,
+			    struct aa_label *obj_label)
+{
+	return aa_label_is_subset(obj_label, subj_label);
+}
+
+/* for now separate fn to indicate semantics of the check */
+static bool __file_is_delegated(struct aa_label *obj_label)
+{
+	return unconfined(obj_label);
+}
+
 /**
 * aa_file_perm - do permission revalidation check & audit for @file
 * @op: operation being checked
@ -594,8 +607,8 @@ int aa_file_perm(const char *op, const struct cred *subj_cred,
 	 *       delegation from unconfined tasks
 	 */
 	denied = request & ~fctx->allow;
-	if (unconfined(label) || unconfined(flabel) ||
-	    (!denied && aa_label_is_subset(flabel, label))) {
+	if (unconfined(label) || __file_is_delegated(flabel) ||
+	    (!denied && __subj_label_is_cached(label, flabel))) {
 		rcu_read_unlock();
 		goto done;
 	}