Commit 0bc8c686 authored by John Johansen

apparmor: switch signal mediation to use RULE_MEDIATES



Currently signal mediation is using a hard coded form of the
RULE_MEDIATES check. This hides the intended semantics, and means this
specific check won't pick up any changes or improvements made in the
RULE_MEDIATES check. Switch to using RULE_MEDIATES().

Signed-off-by: John Johansen <john.johansen@canonical.com>
parent 46b9b994
+5 −5
@@ -85,16 +85,16 @@ static int profile_signal_perm(const struct cred *cred,
	struct aa_perms perms;
	aa_state_t state;

	if (profile_unconfined(profile) ||
	    !ANY_RULE_MEDIATES(&profile->rules, AA_CLASS_SIGNAL))
	if (profile_unconfined(profile))
		return 0;

	ad->subj_cred = cred;
	ad->peer = peer;
	/* TODO: secondary cache check <profile, profile, perm> */
	state = aa_dfa_next(rules->policy->dfa,
			    rules->policy->start[AA_CLASS_SIGNAL],
			    ad->signal);
	state = RULE_MEDIATES(rules, AA_CLASS_SIGNAL);
	if (!state)
		return 0;
	state = aa_dfa_next(rules->policy->dfa, state, ad->signal);
	aa_label_match(profile, rules, peer, state, false, request, &perms);
	aa_apply_modes_to_perms(profile, &perms);
	return aa_check_perms(profile, &perms, request, ad, audit_signal_cb);
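
Review bot: the new `if (!state) return 0;` after `state = RULE_MEDIATES(rules, AA_CLASS_SIGNAL);` is an allow path that now sits apart from the `profile_unconfined(profile)` early return, so it should carry a one-line comment stating that a zero state means the profile does not mediate the signal class and the signal is therefore permitted. Separately, the removed condition tested `ANY_RULE_MEDIATES(&profile->rules, AA_CLASS_SIGNAL)` while the replacement tests only the single `rules` pointer, which is assigned outside the visible hunk. The commit message describes this as a like-for-like switch, so it would help to say explicitly that the two checks are equivalent for this caller, or to note the narrowing if it is intended.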