dconf needs the raw perms, not the boolean allowed/audited provided by query_label.
Split query_label into a base query_label_raw fn and make query_label a wrapper of the raw fn. Signed-off-by: John Johansen <[email protected]> --- libraries/libapparmor/src/kernel.c | 57 +++++++++++++++++++++++++++----------- 1 file changed, 41 insertions(+), 16 deletions(-) diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c index 349290d..c504c9d 100644 --- a/libraries/libapparmor/src/kernel.c +++ b/libraries/libapparmor/src/kernel.c @@ -888,31 +888,26 @@ int aa_query_cmd(const char *cmd, size_t cmd_size, char *query, size_t size, /* "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n" */ #define QUERY_LABEL_REPLY_LEN 67 +typedef struct { + uint32_t allow, deny, audit, quiet; +} aa_perms_t; + /** * aa_query_label - query the access(es) of a label * @mask: permission bits to query * @query: binary query string, must be offset by AA_QUERY_CMD_LABEL_SIZE * @size: size of the query string must include AA_QUERY_CMD_LABEL_SIZE - * @allowed: upon successful return, will be 1 if query is allowed and 0 if not - * @audited: upon successful return, will be 1 if query should be audited and 0 - * if not + * @perms: Return: perms for given query * * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is * ENOENT, the subject label in the query string is unknown to the * kernel. */ -int query_label(uint32_t mask, char *query, size_t size, int *allowed, - int *audited) +static int query_label_raw(char *query, size_t size, aa_perms_t *perms) { char buf[QUERY_LABEL_REPLY_LEN]; - uint32_t allow, deny, audit, quiet; int ret; - if (!mask) { - errno = EINVAL; - return -1; - } - ret = aa_query_cmd(AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE, query, size, buf, QUERY_LABEL_REPLY_LEN); if (ret != QUERY_LABEL_REPLY_LEN) { 
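Review bot: The kerneldoc block above the new `static int query_label_raw(char *query, size_t size, aa_perms_t *perms)` is still titled `aa_query_label` and still documents `@mask`, which this function does not take. I would retitle it `query_label_raw - query the raw permission masks of a label` and drop the `@mask` line. The `@perms` line should also say that the struct is only meaningful when 0 is returned, for example `@perms: on success, the raw allow/deny/audit/quiet masks; contents are unspecified on failure`. The second hunk scans straight into `perms`, so a short parse can leave it partly written. The function body continues past the end of this hunk.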
@@ -924,16 +919,46 @@ int query_label(uint32_t mask, char *query, size_t size, int *allowed, "deny 0x%8" SCNx32 "\n" "audit 0x%8" SCNx32 "\n" "quiet 0x%8" SCNx32 "\n", - &allow, &deny, &audit, &quiet); + &perms->allow, &perms->deny, &perms->audit, &perms->quiet); if (ret != 4) { errno = EPROTONOSUPPORT; return -1; } - *allowed = mask & ~(allow & ~deny) ? 0 : 1; - if (!(*allowed)) - audit = 0xFFFFFFFF; - *audited = mask & ~(audit & ~quiet) ? 0 : 1; + return 0; +} + +/** + * aa_query_label - query the access(es) of a label + * @mask: permission bits to query + * @query: binary query string, must be offset by AA_QUERY_CMD_LABEL_SIZE + * @size: size of the query string must include AA_QUERY_CMD_LABEL_SIZE + * @allowed: upon successful return, will be 1 if query is allowed and 0 if not + * @audited: upon successful return, will be 1 if query should be audited and 0 + * if not + * + * Returns: 0 on success else -1 and sets errno. If -1 is returned and errno is + * ENOENT, the subject label in the query string is unknown to the + * kernel. + */ +int query_label(uint32_t mask, char *query, size_t size, int *allowed, + int *audited) +{ + aa_perms_t perms; + int ret; + + if (!mask) { + errno = EINVAL; + return -1; + } + + ret = query_label_raw(query, size, &perms); + if (ret == 0) { + *allowed = mask & ~(perms.allow & ~perms.deny) ? 0 : 1; + if (!(*allowed)) + perms.audit = 0xFFFFFFFF; + *audited = mask & ~(perms.audit & ~perms.quiet) ? 0 : 1; + } return 0; } -- 2.9.3 -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
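Review bot: The new `query_label` wrapper ends on the unchanged context line `return 0;`, so it returns success even when `query_label_raw()` returned -1. On that path `*allowed` and `*audited` are never written. A caller that checks only the return value would then make an access decision from whatever was in those ints, while the errno set by the raw function (ENOENT, EPROTONOSUPPORT) goes unnoticed. Propagating the failure before the permission computation fixes it: `if (ret) return ret;` directly after `ret = query_label_raw(query, size, &perms);`, or alternatively change the final statement to `return ret;`.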
