Reserve a secid value that we can use as a wildcard, allowing us to define policy that's expected to match against all secids.
Signed-off-by: Matthew Garrett <[email protected]>
---
 security/apparmor/include/secid.h | 5 +++++
 security/apparmor/secid.c | 4 +---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
index 686de8e50a79..29bdfc7b48b7 100644
--- a/security/apparmor/include/secid.h
+++ b/security/apparmor/include/secid.h
@@ -22,6 +22,11 @@ struct aa_label;
 /* secid value that will not be allocated */
 #define AA_SECID_INVALID 0
+#define AA_SECID_MAX (U32_MAX - 1)
+
+/* secid value that matches any other secid */
+#define AA_SECID_WILDCARD U32_MAX
+
 struct aa_label *aa_secid_to_label(u32 secid);
 int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
 int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
index c2f0c1571156..9574660f4531 100644
--- a/security/apparmor/secid.c
+++ b/security/apparmor/secid.c
@@ -49,8 +49,6 @@ static unsigned long free_count;
  * TODO: use secid_update in label replace
  */
-#define SECID_MAX U32_MAX
-
 /* TODO: mark free list as exceptional */
 static void *to_ptr(u32 secid)
 {
@@ -204,7 +202,7 @@ u32 aa_alloc_secid(struct aa_label *label, gfp_t gfp)
 if (gfpflags_allow_blocking(gfp) && !radix_tree_preload(gfp))
 preload = 1;
 spin_lock_irqsave(&secid_lock, flags);
- if (alloced_secid != SECID_MAX) {
+ if (alloced_secid != AA_SECID_MAX) {
 secid = ++alloced_secid;
 res = radix_tree_insert(&aa_secids_map, secid, label);
 AA_BUG(res == -EEXIST);
--
2.17.0.441.gb46fe60e1d-goog

--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
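Review bot: The new `#define AA_SECID_MAX (U32_MAX - 1)` in the secid.h hunk carries no comment, unlike AA_SECID_INVALID beside it, and nothing states that the allocator bound must stay strictly below AA_SECID_WILDCARD — the two constants are only related by their literal values, so a later edit to either could silently make the wildcard allocatable. I would add `/* highest secid the allocator may hand out; must stay below AA_SECID_WILDCARD */` above the AA_SECID_MAX definition. The same invariant is what makes the `if (alloced_secid != AA_SECID_MAX) {` check in the second secid.c hunk correct (aa_alloc_secid's body starts and ends outside that hunk), so a short comment there such as `/* stops one short of AA_SECID_WILDCARD, which is never allocated */` would tie the two files together. Nothing in this patch gives AA_SECID_WILDCARD special handling in the aa_secid_to_label or apparmor_secctx_to_secid paths visible as context; presumably that comes later, but the header comment on the wildcard could say that callers must check for it explicitly.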
