[apparmor] [PATCH 28/36] apparmor: remove FLAG_MEDIATE_DELETED
John Johansen
john.johansen at canonical.com
Wed May 1 21:31:13 UTC 2013
The label FLAG_MEDIATE_DELETED will never be set as it is not part of
the policy stream (PATH_MEDIATE_DELETED is used), and it is never
used outside of policy load (where it has no effect).
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
security/apparmor/include/label.h | 2 +-
security/apparmor/include/path.h | 2 +-
security/apparmor/policy_unpack.c | 8 +++-----
3 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
index f21dd40..eb70520 100644
--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -117,7 +117,7 @@ enum label_flags {
FLAG_REVOKED = 0x2000, /* label has revocation in it */
/* These flags must correspond with PATH_flags */
- FLAG_MEDIATE_DELETED = 0x10000, /* mediate instead delegate deleted */
+ /* TODO: add new path flags */
};
struct aa_label;
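Review bot: The retained comment `/* These flags must correspond with PATH_flags */` now introduces an empty section, and the added `/* TODO: add new path flags */` does not say which flags are meant or why they must share bit values. A single comment would carry the constraint, for example `/* Reserved for label flags that mirror enum path_flags; any flag added here must use the same bit value as its PATH_ counterpart */`. If mirrored flags are reintroduced later, a `BUILD_BUG_ON()` comparing each pair would enforce the invariant rather than leaving it to a comment.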
diff --git a/security/apparmor/include/path.h b/security/apparmor/include/path.h
index 286ac75..04727e5 100644
--- a/security/apparmor/include/path.h
+++ b/security/apparmor/include/path.h
@@ -23,7 +23,7 @@ enum path_flags {
PATH_CHROOT_NSCONNECT = 0x10, /* connect paths that are at ns root */
PATH_DELEGATE_DELETED = 0x08000, /* delegate deleted files */
- PATH_MEDIATE_DELETED = 0x10000, /* mediate deleted paths */
+ PATH_MEDIATE_DELETED = 0x10000, /* mediate deleted paths */
};
int aa_path_name(struct path *path, int flags, char **buffer,
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index c48eff2..13a14bc 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -25,6 +25,7 @@
#include "include/audit.h"
#include "include/context.h"
#include "include/match.h"
+#include "include/path.h"
#include "include/policy.h"
#include "include/policy_unpack.h"
@@ -532,12 +533,9 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
goto fail;
/* path_flags is optional */
- if (unpack_u32(e, &profile->path_flags, "path_flags"))
- profile->path_flags |= profile->label.flags &
- FLAG_MEDIATE_DELETED;
- else
+ if (!unpack_u32(e, &profile->path_flags, "path_flags"))
/* set a default value if path_flags field is not present */
- profile->path_flags = FLAG_MEDIATE_DELETED;
+ profile->path_flags = PATH_MEDIATE_DELETED;
if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL))
goto fail;
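Review bot: The value read by `if (!unpack_u32(e, &profile->path_flags, "path_flags"))` is stored exactly as it appears in the policy stream, and nothing in this hunk checks that only bits defined in `enum path_flags` are set. Now that the success branch is empty, the loaded word alone decides how deleted paths are mediated for the profile. Unless unknown bits are rejected elsewhere in unpack_profile or its callers (not visible here), consider failing the load on them, e.g. `if (profile->path_flags & ~PATH_FLAGS_KNOWN) goto fail;`, where `PATH_FLAGS_KNOWN` is a placeholder for a mask this patch would have to define. As a style point, the `if` body is a comment line plus a statement, which kernel style would wrap in braces. unpack_profile begins and ends outside the hunk.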
--
1.8.1.2