[apparmor] [PATCH V2 1/3] apparmor: Add a wildcard secid
Matthew Garrett
mjg59 at google.com
Thu May 24 20:27:45 UTC 2018
Reserve a secid value that we can use as a wildcard, allowing us to
define policy that's expected to match against all secids.
Signed-off-by: Matthew Garrett <mjg59 at google.com>
---
security/apparmor/include/secid.h | 5 +++++
security/apparmor/secid.c | 4 +---
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
index 686de8e50a79..29bdfc7b48b7 100644
--- a/security/apparmor/include/secid.h
+++ b/security/apparmor/include/secid.h
@@ -22,6 +22,11 @@ struct aa_label;
/* secid value that will not be allocated */
#define AA_SECID_INVALID 0
+#define AA_SECID_MAX (U32_MAX - 1)
+
+/* secid value that matches any other secid */
+#define AA_SECID_WILDCARD U32_MAX
+
struct aa_label *aa_secid_to_label(u32 secid);
int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
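Review bot: AA_SECID_MAX on the first added line carries no comment, yet its value (U32_MAX - 1) is exactly what keeps the allocator from ever handing out AA_SECID_WILDCARD; a reader of the `alloced_secid != AA_SECID_MAX` check in secid.c's aa_alloc_secid hunk has to reconstruct that by hand. Suggest `/* highest secid the allocator may hand out: one below AA_SECID_WILDCARD, which must never be allocated */` above the define. The declarations that follow (aa_secid_to_label, apparmor_secid_to_secctx, apparmor_secctx_to_secid) also say nothing about whether a caller may pass or receive the wildcard; if they are not expected to resolve it, one sentence in the wildcard's comment stating that would make the contract visible. Since U32_MAX is defined with a cast in the kernel headers, the invariant WILDCARD > MAX cannot be checked in a preprocessor `#if`; a `BUILD_BUG_ON(AA_SECID_WILDCARD <= AA_SECID_MAX);` in secid.c is the place to pin it.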
diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
index c2f0c1571156..9574660f4531 100644
--- a/security/apparmor/secid.c
+++ b/security/apparmor/secid.c
@@ -49,8 +49,6 @@ static unsigned long free_count;
* TODO: use secid_update in label replace
*/
-#define SECID_MAX U32_MAX
-
/* TODO: mark free list as exceptional */
static void *to_ptr(u32 secid)
{
@@ -204,7 +202,7 @@ u32 aa_alloc_secid(struct aa_label *label, gfp_t gfp)
if (gfpflags_allow_blocking(gfp) && !radix_tree_preload(gfp))
preload = 1;
spin_lock_irqsave(&secid_lock, flags);
- if (alloced_secid != SECID_MAX) {
+ if (alloced_secid != AA_SECID_MAX) {
secid = ++alloced_secid;
res = radix_tree_insert(&aa_secids_map, secid, label);
AA_BUG(res == -EEXIST);
--
2.17.0.441.gb46fe60e1d-goog