| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZxUXBBI4XE0oqcee@gallifrey>
Date: Sun, 20 Oct 2024 14:43:16 +0000
From: "Dr. David Alan Gilbert" <linux@...blig.org>
To: john.johansen@...onical.com, paul@...l-moore.com, jmorris@...ei.org,
serge@...lyn.com
Cc: apparmor@...ts.ubuntu.com, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] apparmor: Remove deadcode
* linux@...blig.org (linux@...blig.org) wrote:
> From: "Dr. David Alan Gilbert" <linux@...blig.org>
>
> aa_label_audit, aa_label_find, aa_label_seq_print and aa_update_label_name
> were added by commit
> f1bd904175e8 ("apparmor: add the base fns() for domain labels")
> but never used.
>
> aa_profile_label_perm was added by commit
> 637f688dc3dc ("apparmor: switch from profiles to using labels on contexts")
> but never used.
>
> aa_secid_update was added by commit
> c092921219d2 ("apparmor: add support for mapping secids and using secctxes")
> but never used.
>
> aa_split_fqname has been unused since commit
> 3664268f19ea ("apparmor: add namespace lookup fns()")
>
> aa_lookup_profile has been unused since commit
> 93c98a484c49 ("apparmor: move exec domain mediation to using labels")
>
> aa_audit_perms_cb was only used by aa_profile_label_perm (see above).
>
> All of these commits are from around 2017.
>
> Remove them.
>
> Signed-off-by: Dr. David Alan Gilbert <linux@...blig.org>
Ping.
Dave
> ---
> security/apparmor/include/label.h | 4 --
> security/apparmor/include/lib.h | 1 -
> security/apparmor/include/perms.h | 3 --
> security/apparmor/include/policy.h | 1 -
> security/apparmor/include/secid.h | 1 -
> security/apparmor/label.c | 33 ------------
> security/apparmor/lib.c | 84 ------------------------------
> security/apparmor/policy.c | 5 --
> security/apparmor/secid.c | 14 -----
> 9 files changed, 146 deletions(-)
>
> diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
> index 2a72e6b17d68..83a840d935bc 100644
> --- a/security/apparmor/include/label.h
> +++ b/security/apparmor/include/label.h
> @@ -291,8 +291,6 @@ bool aa_label_replace(struct aa_label *old, struct aa_label *new);
> bool aa_label_make_newest(struct aa_labelset *ls, struct aa_label *old,
> struct aa_label *new);
>
> -struct aa_label *aa_label_find(struct aa_label *l);
> -
> struct aa_profile *aa_label_next_in_merge(struct label_it *I,
> struct aa_label *a,
> struct aa_label *b);
> @@ -320,8 +318,6 @@ void aa_label_seq_xprint(struct seq_file *f, struct aa_ns *ns,
> struct aa_label *label, int flags, gfp_t gfp);
> void aa_label_xprintk(struct aa_ns *ns, struct aa_label *label, int flags,
> gfp_t gfp);
> -void aa_label_audit(struct audit_buffer *ab, struct aa_label *label, gfp_t gfp);
> -void aa_label_seq_print(struct seq_file *f, struct aa_label *label, gfp_t gfp);
> void aa_label_printk(struct aa_label *label, gfp_t gfp);
>
> struct aa_label *aa_label_strn_parse(struct aa_label *base, const char *str,
> diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
> index d7a894b1031f..f11a0db7f51d 100644
> --- a/security/apparmor/include/lib.h
> +++ b/security/apparmor/include/lib.h
> @@ -59,7 +59,6 @@ extern int apparmor_initialized;
>
> /* fn's in lib */
> const char *skipn_spaces(const char *str, size_t n);
> -char *aa_split_fqname(char *args, char **ns_name);
> const char *aa_splitn_fqname(const char *fqname, size_t n, const char **ns_name,
> size_t *ns_len);
> void aa_info_message(const char *str);
> diff --git a/security/apparmor/include/perms.h b/security/apparmor/include/perms.h
> index 0f7e913c3fc2..bbaa7d39a39a 100644
> --- a/security/apparmor/include/perms.h
> +++ b/security/apparmor/include/perms.h
> @@ -213,9 +213,6 @@ void aa_perms_accum_raw(struct aa_perms *accum, struct aa_perms *addend);
> void aa_profile_match_label(struct aa_profile *profile,
> struct aa_ruleset *rules, struct aa_label *label,
> int type, u32 request, struct aa_perms *perms);
> -int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target,
> - u32 request, int type, u32 *deny,
> - struct apparmor_audit_data *ad);
> int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms,
> u32 request, struct apparmor_audit_data *ad,
> void (*cb)(struct audit_buffer *, void *));
> diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
> index 75088cc310b6..757e3c232c57 100644
> --- a/security/apparmor/include/policy.h
> +++ b/security/apparmor/include/policy.h
> @@ -264,7 +264,6 @@ void aa_free_profile(struct aa_profile *profile);
> struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name);
> struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname,
> size_t n);
> -struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *name);
> struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
> const char *fqname, size_t n);
>
> diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
> index a912a5d5d04f..b49dd0253118 100644
> --- a/security/apparmor/include/secid.h
> +++ b/security/apparmor/include/secid.h
> @@ -32,6 +32,5 @@ void apparmor_release_secctx(char *secdata, u32 seclen);
>
> int aa_alloc_secid(struct aa_label *label, gfp_t gfp);
> void aa_free_secid(u32 secid);
> -void aa_secid_update(u32 secid, struct aa_label *label);
>
> #endif /* __AA_SECID_H */
> diff --git a/security/apparmor/label.c b/security/apparmor/label.c
> index c71e4615dd46..91483ecacc16 100644
> --- a/security/apparmor/label.c
> +++ b/security/apparmor/label.c
> @@ -899,23 +899,6 @@ struct aa_label *aa_vec_find_or_create_label(struct aa_profile **vec, int len,
> return vec_create_and_insert_label(vec, len, gfp);
> }
>
> -/**
> - * aa_label_find - find label @label in label set
> - * @label: label to find (NOT NULL)
> - *
> - * Requires: caller to hold a valid ref on l
> - *
> - * Returns: refcounted @label if @label is in tree
> - * refcounted label that is equiv to @label in tree
> - * else NULL if @label or equiv is not in tree
> - */
> -struct aa_label *aa_label_find(struct aa_label *label)
> -{
> - AA_BUG(!label);
> -
> - return vec_find(label->vec, label->size);
> -}
> -
>
> /**
> * aa_label_insert - insert label @label into @ls or return existing label
> @@ -1811,22 +1794,6 @@ void aa_label_xprintk(struct aa_ns *ns, struct aa_label *label, int flags,
> pr_info("%s", label->hname);
> }
>
> -void aa_label_audit(struct audit_buffer *ab, struct aa_label *label, gfp_t gfp)
> -{
> - struct aa_ns *ns = aa_get_current_ns();
> -
> - aa_label_xaudit(ab, ns, label, FLAG_VIEW_SUBNS, gfp);
> - aa_put_ns(ns);
> -}
> -
> -void aa_label_seq_print(struct seq_file *f, struct aa_label *label, gfp_t gfp)
> -{
> - struct aa_ns *ns = aa_get_current_ns();
> -
> - aa_label_seq_xprint(f, ns, label, FLAG_VIEW_SUBNS, gfp);
> - aa_put_ns(ns);
> -}
> -
> void aa_label_printk(struct aa_label *label, gfp_t gfp)
> {
> struct aa_ns *ns = aa_get_current_ns();
> diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
> index cd569fbbfe36..7db62213e352 100644
> --- a/security/apparmor/lib.c
> +++ b/security/apparmor/lib.c
> @@ -45,44 +45,6 @@ void aa_free_str_table(struct aa_str_table *t)
> }
> }
>
> -/**
> - * aa_split_fqname - split a fqname into a profile and namespace name
> - * @fqname: a full qualified name in namespace profile format (NOT NULL)
> - * @ns_name: pointer to portion of the string containing the ns name (NOT NULL)
> - *
> - * Returns: profile name or NULL if one is not specified
> - *
> - * Split a namespace name from a profile name (see policy.c for naming
> - * description). If a portion of the name is missing it returns NULL for
> - * that portion.
> - *
> - * NOTE: may modify the @fqname string. The pointers returned point
> - * into the @fqname string.
> - */
> -char *aa_split_fqname(char *fqname, char **ns_name)
> -{
> - char *name = strim(fqname);
> -
> - *ns_name = NULL;
> - if (name[0] == ':') {
> - char *split = strchr(&name[1], ':');
> - *ns_name = skip_spaces(&name[1]);
> - if (split) {
> - /* overwrite ':' with \0 */
> - *split++ = 0;
> - if (strncmp(split, "//", 2) == 0)
> - split += 2;
> - name = skip_spaces(split);
> - } else
> - /* a ns name without a following profile is allowed */
> - name = NULL;
> - }
> - if (name && *name == 0)
> - name = NULL;
> -
> - return name;
> -}
> -
> /**
> * skipn_spaces - Removes leading whitespace from @str.
> * @str: The string to be stripped.
> @@ -275,33 +237,6 @@ void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
> audit_log_format(ab, "\"");
> }
>
> -/**
> - * aa_audit_perms_cb - generic callback fn for auditing perms
> - * @ab: audit buffer (NOT NULL)
> - * @va: audit struct to audit values of (NOT NULL)
> - */
> -static void aa_audit_perms_cb(struct audit_buffer *ab, void *va)
> -{
> - struct common_audit_data *sa = va;
> - struct apparmor_audit_data *ad = aad(sa);
> -
> - if (ad->request) {
> - audit_log_format(ab, " requested_mask=");
> - aa_audit_perm_mask(ab, ad->request, aa_file_perm_chrs,
> - PERMS_CHRS_MASK, aa_file_perm_names,
> - PERMS_NAMES_MASK);
> - }
> - if (ad->denied) {
> - audit_log_format(ab, "denied_mask=");
> - aa_audit_perm_mask(ab, ad->denied, aa_file_perm_chrs,
> - PERMS_CHRS_MASK, aa_file_perm_names,
> - PERMS_NAMES_MASK);
> - }
> - audit_log_format(ab, " peer=");
> - aa_label_xaudit(ab, labels_ns(ad->subj_label), ad->peer,
> - FLAGS_NONE, GFP_ATOMIC);
> -}
> -
> /**
> * aa_apply_modes_to_perms - apply namespace and profile flags to perms
> * @profile: that perms where computed from
> @@ -349,25 +284,6 @@ void aa_profile_match_label(struct aa_profile *profile,
> }
>
>
> -/* currently unused */
> -int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target,
> - u32 request, int type, u32 *deny,
> - struct apparmor_audit_data *ad)
> -{
> - struct aa_ruleset *rules = list_first_entry(&profile->rules,
> - typeof(*rules), list);
> - struct aa_perms perms;
> -
> - ad->peer = &target->label;
> - ad->request = request;
> -
> - aa_profile_match_label(profile, rules, &target->label, type, request,
> - &perms);
> - aa_apply_modes_to_perms(profile, &perms);
> - *deny |= request & perms.deny;
> - return aa_check_perms(profile, &perms, request, ad, aa_audit_perms_cb);
> -}
> -
> /**
> * aa_check_perms - do audit mode selection based on perms set
> * @profile: profile being checked
> diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
> index 14df15e35695..74c854e8889f 100644
> --- a/security/apparmor/policy.c
> +++ b/security/apparmor/policy.c
> @@ -580,11 +580,6 @@ struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname,
> return profile;
> }
>
> -struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *hname)
> -{
> - return aa_lookupn_profile(ns, hname, strlen(hname));
> -}
> -
> struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
> const char *fqname, size_t n)
> {
> diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
> index 83d3d1e6d9dc..a52c789d4f18 100644
> --- a/security/apparmor/secid.c
> +++ b/security/apparmor/secid.c
> @@ -39,20 +39,6 @@ int apparmor_display_secid_mode;
> * TODO: use secid_update in label replace
> */
>
> -/**
> - * aa_secid_update - update a secid mapping to a new label
> - * @secid: secid to update
> - * @label: label the secid will now map to
> - */
> -void aa_secid_update(u32 secid, struct aa_label *label)
> -{
> - unsigned long flags;
> -
> - xa_lock_irqsave(&aa_secids, flags);
> - __xa_store(&aa_secids, secid, label, 0);
> - xa_unlock_irqrestore(&aa_secids, flags);
> -}
> -
> /*
> * see label for inverse aa_label_to_secid
> */
> --
> 2.46.1
>
--
-----Open up your eyes, open up your mind, open up your code -------
/ Dr. David Alan Gilbert | Running GNU/Linux | Happy \
\ dave @ treblig.org | | In Hex /
\ _________________________|_____ http://www.treblig.org |_______/
Powered by blists - more mailing lists