lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <2c2691c2-17d6-49dc-842e-289d8afced74@canonical.com>
Date: Sat, 9 Nov 2024 11:33:24 -0800
From: John Johansen <john.johansen@...onical.com>
To: "Dr. David Alan Gilbert" <linux@...blig.org>, paul@...l-moore.com,
 jmorris@...ei.org, serge@...lyn.com
Cc: apparmor@...ts.ubuntu.com, linux-security-module@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH] apparmor: Remove deadcode

On 10/20/24 07:43, Dr. David Alan Gilbert wrote:
> * linux@...blig.org (linux@...blig.org) wrote:
>> From: "Dr. David Alan Gilbert" <linux@...blig.org>
>>
>> aa_label_audit, aa_label_find, aa_label_seq_print and aa_update_label_name
>> were added by commit
>> f1bd904175e8 ("apparmor: add the base fns() for domain labels")
>> but never used.
>>
>> aa_profile_label_perm was added by commit
>> 637f688dc3dc ("apparmor: switch from profiles to using labels on contexts")
>> but never used.
>>
>> aa_secid_update was added by commit
>> c092921219d2 ("apparmor: add support for mapping secids and using secctxes")
>> but never used.
>>
>> aa_split_fqname has been unused since commit
>> 3664268f19ea ("apparmor: add namespace lookup fns()")
>>
>> aa_lookup_profile has been unused since commit
>> 93c98a484c49 ("apparmor: move exec domain mediation to using labels")
>>
>> aa_audit_perms_cb was only used by aa_profile_label_perm (see above).
>>
>> All of these commits are from around 2017.
>>
>> Remove them.
>>
>> Signed-off-by: Dr. David Alan Gilbert <linux@...blig.org>
> 
Acked-by: John Johansen <john.johansen@...onical.com>

I have pulled this into my tree

> Ping.
> 
> Dave
> 
>> ---
>>   security/apparmor/include/label.h  |  4 --
>>   security/apparmor/include/lib.h    |  1 -
>>   security/apparmor/include/perms.h  |  3 --
>>   security/apparmor/include/policy.h |  1 -
>>   security/apparmor/include/secid.h  |  1 -
>>   security/apparmor/label.c          | 33 ------------
>>   security/apparmor/lib.c            | 84 ------------------------------
>>   security/apparmor/policy.c         |  5 --
>>   security/apparmor/secid.c          | 14 -----
>>   9 files changed, 146 deletions(-)
>>
>> diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
>> index 2a72e6b17d68..83a840d935bc 100644
>> --- a/security/apparmor/include/label.h
>> +++ b/security/apparmor/include/label.h
>> @@ -291,8 +291,6 @@ bool aa_label_replace(struct aa_label *old, struct aa_label *new);
>>   bool aa_label_make_newest(struct aa_labelset *ls, struct aa_label *old,
>>   			  struct aa_label *new);
>>   
>> -struct aa_label *aa_label_find(struct aa_label *l);
>> -
>>   struct aa_profile *aa_label_next_in_merge(struct label_it *I,
>>   					  struct aa_label *a,
>>   					  struct aa_label *b);
>> @@ -320,8 +318,6 @@ void aa_label_seq_xprint(struct seq_file *f, struct aa_ns *ns,
>>   			 struct aa_label *label, int flags, gfp_t gfp);
>>   void aa_label_xprintk(struct aa_ns *ns, struct aa_label *label, int flags,
>>   		      gfp_t gfp);
>> -void aa_label_audit(struct audit_buffer *ab, struct aa_label *label, gfp_t gfp);
>> -void aa_label_seq_print(struct seq_file *f, struct aa_label *label, gfp_t gfp);
>>   void aa_label_printk(struct aa_label *label, gfp_t gfp);
>>   
>>   struct aa_label *aa_label_strn_parse(struct aa_label *base, const char *str,
>> diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
>> index d7a894b1031f..f11a0db7f51d 100644
>> --- a/security/apparmor/include/lib.h
>> +++ b/security/apparmor/include/lib.h
>> @@ -59,7 +59,6 @@ extern int apparmor_initialized;
>>   
>>   /* fn's in lib */
>>   const char *skipn_spaces(const char *str, size_t n);
>> -char *aa_split_fqname(char *args, char **ns_name);
>>   const char *aa_splitn_fqname(const char *fqname, size_t n, const char **ns_name,
>>   			     size_t *ns_len);
>>   void aa_info_message(const char *str);
>> diff --git a/security/apparmor/include/perms.h b/security/apparmor/include/perms.h
>> index 0f7e913c3fc2..bbaa7d39a39a 100644
>> --- a/security/apparmor/include/perms.h
>> +++ b/security/apparmor/include/perms.h
>> @@ -213,9 +213,6 @@ void aa_perms_accum_raw(struct aa_perms *accum, struct aa_perms *addend);
>>   void aa_profile_match_label(struct aa_profile *profile,
>>   			    struct aa_ruleset *rules, struct aa_label *label,
>>   			    int type, u32 request, struct aa_perms *perms);
>> -int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target,
>> -			  u32 request, int type, u32 *deny,
>> -			  struct apparmor_audit_data *ad);
>>   int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms,
>>   		   u32 request, struct apparmor_audit_data *ad,
>>   		   void (*cb)(struct audit_buffer *, void *));
>> diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
>> index 75088cc310b6..757e3c232c57 100644
>> --- a/security/apparmor/include/policy.h
>> +++ b/security/apparmor/include/policy.h
>> @@ -264,7 +264,6 @@ void aa_free_profile(struct aa_profile *profile);
>>   struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name);
>>   struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname,
>>   				      size_t n);
>> -struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *name);
>>   struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
>>   					const char *fqname, size_t n);
>>   
>> diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
>> index a912a5d5d04f..b49dd0253118 100644
>> --- a/security/apparmor/include/secid.h
>> +++ b/security/apparmor/include/secid.h
>> @@ -32,6 +32,5 @@ void apparmor_release_secctx(char *secdata, u32 seclen);
>>   
>>   int aa_alloc_secid(struct aa_label *label, gfp_t gfp);
>>   void aa_free_secid(u32 secid);
>> -void aa_secid_update(u32 secid, struct aa_label *label);
>>   
>>   #endif /* __AA_SECID_H */
>> diff --git a/security/apparmor/label.c b/security/apparmor/label.c
>> index c71e4615dd46..91483ecacc16 100644
>> --- a/security/apparmor/label.c
>> +++ b/security/apparmor/label.c
>> @@ -899,23 +899,6 @@ struct aa_label *aa_vec_find_or_create_label(struct aa_profile **vec, int len,
>>   	return vec_create_and_insert_label(vec, len, gfp);
>>   }
>>   
>> -/**
>> - * aa_label_find - find label @label in label set
>> - * @label: label to find (NOT NULL)
>> - *
>> - * Requires: caller to hold a valid ref on l
>> - *
>> - * Returns: refcounted @label if @label is in tree
>> - *          refcounted label that is equiv to @label in tree
>> - *     else NULL if @label or equiv is not in tree
>> - */
>> -struct aa_label *aa_label_find(struct aa_label *label)
>> -{
>> -	AA_BUG(!label);
>> -
>> -	return vec_find(label->vec, label->size);
>> -}
>> -
>>   
>>   /**
>>    * aa_label_insert - insert label @label into @ls or return existing label
>> @@ -1811,22 +1794,6 @@ void aa_label_xprintk(struct aa_ns *ns, struct aa_label *label, int flags,
>>   		pr_info("%s", label->hname);
>>   }
>>   
>> -void aa_label_audit(struct audit_buffer *ab, struct aa_label *label, gfp_t gfp)
>> -{
>> -	struct aa_ns *ns = aa_get_current_ns();
>> -
>> -	aa_label_xaudit(ab, ns, label, FLAG_VIEW_SUBNS, gfp);
>> -	aa_put_ns(ns);
>> -}
>> -
>> -void aa_label_seq_print(struct seq_file *f, struct aa_label *label, gfp_t gfp)
>> -{
>> -	struct aa_ns *ns = aa_get_current_ns();
>> -
>> -	aa_label_seq_xprint(f, ns, label, FLAG_VIEW_SUBNS, gfp);
>> -	aa_put_ns(ns);
>> -}
>> -
>>   void aa_label_printk(struct aa_label *label, gfp_t gfp)
>>   {
>>   	struct aa_ns *ns = aa_get_current_ns();
>> diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
>> index cd569fbbfe36..7db62213e352 100644
>> --- a/security/apparmor/lib.c
>> +++ b/security/apparmor/lib.c
>> @@ -45,44 +45,6 @@ void aa_free_str_table(struct aa_str_table *t)
>>   	}
>>   }
>>   
>> -/**
>> - * aa_split_fqname - split a fqname into a profile and namespace name
>> - * @fqname: a full qualified name in namespace profile format (NOT NULL)
>> - * @ns_name: pointer to portion of the string containing the ns name (NOT NULL)
>> - *
>> - * Returns: profile name or NULL if one is not specified
>> - *
>> - * Split a namespace name from a profile name (see policy.c for naming
>> - * description).  If a portion of the name is missing it returns NULL for
>> - * that portion.
>> - *
>> - * NOTE: may modify the @fqname string.  The pointers returned point
>> - *       into the @fqname string.
>> - */
>> -char *aa_split_fqname(char *fqname, char **ns_name)
>> -{
>> -	char *name = strim(fqname);
>> -
>> -	*ns_name = NULL;
>> -	if (name[0] == ':') {
>> -		char *split = strchr(&name[1], ':');
>> -		*ns_name = skip_spaces(&name[1]);
>> -		if (split) {
>> -			/* overwrite ':' with \0 */
>> -			*split++ = 0;
>> -			if (strncmp(split, "//", 2) == 0)
>> -				split += 2;
>> -			name = skip_spaces(split);
>> -		} else
>> -			/* a ns name without a following profile is allowed */
>> -			name = NULL;
>> -	}
>> -	if (name && *name == 0)
>> -		name = NULL;
>> -
>> -	return name;
>> -}
>> -
>>   /**
>>    * skipn_spaces - Removes leading whitespace from @str.
>>    * @str: The string to be stripped.
>> @@ -275,33 +237,6 @@ void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
>>   	audit_log_format(ab, "\"");
>>   }
>>   
>> -/**
>> - * aa_audit_perms_cb - generic callback fn for auditing perms
>> - * @ab: audit buffer (NOT NULL)
>> - * @va: audit struct to audit values of (NOT NULL)
>> - */
>> -static void aa_audit_perms_cb(struct audit_buffer *ab, void *va)
>> -{
>> -	struct common_audit_data *sa = va;
>> -	struct apparmor_audit_data *ad = aad(sa);
>> -
>> -	if (ad->request) {
>> -		audit_log_format(ab, " requested_mask=");
>> -		aa_audit_perm_mask(ab, ad->request, aa_file_perm_chrs,
>> -				   PERMS_CHRS_MASK, aa_file_perm_names,
>> -				   PERMS_NAMES_MASK);
>> -	}
>> -	if (ad->denied) {
>> -		audit_log_format(ab, "denied_mask=");
>> -		aa_audit_perm_mask(ab, ad->denied, aa_file_perm_chrs,
>> -				   PERMS_CHRS_MASK, aa_file_perm_names,
>> -				   PERMS_NAMES_MASK);
>> -	}
>> -	audit_log_format(ab, " peer=");
>> -	aa_label_xaudit(ab, labels_ns(ad->subj_label), ad->peer,
>> -				      FLAGS_NONE, GFP_ATOMIC);
>> -}
>> -
>>   /**
>>    * aa_apply_modes_to_perms - apply namespace and profile flags to perms
>>    * @profile: that perms where computed from
>> @@ -349,25 +284,6 @@ void aa_profile_match_label(struct aa_profile *profile,
>>   }
>>   
>>   
>> -/* currently unused */
>> -int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target,
>> -			  u32 request, int type, u32 *deny,
>> -			  struct apparmor_audit_data *ad)
>> -{
>> -	struct aa_ruleset *rules = list_first_entry(&profile->rules,
>> -						    typeof(*rules), list);
>> -	struct aa_perms perms;
>> -
>> -	ad->peer = &target->label;
>> -	ad->request = request;
>> -
>> -	aa_profile_match_label(profile, rules, &target->label, type, request,
>> -			       &perms);
>> -	aa_apply_modes_to_perms(profile, &perms);
>> -	*deny |= request & perms.deny;
>> -	return aa_check_perms(profile, &perms, request, ad, aa_audit_perms_cb);
>> -}
>> -
>>   /**
>>    * aa_check_perms - do audit mode selection based on perms set
>>    * @profile: profile being checked
>> diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
>> index 14df15e35695..74c854e8889f 100644
>> --- a/security/apparmor/policy.c
>> +++ b/security/apparmor/policy.c
>> @@ -580,11 +580,6 @@ struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname,
>>   	return profile;
>>   }
>>   
>> -struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *hname)
>> -{
>> -	return aa_lookupn_profile(ns, hname, strlen(hname));
>> -}
>> -
>>   struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
>>   					const char *fqname, size_t n)
>>   {
>> diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
>> index 83d3d1e6d9dc..a52c789d4f18 100644
>> --- a/security/apparmor/secid.c
>> +++ b/security/apparmor/secid.c
>> @@ -39,20 +39,6 @@ int apparmor_display_secid_mode;
>>    * TODO: use secid_update in label replace
>>    */
>>   
>> -/**
>> - * aa_secid_update - update a secid mapping to a new label
>> - * @secid: secid to update
>> - * @label: label the secid will now map to
>> - */
>> -void aa_secid_update(u32 secid, struct aa_label *label)
>> -{
>> -	unsigned long flags;
>> -
>> -	xa_lock_irqsave(&aa_secids, flags);
>> -	__xa_store(&aa_secids, secid, label, 0);
>> -	xa_unlock_irqrestore(&aa_secids, flags);
>> -}
>> -
>>   /*
>>    * see label for inverse aa_label_to_secid
>>    */
>> -- 
>> 2.46.1
>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ