apparmor: preparse for state being more than just an integer

Convert from an unsigned int to a state_t for state position. This is a step in prepping for the state position carrying some additional flags, and a limited form of backtracking to support variables. Signed-off-by: John Johansen <john.johansen@canonical.com>

apparmor: preparse for state being more than just an integer
Convert from an unsigned int to a state_t for state position. This is a step in prepping for the state position carrying some additional flags, and a limited form of backtracking to support variables. Signed-off-by: John Johansen <john.johansen@canonical.com>
33fc95d8 · John Johansen · e844fe9b · 33fc95d8 · 33fc95d8 · 33fc95d8
Commit 33fc95d8 authored Jan 17, 2022 by John Johansen
15 changed files
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -613,7 +613,7 @@ static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
 {
 	struct aa_perms tmp = { };
 	struct aa_dfa *dfa;
-	unsigned int state = 0;
+	aa_state_t state = DFA_NOMATCH;
 	if (profile_unconfined(profile))
 		return;

--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -95,9 +95,9 @@ static int may_change_ptraced_domain(struct aa_label *to_label,
 * If a subns profile is not to be matched should be prescreened with
 * visibility test.
 */
-static inline unsigned int match_component(struct aa_profile *profile,
+static inline aa_state_t match_component(struct aa_profile *profile,
-					   struct aa_profile *tp,
+					 struct aa_profile *tp,
-					   bool stack, unsigned int state)
+					 bool stack, aa_state_t state)
 {
 	const char *ns_name;
@@ -132,7 +132,7 @@ static inline unsigned int match_component(struct aa_profile *profile,
 */
 static int label_compound_match(struct aa_profile *profile,
 				struct aa_label *label, bool stack,
-				unsigned int state, bool subns, u32 request,
+				aa_state_t state, bool subns, u32 request,
 				struct aa_perms *perms)
 {
 	struct aa_profile *tp;
@@ -192,14 +192,14 @@ static int label_compound_match(struct aa_profile *profile,
 */
 static int label_components_match(struct aa_profile *profile,
 				  struct aa_label *label, bool stack,
-				  unsigned int start, bool subns, u32 request,
+				  aa_state_t start, bool subns, u32 request,
 				  struct aa_perms *perms)
 {
 	struct aa_profile *tp;
 	struct label_it i;
 	struct aa_perms tmp;
 	struct path_cond cond = { };
-	unsigned int state = 0;
+	aa_state_t state = 0;
 	/* find first subcomponent to test */
 	label_for_each(i, label, tp) {
@@ -252,7 +252,7 @@ static int label_components_match(struct aa_profile *profile,
 * Returns: the state the match finished in, may be the none matching state
 */
 static int label_match(struct aa_profile *profile, struct aa_label *label,
-		       bool stack, unsigned int state, bool subns, u32 request,
+		       bool stack, aa_state_t state, bool subns, u32 request,
 		       struct aa_perms *perms)
 {
 	int error;
@@ -286,7 +286,7 @@ static int label_match(struct aa_profile *profile, struct aa_label *label,
 */
 static int change_profile_perms(struct aa_profile *profile,
 				struct aa_label *target, bool stack,
-				u32 request, unsigned int start,
+				u32 request, aa_state_t start,
 				struct aa_perms *perms)
 {
 	if (profile_unconfined(profile)) {
@@ -308,7 +308,7 @@ static int change_profile_perms(struct aa_profile *profile,
 * Returns: number of extended attributes that matched, or < 0 on error
 */
 static int aa_xattrs_match(const struct linux_binprm *bprm,
-			   struct aa_profile *profile, unsigned int state)
+			   struct aa_profile *profile, aa_state_t state)
 {
 	int i;
 	ssize_t size;
@@ -416,7 +416,8 @@ static struct aa_label *find_attach(const struct linux_binprm *bprm,
 		 * match.
 		 */
 		if (profile->xmatch.dfa) {
-			unsigned int state, count;
+			unsigned int count;
+			aa_state_t state;
 			u32 index, perm;
 			state = aa_dfa_leftmatch(profile->xmatch.dfa,
@@ -631,7 +632,7 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
 {
 	struct aa_label *new = NULL;
 	const char *info = NULL, *name = NULL, *target = NULL;
-	unsigned int state = profile->file.start[AA_CLASS_FILE];
+	aa_state_t state = profile->file.start[AA_CLASS_FILE];
 	struct aa_perms perms = {};
 	bool nonewprivs = false;
 	int error = 0;
@@ -727,7 +728,7 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
 			  char *buffer, struct path_cond *cond,
 			  bool *secure_exec)
 {
-	unsigned int state = profile->file.start[AA_CLASS_FILE];
+	aa_state_t state = profile->file.start[AA_CLASS_FILE];
 	struct aa_perms perms = {};
 	const char *xname = NULL, *info = "change_profile onexec";
 	int error = -EACCES;

--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -186,7 +186,7 @@ static int path_name(const char *op, struct aa_label *label,
 */
 struct aa_perms default_perms = {};
 struct aa_perms *aa_lookup_fperms(struct aa_policydb *file_rules,
-				 unsigned int state, struct path_cond *cond)
+				 aa_state_t state, struct path_cond *cond)
 {
 	unsigned int index = ACCEPT_TABLE(file_rules->dfa)[state];
@@ -209,11 +209,11 @@ struct aa_perms *aa_lookup_fperms(struct aa_policydb *file_rules,
 *
 * Returns: the final state in @dfa when beginning @start and walking @name
 */
-unsigned int aa_str_perms(struct aa_policydb *file_rules, unsigned int start,
+aa_state_t aa_str_perms(struct aa_policydb *file_rules, aa_state_t start,
-			  const char *name, struct path_cond *cond,
+			const char *name, struct path_cond *cond,
-			  struct aa_perms *perms)
+			struct aa_perms *perms)
 {
-	unsigned int state;
+	aa_state_t state;
 	state = aa_dfa_match(file_rules->dfa, start, name);
 	*perms = *(aa_lookup_fperms(file_rules, state, cond));
@@ -320,7 +320,7 @@ static int profile_path_link(struct aa_profile *profile,
 	struct aa_perms lperms = {}, perms;
 	const char *info = NULL;
 	u32 request = AA_MAY_LINK;
-	unsigned int state;
+	aa_state_t state;
 	int error;
 	error = path_name(OP_LINK, &profile->label, link, profile->path_flags,

--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -166,10 +166,10 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
 		  const char *info, int error);
 struct aa_perms *aa_lookup_fperms(struct aa_policydb *file_rules,
-				  unsigned int state, struct path_cond *cond);
+				  aa_state_t state, struct path_cond *cond);
-unsigned int aa_str_perms(struct aa_policydb *file_rules, unsigned int start,
+aa_state_t aa_str_perms(struct aa_policydb *file_rules, aa_state_t start,
-			  const char *name, struct path_cond *cond,
+			const char *name, struct path_cond *cond,
-			  struct aa_perms *perms);
+			struct aa_perms *perms);
 int __aa_path_perm(const char *op, struct aa_profile *profile,
 		   const char *name, u32 request, struct path_cond *cond,

--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -333,7 +333,7 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
 static inline const char *aa_label_strn_split(const char *str, int n)
 {
 	const char *pos;
-	unsigned int state;
+	aa_state_t state;
 	state = aa_dfa_matchn_until(stacksplitdfa, DFA_START, str, n, &pos);
 	if (!ACCEPT_TABLE(stacksplitdfa)[state])
@@ -345,7 +345,7 @@ static inline const char *aa_label_strn_split(const char *str, int n)
 static inline const char *aa_label_str_split(const char *str)
 {
 	const char *pos;
-	unsigned int state;
+	aa_state_t state;
 	state = aa_dfa_match_until(stacksplitdfa, DFA_START, str, &pos);
 	if (!ACCEPT_TABLE(stacksplitdfa)[state])
@@ -358,7 +358,7 @@ static inline const char *aa_label_str_split(const char *str)
 struct aa_perms;
 int aa_label_match(struct aa_profile *profile, struct aa_label *label,
-		   unsigned int state, bool subns, u32 request,
+		   aa_state_t state, bool subns, u32 request,
 		   struct aa_perms *perms);

--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -87,8 +87,8 @@ static inline bool aa_strneq(const char *str, const char *sub, int len)
 * character which is not used in standard matching and is only
 * used to separate pairs.
 */
-static inline unsigned int aa_dfa_null_transition(struct aa_dfa *dfa,
+static inline aa_state_t aa_dfa_null_transition(struct aa_dfa *dfa,
-						  unsigned int start)
+						aa_state_t start)
 {
 	/* the null transition only needs the string's null terminator byte */
 	return aa_dfa_next(dfa, start, 0);

--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -125,19 +125,19 @@ static inline size_t table_size(size_t len, size_t el_size)
 int aa_setup_dfa_engine(void);
 void aa_teardown_dfa_engine(void);
+#define aa_state_t unsigned int
 struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags);
-unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
+aa_state_t aa_dfa_match_len(struct aa_dfa *dfa, aa_state_t start,
-			      const char *str, int len);
+			    const char *str, int len);
-unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
+aa_state_t aa_dfa_match(struct aa_dfa *dfa, aa_state_t start,
-			  const char *str);
+			const char *str);
-unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
+aa_state_t aa_dfa_next(struct aa_dfa *dfa, aa_state_t state, const char c);
-			 const char c);
+aa_state_t aa_dfa_outofband_transition(struct aa_dfa *dfa, aa_state_t state);
-unsigned int aa_dfa_outofband_transition(struct aa_dfa *dfa,
+aa_state_t aa_dfa_match_until(struct aa_dfa *dfa, aa_state_t start,
-					 unsigned int state);
+			      const char *str, const char **retpos);
-unsigned int aa_dfa_match_until(struct aa_dfa *dfa, unsigned int start,
+aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start,
-				const char *str, const char **retpos);
+			       const char *str, int n, const char **retpos);
-unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start,
-				 const char *str, int n, const char **retpos);
 void aa_dfa_free_kref(struct kref *kref);
@@ -156,8 +156,8 @@ struct match_workbuf N = {		\
 	.len = 0,			\
 }
-unsigned int aa_dfa_leftmatch(struct aa_dfa *dfa, unsigned int start,
+aa_state_t aa_dfa_leftmatch(struct aa_dfa *dfa, aa_state_t start,
-			      const char *str, unsigned int *count);
+			    const char *str, unsigned int *count);
 /**
 * aa_get_dfa - increment refcount on dfa @p

--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -78,7 +78,7 @@ struct aa_policydb {
 	struct aa_dfa *dfa;
 	struct aa_perms *perms;
 	struct aa_domain trans;
-	unsigned int start[AA_CLASS_LAST + 1];
+	aa_state_t start[AA_CLASS_LAST + 1];
 };
 static inline void aa_destroy_policydb(struct aa_policydb *policy)
@@ -91,7 +91,7 @@ static inline void aa_destroy_policydb(struct aa_policydb *policy)
 }
 static inline struct aa_perms *aa_lookup_perms(struct aa_policydb *policy,
-					       unsigned int state)
+					       aa_state_t state)
 {
 	unsigned int index = ACCEPT_TABLE(policy->dfa)[state];
@@ -239,7 +239,7 @@ static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
 	return labels_profile(aa_get_newest_label(&p->label));
 }
-static inline unsigned int PROFILE_MEDIATES(struct aa_profile *profile,
+static inline aa_state_t PROFILE_MEDIATES(struct aa_profile *profile,
 					    unsigned char class)
 {
 	if (class <= AA_CLASS_LAST)
@@ -249,13 +249,13 @@ static inline unsigned int PROFILE_MEDIATES(struct aa_profile *profile,
 					profile->policy.start[0], &class, 1);
 }
-static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
+static inline aa_state_t PROFILE_MEDIATES_AF(struct aa_profile *profile,
-					       u16 AF) {
+					     u16 AF) {
-	unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
+	aa_state_t state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
 	__be16 be_af = cpu_to_be16(AF);
 	if (!state)
-		return 0;
+		return DFA_NOMATCH;
 	return aa_dfa_match_len(profile->policy.dfa, state, (char *) &be_af, 2);
 }

--- a/security/apparmor/ipc.c
+++ b/security/apparmor/ipc.c
@@ -79,7 +79,7 @@ static int profile_signal_perm(struct aa_profile *profile,
 			       struct common_audit_data *sa)
 {
 	struct aa_perms perms;
-	unsigned int state;
+	aa_state_t state;
 	if (profile_unconfined(profile) ||
 	    !PROFILE_MEDIATES(profile, AA_CLASS_SIGNAL))

--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@@ -1265,9 +1265,9 @@ static inline bool label_is_visible(struct aa_profile *profile,
 * If a subns profile is not to be matched should be prescreened with
 * visibility test.
 */
-static inline unsigned int match_component(struct aa_profile *profile,
+static inline aa_state_t match_component(struct aa_profile *profile,
-					   struct aa_profile *tp,
+					 struct aa_profile *tp,
-					   unsigned int state)
+					 aa_state_t state)
 {
 	const char *ns_name;
@@ -1299,7 +1299,7 @@ static inline unsigned int match_component(struct aa_profile *profile,
 */
 static int label_compound_match(struct aa_profile *profile,
 				struct aa_label *label,
-				unsigned int state, bool subns, u32 request,
+				aa_state_t state, bool subns, u32 request,
 				struct aa_perms *perms)
 {
 	struct aa_profile *tp;
@@ -1356,14 +1356,14 @@ static int label_compound_match(struct aa_profile *profile,
 *        check to be stacked.
 */
 static int label_components_match(struct aa_profile *profile,
-				  struct aa_label *label, unsigned int start,
+				  struct aa_label *label, aa_state_t start,
 				  bool subns, u32 request,
 				  struct aa_perms *perms)
 {
 	struct aa_profile *tp;
 	struct label_it i;
 	struct aa_perms tmp;
-	unsigned int state = 0;
+	aa_state_t state = 0;
 	/* find first subcomponent to test */
 	label_for_each(i, label, tp) {
@@ -1415,7 +1415,7 @@ static int label_components_match(struct aa_profile *profile,
 * Returns: the state the match finished in, may be the none matching state
 */
 int aa_label_match(struct aa_profile *profile, struct aa_label *label,
-		   unsigned int state, bool subns, u32 request,
+		   aa_state_t state, bool subns, u32 request,
 		   struct aa_perms *perms)
 {
 	int error = label_compound_match(profile, label, state, subns, request,

--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -357,7 +357,7 @@ void aa_profile_match_label(struct aa_profile *profile, struct aa_label *label,
 			    int type, u32 request, struct aa_perms *perms)
 {
 	/* TODO: doesn't yet handle extended types */
-	unsigned int state;
+	aa_state_t state;
 	state = aa_dfa_next(profile->policy.dfa,
 			    profile->policy.start[AA_CLASS_LABEL],

--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -436,17 +436,17 @@ do {							\
 *
 * Returns: final state reached after input is consumed
 */
-unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
+aa_state_t aa_dfa_match_len(struct aa_dfa *dfa, aa_state_t start,
-			      const char *str, int len)
+			    const char *str, int len)
 {
 	u16 *def = DEFAULT_TABLE(dfa);
 	u32 *base = BASE_TABLE(dfa);
 	u16 *next = NEXT_TABLE(dfa);
 	u16 *check = CHECK_TABLE(dfa);
-	unsigned int state = start;
+	aa_state_t state = start;
-	if (state == 0)
+	if (state == DFA_NOMATCH)
-		return 0;
+		return DFA_NOMATCH;
 	/* current state is <state>, matching character *str */
 	if (dfa->tables[YYTD_ID_EC]) {
@@ -476,17 +476,16 @@ unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
 *
 * Returns: final state reached after input is consumed
 */
-unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
+aa_state_t aa_dfa_match(struct aa_dfa *dfa, aa_state_t start, const char *str)
-			  const char *str)
 {
 	u16 *def = DEFAULT_TABLE(dfa);
 	u32 *base = BASE_TABLE(dfa);
 	u16 *next = NEXT_TABLE(dfa);
 	u16 *check = CHECK_TABLE(dfa);
-	unsigned int state = start;
+	aa_state_t state = start;
-	if (state == 0)
+	if (state == DFA_NOMATCH)
-		return 0;
+		return DFA_NOMATCH;
 	/* current state is <state>, matching character *str */
 	if (dfa->tables[YYTD_ID_EC]) {
@@ -515,8 +514,7 @@ unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
 *
 * Returns: state reach after input @c
 */
-unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
+aa_state_t aa_dfa_next(struct aa_dfa *dfa, aa_state_t state, const char c)
-			  const char c)
 {
 	u16 *def = DEFAULT_TABLE(dfa);
 	u32 *base = BASE_TABLE(dfa);
@@ -534,7 +532,7 @@ unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
 	return state;
 }
-unsigned int aa_dfa_outofband_transition(struct aa_dfa *dfa, unsigned int state)
+aa_state_t aa_dfa_outofband_transition(struct aa_dfa *dfa, aa_state_t state)
 {
 	u16 *def = DEFAULT_TABLE(dfa);
 	u32 *base = BASE_TABLE(dfa);
@@ -564,7 +562,7 @@ unsigned int aa_dfa_outofband_transition(struct aa_dfa *dfa, unsigned int state)
 *
 * Returns: final state reached after input is consumed
 */
-unsigned int aa_dfa_match_until(struct aa_dfa *dfa, unsigned int start,
+aa_state_t aa_dfa_match_until(struct aa_dfa *dfa, aa_state_t start,
 				const char *str, const char **retpos)
 {
 	u16 *def = DEFAULT_TABLE(dfa);
@@ -572,10 +570,10 @@ unsigned int aa_dfa_match_until(struct aa_dfa *dfa, unsigned int start,
 	u16 *next = NEXT_TABLE(dfa);
 	u16 *check = CHECK_TABLE(dfa);
 	u32 *accept = ACCEPT_TABLE(dfa);
-	unsigned int state = start, pos;
+	aa_state_t state = start, pos;
-	if (state == 0)
+	if (state == DFA_NOMATCH)
-		return 0;
+		return DFA_NOMATCH;
 	/* current state is <state>, matching character *str */
 	if (dfa->tables[YYTD_ID_EC]) {
@@ -625,7 +623,7 @@ unsigned int aa_dfa_match_until(struct aa_dfa *dfa, unsigned int start,
 *
 * Returns: final state reached after input is consumed
 */
-unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start,
+aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start,
 				 const char *str, int n, const char **retpos)
 {
 	u16 *def = DEFAULT_TABLE(dfa);
@@ -633,11 +631,11 @@ unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start,
 	u16 *next = NEXT_TABLE(dfa);
 	u16 *check = CHECK_TABLE(dfa);
 	u32 *accept = ACCEPT_TABLE(dfa);
-	unsigned int state = start, pos;
+	aa_state_t state = start, pos;
 	*retpos = NULL;
-	if (state == 0)
+	if (state == DFA_NOMATCH)
-		return 0;
+		return DFA_NOMATCH;
 	/* current state is <state>, matching character *str */
 	if (dfa->tables[YYTD_ID_EC]) {
@@ -677,11 +675,11 @@ do {								\
 } while (0)
 /* For DFAs that don't support extended tagging of states */
-static bool is_loop(struct match_workbuf *wb, unsigned int state,
+static bool is_loop(struct match_workbuf *wb, aa_state_t state,
 		    unsigned int *adjust)
 {
-	unsigned int pos = wb->pos;
+	aa_state_t pos = wb->pos;
-	unsigned int i;
+	aa_state_t i;
 	if (wb->history[pos] < state)
 		return false;
@@ -700,7 +698,7 @@ static bool is_loop(struct match_workbuf *wb, unsigned int state,
 	return true;
 }
-static unsigned int leftmatch_fb(struct aa_dfa *dfa, unsigned int start,
+static aa_state_t leftmatch_fb(struct aa_dfa *dfa, aa_state_t start,
 				 const char *str, struct match_workbuf *wb,
 				 unsigned int *count)
 {
@@ -708,7 +706,7 @@ static unsigned int leftmatch_fb(struct aa_dfa *dfa, unsigned int start,
 	u32 *base = BASE_TABLE(dfa);
 	u16 *next = NEXT_TABLE(dfa);
 	u16 *check = CHECK_TABLE(dfa);
-	unsigned int state = start, pos;
+	aa_state_t state = start, pos;
 	AA_BUG(!dfa);
 	AA_BUG(!str);
@@ -716,8 +714,8 @@ static unsigned int leftmatch_fb(struct aa_dfa *dfa, unsigned int start,
 	AA_BUG(!count);
 	*count = 0;
-	if (state == 0)
+	if (state == DFA_NOMATCH)
-		return 0;
+		return DFA_NOMATCH;
 	/* current state is <state>, matching character *str */
 	if (dfa->tables[YYTD_ID_EC]) {
@@ -781,8 +779,8 @@ static unsigned int leftmatch_fb(struct aa_dfa *dfa, unsigned int start,
 *
 * Returns: final state reached after input is consumed
 */
-unsigned int aa_dfa_leftmatch(struct aa_dfa *dfa, unsigned int start,
+aa_state_t aa_dfa_leftmatch(struct aa_dfa *dfa, aa_state_t start,
-			      const char *str, unsigned int *count)
+			    const char *str, unsigned int *count)
 {
 	DEFINE_MATCH_WB(wb);

--- a/security/apparmor/mount.c
+++ b/security/apparmor/mount.c
@@ -190,7 +190,7 @@ static int audit_mount(struct aa_profile *profile, const char *op,
 *
 * Returns: next state after flags match
 */
-static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state,
+static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state,
 				    unsigned long flags)
 {
 	unsigned int i;
@@ -217,12 +217,12 @@ static const char * const mnt_info_table[] = {
 * Returns 0 on success else element that match failed in, this is the
 * index into the mnt_info_table above
 */
-static int do_match_mnt(struct aa_policydb *policy, unsigned int start,
+static int do_match_mnt(struct aa_policydb *policy, aa_state_t start,
 			const char *mntpnt, const char *devname,
 			const char *type, unsigned long flags,
 			void *data, bool binary, struct aa_perms *perms)
 {
-	unsigned int state;
+	aa_state_t state;
 	AA_BUG(!policy);
 	AA_BUG(!policy->dfa);
@@ -567,7 +567,7 @@ static int profile_umount(struct aa_profile *profile, const struct path *path,
 {
 	struct aa_perms perms = { };
 	const char *name = NULL, *info = NULL;
-	unsigned int state;
+	aa_state_t state;
 	int error;
 	AA_BUG(!profile);
@@ -627,7 +627,7 @@ static struct aa_label *build_pivotroot(struct aa_profile *profile,
 	const char *old_name, *new_name = NULL, *info = NULL;
 	const char *trans_name = NULL;
 	struct aa_perms perms = { };
-	unsigned int state;
+	aa_state_t state;
 	int error;
 	AA_BUG(!profile);

--- a/security/apparmor/net.c
+++ b/security/apparmor/net.c
@@ -109,7 +109,7 @@ int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
 		       u32 request, u16 family, int type)
 {
 	struct aa_perms perms = { };
-	unsigned int state;
+	aa_state_t state;
 	__be16 buffer[2];
 	AA_BUG(family >= AF_MAX);

--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -698,7 +698,7 @@ static u32 map_old_perms(u32 old)
 }
 static void compute_fperms_allow(struct aa_perms *perms, struct aa_dfa *dfa,
-				 unsigned int state)
+				 aa_state_t state)
 {
 	perms->allow |= AA_MAY_GETATTR;
@@ -710,7 +710,7 @@ static void compute_fperms_allow(struct aa_perms *perms, struct aa_dfa *dfa,
 }
 static struct aa_perms compute_fperms_user(struct aa_dfa *dfa,
-					   unsigned int state)
+					   aa_state_t state)
 {
 	struct aa_perms perms = { };
@@ -725,7 +725,7 @@ static struct aa_perms compute_fperms_user(struct aa_dfa *dfa,
 }
 static struct aa_perms compute_fperms_other(struct aa_dfa *dfa,
-					    unsigned int state)
+					    aa_state_t state)
 {
 	struct aa_perms perms = { };
@@ -748,8 +748,8 @@ static struct aa_perms compute_fperms_other(struct aa_dfa *dfa,
 */
 static struct aa_perms *compute_fperms(struct aa_dfa *dfa)
 {
-	int state;
+	aa_state_t state;
-	int state_count;
+	unsigned int state_count;
 	struct aa_perms *table;
 	AA_BUG(!dfa);
@@ -796,7 +796,7 @@ static u32 map_other(u32 x)
 }
 static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
-					   unsigned int state)
+					   aa_state_t state)
 {
 	struct aa_perms perms = { };
@@ -817,8 +817,8 @@ static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
 static struct aa_perms *compute_perms(struct aa_dfa *dfa)
 {
-	int state;
+	unsigned int state;
-	int state_count;
+	unsigned int state_count;
 	struct aa_perms *table;
 	AA_BUG(!dfa);