Commit 048d4954 authored by John Johansen's avatar John Johansen

apparmor: convert xmatch to using the new shared policydb struct



continue permission unification by converting xmatch to use the
policydb struct that is used by the other profile dfas.

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 53bdc46f
+1 −1
@@ -1095,7 +1095,7 @@ static int seq_profile_attach_show(struct seq_file *seq, void *v)
	struct aa_profile *profile = labels_profile(label);
	if (profile->attach)
		seq_printf(seq, "%s\n", profile->attach);
	else if (profile->xmatch)
	else if (profile->xmatch.dfa)
		seq_puts(seq, "<unknown>\n");
	else
		seq_printf(seq, "%s\n", profile->base.name);
+12 −10
@@ -321,7 +321,7 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
	might_sleep();

	/* transition from exec match to xattr set */
	state = aa_dfa_outofband_transition(profile->xmatch, state);
	state = aa_dfa_outofband_transition(profile->xmatch.dfa, state);
	d = bprm->file->f_path.dentry;

	for (i = 0; i < profile->xattr_count; i++) {
@@ -335,18 +335,19 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
			 * that not present xattr can be distinguished from a 0
			 * length value or rule that matches any value
			 */
			state = aa_dfa_null_transition(profile->xmatch, state);
			state = aa_dfa_null_transition(profile->xmatch.dfa,
						       state);
			/* Check xattr value */
			state = aa_dfa_match_len(profile->xmatch, state, value,
						 size);
			perm = profile->xmatch_perms[state].allow;
			state = aa_dfa_match_len(profile->xmatch.dfa, state,
						 value, size);
			perm = profile->xmatch.perms[state].allow;
			if (!(perm & MAY_EXEC)) {
				ret = -EINVAL;
				goto out;
			}
		}
		/* transition to next element */
		state = aa_dfa_outofband_transition(profile->xmatch, state);
		state = aa_dfa_outofband_transition(profile->xmatch.dfa, state);
		if (size < 0) {
			/*
			 * No xattr match, so verify if transition to
@@ -413,13 +414,14 @@ static struct aa_label *find_attach(const struct linux_binprm *bprm,
		 * as another profile, signal a conflict and refuse to
		 * match.
		 */
		if (profile->xmatch) {
		if (profile->xmatch.dfa) {
			unsigned int state, count;
			u32 perm;

			state = aa_dfa_leftmatch(profile->xmatch, DFA_START,
			state = aa_dfa_leftmatch(profile->xmatch.dfa,
					profile->xmatch.start[AA_CLASS_XMATCH],
					name, &count);
			perm = profile->xmatch_perms[state].allow;
			perm = profile->xmatch.perms[state].allow;
			/* any accepting state means a valid match. */
			if (perm & MAY_EXEC) {
				int ret = 0;
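Review bot: The start state handed to aa_dfa_leftmatch in find_attach now comes from `profile->xmatch.start[AA_CLASS_XMATCH]`, and nothing in this diff shows that entry being populated when the xmatch policydb is unpacked. If the loader leaves it at its zero-initialised value, matching begins from state 0 instead of `DFA_START`, and `profile->xmatch.perms[state]` on the next line is then read for whatever state that walk lands on. Either confirm the unpack path sets `start[AA_CLASS_XMATCH]` (or falls back to the DFA start) or guard here, e.g. `unsigned int start = profile->xmatch.start[AA_CLASS_XMATCH] ? : DFA_START;` and pass `start` to aa_dfa_leftmatch. find_attach begins and ends outside this hunk.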
+1 −0
@@ -26,6 +26,7 @@
#define AA_CLASS_MOUNT		7
#define AA_CLASS_PTRACE		9
#define AA_CLASS_SIGNAL		10
#define AA_CLASS_XMATCH		11
#define AA_CLASS_NET		14
#define AA_CLASS_LABEL		16
#define AA_CLASS_POSIX_MQUEUE	17
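Review bot: `AA_CLASS_XMATCH` is used in domain.c as an index into `profile->xmatch.start[]`, so its value has to lie within that array's bounds and presumably must agree with the class number the userspace policy compiler writes into the start table; neither the array's size nor the userspace side is visible here. A short comment would stop the next person from renumbering it casually, e.g. `#define AA_CLASS_XMATCH 11 /* start-state index for the xmatch policydb; must match the parser */`.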
+1 −3
@@ -113,7 +113,6 @@ struct aa_data {
 * @attach: human readable attachment string
 * @xmatch: optional extended matching for unconfined executables names
 * @xmatch_len: xmatch prefix len, used to determine xmatch priority
 * @xmatch_perms: precomputed permissions for the xmatch DFA indexed by state
 * @audit: the auditing mode of the profile
 * @mode: the enforcement mode of the profile
 * @path_flags: flags controlling path generation behavior
@@ -148,9 +147,8 @@ struct aa_profile {
	const char *rename;

	const char *attach;
	struct aa_dfa *xmatch;
	struct aa_policydb xmatch;
	unsigned int xmatch_len;
	struct aa_perms *xmatch_perms;

	enum audit_mode audit;
	long mode;
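Review bot: The kernel-doc for @xmatch still describes a bare matcher, while the field is now a `struct aa_policydb` whose `dfa`, `perms` and `start[AA_CLASS_XMATCH]` members are what domain.c reads, and the removed @xmatch_perms text is not folded back in. I'd update it to `@xmatch: optional policydb (dfa, perms, start state) for extended matching of executable names; unused when xmatch.dfa is NULL`, which also fixes "executables names". The struct definition begins and ends outside these hunks.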
+1 −2
@@ -230,8 +230,7 @@ void aa_free_profile(struct aa_profile *profile)
		kfree_sensitive(profile->secmark[i].label);
	kfree_sensitive(profile->secmark);
	kfree_sensitive(profile->dirname);
	aa_put_dfa(profile->xmatch);
	kvfree(profile->xmatch_perms);
	aa_destroy_policydb(&profile->xmatch);
	aa_destroy_policydb(&profile->policy);
	if (profile->data) {
		rht = profile->data;
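Review bot: `aa_destroy_policydb(&profile->xmatch)` replaces both the dfa put and the `kvfree` of the perms table, so freeing correctly now depends on that helper releasing both members and tolerating NULL in each, which is not visible in this diff. If aa_free_profile can run on a profile whose unpack stopped before xmatch was filled in, the policydb is still zeroed memory and the destroy routine has to cope with that. Worth a look at aa_destroy_policydb, or a comment here, e.g. `/* xmatch may be empty (dfa == NULL) for profiles freed mid-unpack */`. aa_free_profile begins and ends outside this hunk.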