Commit 33fc95d8 authored by John Johansen's avatar John Johansen

apparmor: preparse for state being more than just an integer



Convert from an unsigned int to a state_t for state position. This is
a step in prepping for the state position carrying some additional
flags, and a limited form of backtracking to support variables.

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent e844fe9b
+1 −1
@@ -613,7 +613,7 @@ static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
{
	struct aa_perms tmp = { };
	struct aa_dfa *dfa;
	unsigned int state = 0;
	aa_state_t state = DFA_NOMATCH;

	if (profile_unconfined(profile))
		return;
+13 −12
@@ -95,9 +95,9 @@ static int may_change_ptraced_domain(struct aa_label *to_label,
 * If a subns profile is not to be matched should be prescreened with
 * visibility test.
 */
static inline unsigned int match_component(struct aa_profile *profile,
static inline aa_state_t match_component(struct aa_profile *profile,
					 struct aa_profile *tp,
					   bool stack, unsigned int state)
					 bool stack, aa_state_t state)
{
	const char *ns_name;

@@ -132,7 +132,7 @@ static inline unsigned int match_component(struct aa_profile *profile,
 */
static int label_compound_match(struct aa_profile *profile,
				struct aa_label *label, bool stack,
				unsigned int state, bool subns, u32 request,
				aa_state_t state, bool subns, u32 request,
				struct aa_perms *perms)
{
	struct aa_profile *tp;
@@ -192,14 +192,14 @@ static int label_compound_match(struct aa_profile *profile,
 */
static int label_components_match(struct aa_profile *profile,
				  struct aa_label *label, bool stack,
				  unsigned int start, bool subns, u32 request,
				  aa_state_t start, bool subns, u32 request,
				  struct aa_perms *perms)
{
	struct aa_profile *tp;
	struct label_it i;
	struct aa_perms tmp;
	struct path_cond cond = { };
	unsigned int state = 0;
	aa_state_t state = 0;

	/* find first subcomponent to test */
	label_for_each(i, label, tp) {
@@ -252,7 +252,7 @@ static int label_components_match(struct aa_profile *profile,
 * Returns: the state the match finished in, may be the none matching state
 */
static int label_match(struct aa_profile *profile, struct aa_label *label,
		       bool stack, unsigned int state, bool subns, u32 request,
		       bool stack, aa_state_t state, bool subns, u32 request,
		       struct aa_perms *perms)
{
	int error;
@@ -286,7 +286,7 @@ static int label_match(struct aa_profile *profile, struct aa_label *label,
 */
static int change_profile_perms(struct aa_profile *profile,
				struct aa_label *target, bool stack,
				u32 request, unsigned int start,
				u32 request, aa_state_t start,
				struct aa_perms *perms)
{
	if (profile_unconfined(profile)) {
@@ -308,7 +308,7 @@ static int change_profile_perms(struct aa_profile *profile,
 * Returns: number of extended attributes that matched, or < 0 on error
 */
static int aa_xattrs_match(const struct linux_binprm *bprm,
			   struct aa_profile *profile, unsigned int state)
			   struct aa_profile *profile, aa_state_t state)
{
	int i;
	ssize_t size;
@@ -416,7 +416,8 @@ static struct aa_label *find_attach(const struct linux_binprm *bprm,
		 * match.
		 */
		if (profile->xmatch.dfa) {
			unsigned int state, count;
			unsigned int count;
			aa_state_t state;
			u32 index, perm;

			state = aa_dfa_leftmatch(profile->xmatch.dfa,
@@ -631,7 +632,7 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
{
	struct aa_label *new = NULL;
	const char *info = NULL, *name = NULL, *target = NULL;
	unsigned int state = profile->file.start[AA_CLASS_FILE];
	aa_state_t state = profile->file.start[AA_CLASS_FILE];
	struct aa_perms perms = {};
	bool nonewprivs = false;
	int error = 0;
@@ -727,7 +728,7 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
			  char *buffer, struct path_cond *cond,
			  bool *secure_exec)
{
	unsigned int state = profile->file.start[AA_CLASS_FILE];
	aa_state_t state = profile->file.start[AA_CLASS_FILE];
	struct aa_perms perms = {};
	const char *xname = NULL, *info = "change_profile onexec";
	int error = -EACCES;
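Review bot: `aa_state_t state = 0;` at the top of label_components_match initializes the converted state with a bare literal, while the same conversion in profile_query_cb spells the initial value `DFA_NOMATCH`. Since the point of the series is to make the state type opaque and possibly carry flag bits later, the literal should become the named constant, `aa_state_t state = DFA_NOMATCH;`, assuming 0 is meant as the no-match state here, which the hunk itself does not show. The body of label_components_match continues past the hunk.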
+6 −6
@@ -186,7 +186,7 @@ static int path_name(const char *op, struct aa_label *label,
 */
struct aa_perms default_perms = {};
struct aa_perms *aa_lookup_fperms(struct aa_policydb *file_rules,
				 unsigned int state, struct path_cond *cond)
				 aa_state_t state, struct path_cond *cond)
{
	unsigned int index = ACCEPT_TABLE(file_rules->dfa)[state];

@@ -209,11 +209,11 @@ struct aa_perms *aa_lookup_fperms(struct aa_policydb *file_rules,
 *
 * Returns: the final state in @dfa when beginning @start and walking @name
 */
unsigned int aa_str_perms(struct aa_policydb *file_rules, unsigned int start,
aa_state_t aa_str_perms(struct aa_policydb *file_rules, aa_state_t start,
			const char *name, struct path_cond *cond,
			struct aa_perms *perms)
{
	unsigned int state;
	aa_state_t state;
	state = aa_dfa_match(file_rules->dfa, start, name);
	*perms = *(aa_lookup_fperms(file_rules, state, cond));

@@ -320,7 +320,7 @@ static int profile_path_link(struct aa_profile *profile,
	struct aa_perms lperms = {}, perms;
	const char *info = NULL;
	u32 request = AA_MAY_LINK;
	unsigned int state;
	aa_state_t state;
	int error;

	error = path_name(OP_LINK, &profile->label, link, profile->path_flags,
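Review bot: aa_lookup_fperms still indexes `ACCEPT_TABLE(file_rules->dfa)[state]` with the raw aa_state_t value; that is correct while aa_state_t is a plain integer, but the description says the state position will later carry additional flags, at which point a raw index would read past the accept table unless the flag bits are masked off first. A comment marking the spot would help the follow-up, e.g. `/* state is used as a raw table index; mask flag bits here once aa_state_t carries them */`. The same raw indexing appears in aa_label_strn_split and aa_label_str_split in the label header section. aa_lookup_fperms continues outside the hunk.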
+4 −4
@@ -166,8 +166,8 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
		  const char *info, int error);

struct aa_perms *aa_lookup_fperms(struct aa_policydb *file_rules,
				  unsigned int state, struct path_cond *cond);
unsigned int aa_str_perms(struct aa_policydb *file_rules, unsigned int start,
				  aa_state_t state, struct path_cond *cond);
aa_state_t aa_str_perms(struct aa_policydb *file_rules, aa_state_t start,
			const char *name, struct path_cond *cond,
			struct aa_perms *perms);

+3 −3
@@ -333,7 +333,7 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
static inline const char *aa_label_strn_split(const char *str, int n)
{
	const char *pos;
	unsigned int state;
	aa_state_t state;

	state = aa_dfa_matchn_until(stacksplitdfa, DFA_START, str, n, &pos);
	if (!ACCEPT_TABLE(stacksplitdfa)[state])
@@ -345,7 +345,7 @@ static inline const char *aa_label_strn_split(const char *str, int n)
static inline const char *aa_label_str_split(const char *str)
{
	const char *pos;
	unsigned int state;
	aa_state_t state;

	state = aa_dfa_match_until(stacksplitdfa, DFA_START, str, &pos);
	if (!ACCEPT_TABLE(stacksplitdfa)[state])
@@ -358,7 +358,7 @@ static inline const char *aa_label_str_split(const char *str)

struct aa_perms;
int aa_label_match(struct aa_profile *profile, struct aa_label *label,
		   unsigned int state, bool subns, u32 request,
		   aa_state_t state, bool subns, u32 request,
		   struct aa_perms *perms);

