Commit e48ffd24 authored by John Johansen's avatar John Johansen

apparmor: convert xmatch to use aa_perms structure



Convert xmatch from using perms encoded in the accept entry of the
dfa to the common external aa_perms in a table.

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 0310f093
+2 −2
@@ -339,7 +339,7 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
			/* Check xattr value */
			state = aa_dfa_match_len(profile->xmatch, state, value,
						 size);
			perm = profile->xmatch_perms[state];
			perm = profile->xmatch_perms[state].allow;
			if (!(perm & MAY_EXEC)) {
				ret = -EINVAL;
				goto out;
@@ -419,7 +419,7 @@ static struct aa_label *find_attach(const struct linux_binprm *bprm,

			state = aa_dfa_leftmatch(profile->xmatch, DFA_START,
						 name, &count);
			perm = profile->xmatch_perms[state];
			perm = profile->xmatch_perms[state].allow;
			/* any accepting state means a valid match. */
			if (perm & MAY_EXEC) {
				int ret = 0;
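Review bot: Both reads of `profile->xmatch_perms[state].allow` in this section index the new table with whatever state aa_dfa_match_len() or aa_dfa_leftmatch() returned, with no range check, and nothing at either use says why that is in bounds. The table is sized to the DFA's state count in compute_xmatch_perms() (from `xmatch->tables[YYTD_ID_BASE]->td_lolen`), so the read is correct only while that sizing invariant holds; a comment at the first read in aa_xattrs_match would record the coupling: `/* xmatch_perms has one entry per xmatch DFA state, so any returned state is in range */`. The same applies to the find_attach hunk. Both aa_xattrs_match and find_attach continue outside their hunks.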
+2 −1
@@ -141,7 +141,8 @@ struct aa_profile {
	const char *attach;
	struct aa_dfa *xmatch;
	unsigned int xmatch_len;
	u32 *xmatch_perms;
	struct aa_perms *xmatch_perms;

	enum audit_mode audit;
	long mode;
	u32 path_flags;
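Review bot: The new `struct aa_perms *xmatch_perms;` field carries no comment on what it is indexed by or who owns the allocation, which matters more now that it is a table of structs rather than a flat u32 array. It is allocated with kvcalloc in compute_xmatch_perms() and, from the unpack code on this page, only the `.allow` member is populated; presumably it is released together with `xmatch` when the profile is freed, but that path is not visible here and should be confirmed. I would add `/* per-state perms for xmatch, indexed by DFA state; kvcalloc'd at unpack, only .allow is set */` above the field. struct aa_profile continues outside the hunk.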
+9 −4
@@ -769,9 +769,9 @@ static struct aa_perms *compute_fperms(struct aa_dfa *dfa)
	return table;
}

static u32 *compute_xmatch_perms(struct aa_dfa *xmatch)
static struct aa_perms *compute_xmatch_perms(struct aa_dfa *xmatch)
{
	u32 *perms_table;
	struct aa_perms *perms_table;
	int state;
	int state_count;

@@ -779,11 +779,12 @@ static u32 *compute_xmatch_perms(struct aa_dfa *xmatch)

	state_count = xmatch->tables[YYTD_ID_BASE]->td_lolen;
	/* DFAs are restricted from having a state_count of less than 2 */
	perms_table = kvcalloc(state_count, sizeof(u32), GFP_KERNEL);
	  perms_table = kvcalloc(state_count, sizeof(struct aa_perms),
			       GFP_KERNEL);

	/* zero init so skip the trap state (state == 0) */
	for (state = 1; state < state_count; state++)
		perms_table[state] = dfa_user_allow(xmatch, state);
		perms_table[state].allow = dfa_user_allow(xmatch, state);

	return perms_table;
}
@@ -855,6 +856,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
		profile->xmatch_len = tmp;

		profile->xmatch_perms = compute_xmatch_perms(profile->xmatch);
		if (!profile->xmatch_perms) {
			info = "failed to convert xmatch permission table";
			goto fail;
		}
	}

	/* disconnected attachment string is optional */
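Review bot: The new failure branch in unpack_profile sets `info` but not the error code, so a kvcalloc failure inside compute_xmatch_perms() is reported to the caller as whatever `error` already holds at that point (presumably the generic protocol-error default, which would misreport an out-of-memory condition as a malformed profile); adding `error = -ENOMEM;` before `goto fail;` keeps the failure distinguishable. The `fail` label and the declaration of `error` are outside the hunk, so confirm the label does not already derive the code from `info`. Separately, the first kvcalloc line in compute_xmatch_perms is indented with a tab plus two spaces while its continuation line uses tabs; it should be `	perms_table = kvcalloc(state_count, sizeof(struct aa_perms),` with kernel tab-only indentation. unpack_profile starts and ends outside this hunk.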