authorJohn Johansen <john.johansen@canonical.com>2017-09-06 23:57:59 +0200
committerJohn Johansen <john.johansen@canonical.com>2018-02-09 20:30:01 +0100
commit6e0654d20ed9679cbf75a0ff7cd786e364f7f09a (patch)
tree9c15e28e85b9cc66984e3a6fdb7101a2ae2b0a58 /security/apparmor/include
parentapparmor: add first substr match to dfa (diff)
apparmor: use the dfa to do label parse string splitting
The current split scheme is actually wrong in that it splits ///& where that is invalid and should fail. Use the dfa to do a proper bounded split without having to worry about getting the string processing right in code. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
Diffstat (limited to 'security/apparmor/include')
-rw-r--r--security/apparmor/include/label.h25
-rw-r--r--security/apparmor/include/match.h1
2 files changed, 26 insertions, 0 deletions
diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
index af22dcbbcb8a..80e9ba9d172c 100644
--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -330,6 +330,31 @@ void aa_label_printk(struct aa_label *label, gfp_t gfp);
struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
gfp_t gfp, bool create, bool force_stack);
+static inline const char *aa_label_strn_split(const char *str, int n)
+{
+ const char *pos;
+ unsigned int state;
+
+ state = aa_dfa_matchn_until(stacksplitdfa, DFA_START, str, n, &pos);
+ if (!ACCEPT_TABLE(stacksplitdfa)[state])
+ return NULL;
+
+ return pos - 3;
+}
+
+static inline const char *aa_label_str_split(const char *str)
+{
+ const char *pos;
+ unsigned int state;
+
+ state = aa_dfa_match_until(stacksplitdfa, DFA_START, str, &pos);
+ if (!ACCEPT_TABLE(stacksplitdfa)[state])
+ return NULL;
+
+ return pos - 3;
+}
+
+
struct aa_perms;
int aa_label_match(struct aa_profile *profile, struct aa_label *label,
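Review bot: The `return pos - 3;` in both aa_label_strn_split() and aa_label_str_split() rests on an undocumented invariant: that stacksplitdfa reaches an accept state only after consuming the three-byte `//&` separator, and that the match helper leaves `pos` just past it. Neither the DFA table nor aa_dfa_match_until()/aa_dfa_matchn_until() is visible in this hunk, so if that contract ever changes, these helpers would return a pointer before `str` while parsing label strings that presumably can originate from userspace. I would add a kernel-doc comment to each helper saying the return value points at the start of the `//&` separator, or is NULL when no valid split exists, and put `/* accept implies "//&" was just consumed, so pos - 3 >= str */` above the return. aa_label_strn_split() also passes its signed `int n` through unchecked, so the comment should state that callers must supply a non-negative length.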
diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
index 72b9b89670e6..cd8aeab6ac57 100644
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -101,6 +101,7 @@ struct aa_dfa {
};
extern struct aa_dfa *nulldfa;
+extern struct aa_dfa *stacksplitdfa;
#define byte_to_byte(X) (X)