author | John Johansen <john.johansen@canonical.com> | 2017-09-06 23:57:59 +0200 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2018-02-09 20:30:01 +0100 |
commit | 6e0654d20ed9679cbf75a0ff7cd786e364f7f09a (patch) | |
tree | 9c15e28e85b9cc66984e3a6fdb7101a2ae2b0a58 /security/apparmor/include | |
parent | apparmor: add first substr match to dfa (diff) | |
apparmor: use the dfa to do label parse string splitting
The current split scheme is actually wrong in that it splits
///&
where that is invalid and should fail. Use the dfa to do a proper
bounded split without having to worry about getting the string
processing right in code.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Diffstat (limited to 'security/apparmor/include')
-rw-r--r-- | security/apparmor/include/label.h | 25 | ||||
-rw-r--r-- | security/apparmor/include/match.h | 1 |
2 files changed, 26 insertions, 0 deletions
diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
index af22dcbbcb8a..80e9ba9d172c 100644
--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -330,6 +330,31 @@ void aa_label_printk(struct aa_label *label, gfp_t gfp);
 struct aa_label *aa_label_parse(struct aa_label *base, const char *str, gfp_t gfp, bool create, bool force_stack);
+static inline const char *aa_label_strn_split(const char *str, int n)
+{
+ const char *pos;
+ unsigned int state;
+
+ state = aa_dfa_matchn_until(stacksplitdfa, DFA_START, str, n, &pos);
+ if (!ACCEPT_TABLE(stacksplitdfa)[state])
+ return NULL;
+
+ return pos - 3;
+}
+
+static inline const char *aa_label_str_split(const char *str)
+{
+ const char *pos;
+ unsigned int state;
+
+ state = aa_dfa_match_until(stacksplitdfa, DFA_START, str, &pos);
+ if (!ACCEPT_TABLE(stacksplitdfa)[state])
+ return NULL;
+
+ return pos - 3;
+}
+
+
 struct aa_perms;
 int aa_label_match(struct aa_profile *profile, struct aa_label *label,
diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
index 72b9b89670e6..cd8aeab6ac57 100644
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -101,6 +101,7 @@ struct aa_dfa {
 };
 extern struct aa_dfa *nulldfa;
+extern struct aa_dfa *stacksplitdfa;
 #define byte_to_byte(X) (X) |
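Review bot: `return pos - 3;` in both aa_label_strn_split() and aa_label_str_split() steps back by a bare constant, so the result only stays inside `str` if stacksplitdfa can reach an accepting state solely after consuming at least three bytes. That invariant lives in the DFA tables, which this diff does not show. I would name the constant (presumably the length of the stack separator the commit message refers to) and add a comment above each helper stating that it returns a pointer to the start of the separator, or NULL when no valid split point exists. Because these helpers parse label strings, a cheap guard such as `if (!ACCEPT_TABLE(stacksplitdfa)[state] || pos - str < 3) return NULL;` would keep a wrong or later-modified DFA from yielding a pointer before the buffer. The two helpers differ only in the match call, so the accept check and the offset could be shared.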