diff options
author | John Johansen <john.johansen@canonical.com> | 2017-09-06 23:57:59 +0200 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2018-02-09 20:30:01 +0100 |
commit | 6e0654d20ed9679cbf75a0ff7cd786e364f7f09a (patch) | |
tree | 9c15e28e85b9cc66984e3a6fdb7101a2ae2b0a58 /security/apparmor/label.c | |
parent | apparmor: add first substr match to dfa (diff) | |
download | linux-6e0654d20ed9679cbf75a0ff7cd786e364f7f09a.tar.xz linux-6e0654d20ed9679cbf75a0ff7cd786e364f7f09a.zip |
apparmor: use the dfa to do label parse string splitting
The current split scheme is actually wrong in that it splits
///&
where that is invalid and should fail. Use the dfa to do a proper
bounded split without having to worry about getting the string
processing right in code.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Diffstat (limited to 'security/apparmor/label.c')
-rw-r--r-- | security/apparmor/label.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/security/apparmor/label.c b/security/apparmor/label.c index 324fe5c60f87..31e2f701d971 100644 --- a/security/apparmor/label.c +++ b/security/apparmor/label.c @@ -1815,7 +1815,9 @@ static int label_count_str_entries(const char *str) AA_BUG(!str); - for (split = strstr(str, "//&"); split; split = strstr(str, "//&")) { + for (split = aa_label_str_split(str); + split; + split = aa_label_str_split(str)) { count++; str = split + 3; } @@ -1859,7 +1861,7 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str, DEFINE_VEC(profile, vec); struct aa_label *label, *currbase = base; int i, len, stack = 0, error; - char *split; + const char *split; AA_BUG(!base); AA_BUG(!str); @@ -1883,7 +1885,8 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str, for (i = 0; i < stack; i++) vec[i] = aa_get_profile(base->vec[i]); - for (split = strstr(str, "//&"), i = stack; split && i < len; i++) { + for (split = aa_label_str_split(str), i = stack; + split && i < len; i++) { vec[i] = fqlookupn_profile(base, currbase, str, split - str); if (!vec[i]) goto fail; @@ -1894,7 +1897,7 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str, if (vec[i]->ns != labels_ns(currbase)) currbase = &vec[i]->label; str = split + 3; - split = strstr(str, "//&"); + split = aa_label_str_split(str); } /* last element doesn't have a split */ if (i < len) { @@ -1930,7 +1933,6 @@ fail: goto out; } - /** * aa_labelset_destroy - remove all labels from the label set * @ls: label set to cleanup (NOT NULL) |