authorJohn Johansen <john.johansen@canonical.com>2017-09-06 23:57:59 +0200
committerJohn Johansen <john.johansen@canonical.com>2018-02-09 20:30:01 +0100
commit6e0654d20ed9679cbf75a0ff7cd786e364f7f09a (patch)
tree9c15e28e85b9cc66984e3a6fdb7101a2ae2b0a58 /security/apparmor/label.c
parentapparmor: add first substr match to dfa (diff)
apparmor: use the dfa to do label parse string splitting
The current split scheme is actually wrong in that it splits ///& where that is invalid and should fail. Use the dfa to do a proper bounded split without having to worry about getting the string processing right in code. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
Diffstat (limited to 'security/apparmor/label.c')
-rw-r--r--security/apparmor/label.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/security/apparmor/label.c b/security/apparmor/label.c
index 324fe5c60f87..31e2f701d971 100644
--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@@ -1815,7 +1815,9 @@ static int label_count_str_entries(const char *str)
AA_BUG(!str);
- for (split = strstr(str, "//&"); split; split = strstr(str, "//&")) {
+ for (split = aa_label_str_split(str);
+ split;
+ split = aa_label_str_split(str)) {
count++;
str = split + 3;
}
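Review bot: `str = split + 3` still hardcodes the length of the `//&` separator, but the literal it was derived from is no longer on the adjacent line now that the search goes through aa_label_str_split(). The advance is only correct if that helper returns a pointer to the first byte of the separator, which cannot be confirmed from this hunk. I would state that contract next to the advance, for example `/* aa_label_str_split() returns the start of the "//&" separator */`, or replace the 3 with a named constant shared with the helper. The same advance appears at `str = split + 3;` in the aa_label_parse hunk further down, and label_count_str_entries itself begins and ends outside this hunk.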
@@ -1859,7 +1861,7 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
DEFINE_VEC(profile, vec);
struct aa_label *label, *currbase = base;
int i, len, stack = 0, error;
- char *split;
+ const char *split;
AA_BUG(!base);
AA_BUG(!str);
@@ -1883,7 +1885,8 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
for (i = 0; i < stack; i++)
vec[i] = aa_get_profile(base->vec[i]);
- for (split = strstr(str, "//&"), i = stack; split && i < len; i++) {
+ for (split = aa_label_str_split(str), i = stack;
+ split && i < len; i++) {
vec[i] = fqlookupn_profile(base, currbase, str, split - str);
if (!vec[i])
goto fail;
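Review bot: The bound `i < len` in this loop is only meaningful if the component count and this parse loop split the string identically, and nothing in the code records that. `len` appears to come from label_count_str_entries(), which is not visible in this hunk; if the two splitters ever diverge again, the loop would stop early and leave trailing input unparsed instead of failing. If that derivation is confirmed, a short comment above the `for` would pin it down, e.g. `/* must split exactly as label_count_str_entries() does; len is derived from its count */`. This also covers the re-split `split = aa_label_str_split(str);` at the end of the loop body in the next hunk, and aa_label_parse starts and ends outside both hunks.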
@@ -1894,7 +1897,7 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
if (vec[i]->ns != labels_ns(currbase))
currbase = &vec[i]->label;
str = split + 3;
- split = strstr(str, "//&");
+ split = aa_label_str_split(str);
}
/* last element doesn't have a split */
if (i < len) {
@@ -1930,7 +1933,6 @@ fail:
goto out;
}
-
/**
* aa_labelset_destroy - remove all labels from the label set
* @ls: label set to cleanup (NOT NULL)