author | John Johansen <john.johansen@canonical.com> | 2017-01-16 09:42:42 +0100 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2017-01-16 10:18:34 +0100 |
commit | 11c236b89d7c26d58c55d5613a858600a4d2ab3a (patch) | |
tree | 591f879c7a4491b17a03391343fc3c0a98bb7165 /security/apparmor/match.c | |
parent | apparmor: allow policydb to be used as the file dfa (diff) | |
apparmor: add a default null dfa
Instead of testing whether a given dfa exists in every code path, have
a default null dfa that is used when loaded policy doesn't provide a
dfa.
This will let us get rid of special casing and avoid dereference bugs
when special casing is missed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/match.c')
-rw-r--r-- | security/apparmor/match.c | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 0e04bcf91154..8f0806b35a75 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -25,6 +25,33 @@
 #define base_idx(X) ((X) & 0xffffff)
+static char nulldfa_src[] = {
+ #include "nulldfa.in"
+};
+struct aa_dfa *nulldfa;
+
+int aa_setup_dfa_engine(void)
+{
+ int error;
+
+ nulldfa = aa_dfa_unpack(nulldfa_src, sizeof(nulldfa_src),
+ TO_ACCEPT1_FLAG(YYTD_DATA32) |
+ TO_ACCEPT2_FLAG(YYTD_DATA32));
+ if (!IS_ERR(nulldfa))
+ return 0;
+
+ error = PTR_ERR(nulldfa);
+ nulldfa = NULL;
+
+ return error;
+}
+
+void aa_teardown_dfa_engine(void)
+{
+ aa_put_dfa(nulldfa);
+ nulldfa = NULL;
+}
+
 /**
 * unpack_table - unpack a dfa table (one of accept, default, base, next check)
 * @blob: data to unpack (NOT NULL) |
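Review bot: `aa_setup_dfa_engine()` resets `nulldfa` to NULL when the unpack fails, and `aa_teardown_dfa_engine()` does the same, so the always-valid dfa pointer the commit message relies on exists only between a successful setup and teardown. Neither new function has kernel-doc, unlike `unpack_table` directly below; I would add a header that states the contract, e.g. `/* Returns: 0 on success, -errno on failure; on failure nulldfa is NULL and AppArmor init must not proceed */`. The caller is not part of this diff (the diffstat is limited to match.c), so it is worth confirming that it treats the error as fatal before any NULL checks on policy dfas are dropped. Separately, `nulldfa_src` is a plain `char` array with no alignment attribute; if `aa_dfa_unpack()` assumes an aligned blob (its contract is not visible in this hunk), `static char nulldfa_src[] __aligned(8) = {` would make that explicit.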