summaryrefslogtreecommitdiffstats
path: root/security/apparmor/match.c
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2017-01-16 09:42:42 +0100
committerJohn Johansen <john.johansen@canonical.com>2017-01-16 10:18:34 +0100
commit11c236b89d7c26d58c55d5613a858600a4d2ab3a (patch)
tree591f879c7a4491b17a03391343fc3c0a98bb7165 /security/apparmor/match.c
parentapparmor: allow policydb to be used as the file dfa (diff)
downloadlinux-11c236b89d7c26d58c55d5613a858600a4d2ab3a.tar.xz
linux-11c236b89d7c26d58c55d5613a858600a4d2ab3a.zip
apparmor: add a default null dfa
Instead of testing whether a given dfa exists in every code path, have a default null dfa that is used when loaded policy doesn't provide a dfa. This will let us get rid of special casing and avoid dereference bugs when special casing is missed. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/match.c')
-rw-r--r--security/apparmor/match.c27
1 files changed, 27 insertions, 0 deletions
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 0e04bcf91154..8f0806b35a75 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -25,6 +25,33 @@
#define base_idx(X) ((X) & 0xffffff)
+static char nulldfa_src[] = {
+ #include "nulldfa.in"
+};
+struct aa_dfa *nulldfa;
+
+int aa_setup_dfa_engine(void)
+{
+ int error;
+
+ nulldfa = aa_dfa_unpack(nulldfa_src, sizeof(nulldfa_src),
+ TO_ACCEPT1_FLAG(YYTD_DATA32) |
+ TO_ACCEPT2_FLAG(YYTD_DATA32));
+ if (!IS_ERR(nulldfa))
+ return 0;
+
+ error = PTR_ERR(nulldfa);
+ nulldfa = NULL;
+
+ return error;
+}
+
+void aa_teardown_dfa_engine(void)
+{
+ aa_put_dfa(nulldfa);
+ nulldfa = NULL;
+}
+
/**
* unpack_table - unpack a dfa table (one of accept, default, base, next check)
* @blob: data to unpack (NOT NULL)