summaryrefslogtreecommitdiffstats
path: root/security/apparmor/match.c
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2017-09-06 23:57:59 +0200
committerJohn Johansen <john.johansen@canonical.com>2018-02-09 20:30:01 +0100
commit6e0654d20ed9679cbf75a0ff7cd786e364f7f09a (patch)
tree9c15e28e85b9cc66984e3a6fdb7101a2ae2b0a58 /security/apparmor/match.c
parentapparmor: add first substr match to dfa (diff)
downloadlinux-6e0654d20ed9679cbf75a0ff7cd786e364f7f09a.tar.xz
linux-6e0654d20ed9679cbf75a0ff7cd786e364f7f09a.zip
apparmor: use the dfa to do label parse string splitting
The current split scheme is actually wrong in that it splits ///& where that is invalid and should fail. Use the dfa to do a proper bounded split without having to worry about getting the string processing right in code. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
Diffstat (limited to 'security/apparmor/match.c')
-rw-r--r--security/apparmor/match.c29
1 files changed, 23 insertions, 6 deletions
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 6c6dc1a22f9a..5d95caeddebc 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -30,6 +30,11 @@ static char nulldfa_src[] = {
};
struct aa_dfa *nulldfa;
+static char stacksplitdfa_src[] = {
+ #include "stacksplitdfa.in"
+};
+struct aa_dfa *stacksplitdfa;
+
int aa_setup_dfa_engine(void)
{
int error;
@@ -37,19 +42,31 @@ int aa_setup_dfa_engine(void)
nulldfa = aa_dfa_unpack(nulldfa_src, sizeof(nulldfa_src),
TO_ACCEPT1_FLAG(YYTD_DATA32) |
TO_ACCEPT2_FLAG(YYTD_DATA32));
- if (!IS_ERR(nulldfa))
- return 0;
+ if (IS_ERR(nulldfa)) {
+ error = PTR_ERR(nulldfa);
+ nulldfa = NULL;
+ return error;
+ }
- error = PTR_ERR(nulldfa);
- nulldfa = NULL;
+ stacksplitdfa = aa_dfa_unpack(stacksplitdfa_src,
+ sizeof(stacksplitdfa_src),
+ TO_ACCEPT1_FLAG(YYTD_DATA32) |
+ TO_ACCEPT2_FLAG(YYTD_DATA32));
+ if (IS_ERR(stacksplitdfa)) {
+ aa_put_dfa(nulldfa);
+ nulldfa = NULL;
+ error = PTR_ERR(stacksplitdfa);
+ stacksplitdfa = NULL;
+ return error;
+ }
- return error;
+ return 0;
}
void aa_teardown_dfa_engine(void)
{
+ aa_put_dfa(stacksplitdfa);
aa_put_dfa(nulldfa);
- nulldfa = NULL;
}
/**