diff options
author | John Johansen <john.johansen@canonical.com> | 2017-09-06 23:57:59 +0200 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2018-02-09 20:30:01 +0100 |
commit | 6e0654d20ed9679cbf75a0ff7cd786e364f7f09a (patch) | |
tree | 9c15e28e85b9cc66984e3a6fdb7101a2ae2b0a58 /security/apparmor/match.c | |
parent | apparmor: add first substr match to dfa (diff) | |
download | linux-6e0654d20ed9679cbf75a0ff7cd786e364f7f09a.tar.xz linux-6e0654d20ed9679cbf75a0ff7cd786e364f7f09a.zip |
apparmor: use the dfa to do label parse string splitting
The current split scheme is actually wrong in that it splits
///&
where that is invalid and should fail. Use the dfa to do a proper
bounded split without having to worry about getting the string
processing right in code.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Diffstat (limited to 'security/apparmor/match.c')
-rw-r--r-- | security/apparmor/match.c | 29 |
1 files changed, 23 insertions, 6 deletions
diff --git a/security/apparmor/match.c b/security/apparmor/match.c index 6c6dc1a22f9a..5d95caeddebc 100644 --- a/security/apparmor/match.c +++ b/security/apparmor/match.c @@ -30,6 +30,11 @@ static char nulldfa_src[] = { }; struct aa_dfa *nulldfa; +static char stacksplitdfa_src[] = { + #include "stacksplitdfa.in" +}; +struct aa_dfa *stacksplitdfa; + int aa_setup_dfa_engine(void) { int error; @@ -37,19 +42,31 @@ int aa_setup_dfa_engine(void) nulldfa = aa_dfa_unpack(nulldfa_src, sizeof(nulldfa_src), TO_ACCEPT1_FLAG(YYTD_DATA32) | TO_ACCEPT2_FLAG(YYTD_DATA32)); - if (!IS_ERR(nulldfa)) - return 0; + if (IS_ERR(nulldfa)) { + error = PTR_ERR(nulldfa); + nulldfa = NULL; + return error; + } - error = PTR_ERR(nulldfa); - nulldfa = NULL; + stacksplitdfa = aa_dfa_unpack(stacksplitdfa_src, + sizeof(stacksplitdfa_src), + TO_ACCEPT1_FLAG(YYTD_DATA32) | + TO_ACCEPT2_FLAG(YYTD_DATA32)); + if (IS_ERR(stacksplitdfa)) { + aa_put_dfa(nulldfa); + nulldfa = NULL; + error = PTR_ERR(stacksplitdfa); + stacksplitdfa = NULL; + return error; + } - return error; + return 0; } void aa_teardown_dfa_engine(void) { + aa_put_dfa(stacksplitdfa); aa_put_dfa(nulldfa); - nulldfa = NULL; } /** |