authorJohn Johansen <john.johansen@canonical.com>2017-01-16 09:42:42 +0100
committerJohn Johansen <john.johansen@canonical.com>2017-01-16 10:18:34 +0100
commit11c236b89d7c26d58c55d5613a858600a4d2ab3a (patch)
tree591f879c7a4491b17a03391343fc3c0a98bb7165 /security/apparmor/policy_unpack.c
parentapparmor: allow policydb to be used as the file dfa (diff)
apparmor: add a default null dfa
Instead of testing whether a given dfa exists in every code path, have a default null dfa that is used when loaded policy doesn't provide a dfa. This will let us get rid of special casing and avoid dereference bugs when special casing is missed. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/policy_unpack.c')
-rw-r--r--security/apparmor/policy_unpack.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 7160addb11be..51a7f9fc8a3e 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -603,7 +603,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
}
if (!unpack_nameX(e, AA_STRUCTEND, NULL))
goto fail;
- }
+ } else
+ profile->policy.dfa = aa_get_dfa(nulldfa);
/* get file rules */
profile->file.dfa = unpack_dfa(e);
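Review bot: The added `} else` that closes the policydb block leaves its single statement unbraced while the `if` side is braced; kernel coding style asks for braces on both branches when either needs them, so `} else {` / `profile->policy.dfa = aa_get_dfa(nulldfa);` / `}` is the safer form, and the same applies to the `} else` added in the second hunk. A short comment such as `/* no policydb in the blob: hold a reference on the shared nulldfa so policy.dfa is never NULL */` would record the invariant the commit message relies on. The result of `aa_get_dfa(nulldfa)` is not checked, so the guarantee presumably depends on `nulldfa` being set up before any policy can be loaded; that setup is not part of this file-limited diff and is worth confirming. The enclosing `if` and the body of unpack_profile() start outside the hunk.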
@@ -619,7 +620,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
profile->policy.start[AA_CLASS_FILE]) {
profile->file.dfa = aa_get_dfa(profile->policy.dfa);
profile->file.start = profile->policy.start[AA_CLASS_FILE];
- }
+ } else
+ profile->file.dfa = aa_get_dfa(nulldfa);
if (!unpack_trans_table(e, profile))
goto fail;
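Review bot: The test at the top of this hunk reads `profile->policy.start[AA_CLASS_FILE]`, but the null-dfa branch added in the first hunk assigns only `policy.dfa` and never the `start[]` array. Choosing between the policydb dfa and `nulldfa` here therefore depends on the profile having been zero-initialised at allocation, which this diff does not show. A comment on the new branch would make that explicit, for example `/* policy.start[] stays zero when no policydb was unpacked, so fall back to nulldfa */`. Since `file.dfa` may now alias the shared `nulldfa`, it is also worth confirming that the `fail` path and profile teardown release it through the matching put and never free it directly. The condition and the if/else chain begin above the hunk.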