summaryrefslogtreecommitdiffstats
path: root/security/apparmor
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2018-08-22 02:19:53 +0200
committerJohn Johansen <john.johansen@canonical.com>2018-08-23 03:44:42 +0200
commitc037bd615885f1d9d3bdb48531bace79fae1505d (patch)
tree0c1d606cf7c4de645658b3b9f97bfbbb319442db /security/apparmor
parentapparmor: fix an error code in __aa_create_ns() (diff)
downloadlinux-c037bd615885f1d9d3bdb48531bace79fae1505d.tar.xz
linux-c037bd615885f1d9d3bdb48531bace79fae1505d.zip
apparmor: remove no-op permission check in policy_unpack
The patch 736ec752d95e: "AppArmor: policy routines for loading and unpacking policy" from Jul 29, 2010, leads to the following static checker warning: security/apparmor/policy_unpack.c:410 verify_accept() warn: bitwise AND condition is false here security/apparmor/policy_unpack.c:413 verify_accept() warn: bitwise AND condition is false here security/apparmor/policy_unpack.c 392 #define DFA_VALID_PERM_MASK 0xffffffff 393 #define DFA_VALID_PERM2_MASK 0xffffffff 394 395 /** 396 * verify_accept - verify the accept tables of a dfa 397 * @dfa: dfa to verify accept tables of (NOT NULL) 398 * @flags: flags governing dfa 399 * 400 * Returns: 1 if valid accept tables else 0 if error 401 */ 402 static bool verify_accept(struct aa_dfa *dfa, int flags) 403 { 404 int i; 405 406 /* verify accept permissions */ 407 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { 408 int mode = ACCEPT_TABLE(dfa)[i]; 409 410 if (mode & ~DFA_VALID_PERM_MASK) 411 return 0; 412 413 if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK) 414 return 0; fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor')
-rw-r--r--security/apparmor/policy_unpack.c32
1 files changed, 0 insertions, 32 deletions
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 0e566a01d217..21cb384d712a 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -389,32 +389,6 @@ static int unpack_strdup(struct aa_ext *e, char **string, const char *name)
return res;
}
-#define DFA_VALID_PERM_MASK 0xffffffff
-#define DFA_VALID_PERM2_MASK 0xffffffff
-
-/**
- * verify_accept - verify the accept tables of a dfa
- * @dfa: dfa to verify accept tables of (NOT NULL)
- * @flags: flags governing dfa
- *
- * Returns: 1 if valid accept tables else 0 if error
- */
-static bool verify_accept(struct aa_dfa *dfa, int flags)
-{
- int i;
-
- /* verify accept permissions */
- for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
- int mode = ACCEPT_TABLE(dfa)[i];
-
- if (mode & ~DFA_VALID_PERM_MASK)
- return 0;
-
- if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
- return 0;
- }
- return 1;
-}
/**
* unpack_dfa - unpack a file rule dfa
@@ -445,15 +419,9 @@ static struct aa_dfa *unpack_dfa(struct aa_ext *e)
if (IS_ERR(dfa))
return dfa;
- if (!verify_accept(dfa, flags))
- goto fail;
}
return dfa;
-
-fail:
- aa_put_dfa(dfa);
- return ERR_PTR(-EPROTO);
}
/**