authorJohn Johansen <john.johansen@canonical.com>2020-11-14 01:30:47 +0100
committerJohn Johansen <john.johansen@canonical.com>2022-10-03 23:49:02 +0200
commite48ffd24c1d87dba227225615790cd059a707adb (patch)
tree3778d8db5cc54bad9a8abe60578066b1983a46d8 /security
parentapparmor: rework and cleanup fperm computation (diff)
apparmor: convert xmatch to use aa_perms structure
Convert xmatch from using permissions encoded in the accept entries of the dfa to the common external aa_perms structure, stored in a table indexed by dfa state. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/domain.c4
-rw-r--r--security/apparmor/include/policy.h3
-rw-r--r--security/apparmor/policy_unpack.c13
3 files changed, 13 insertions, 7 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 22351b6d71e6..4fcdcc0de48c 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -339,7 +339,7 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
/* Check xattr value */
state = aa_dfa_match_len(profile->xmatch, state, value,
size);
- perm = profile->xmatch_perms[state];
+ perm = profile->xmatch_perms[state].allow;
if (!(perm & MAY_EXEC)) {
ret = -EINVAL;
goto out;
@@ -419,7 +419,7 @@ restart:
state = aa_dfa_leftmatch(profile->xmatch, DFA_START,
name, &count);
- perm = profile->xmatch_perms[state];
+ perm = profile->xmatch_perms[state].allow;
/* any accepting state means a valid match. */
if (perm & MAY_EXEC) {
int ret = 0;
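Review bot: The comment `/* any accepting state means a valid match. */` still describes the old encoding, where the permission bits were read straight from the dfa accept entry; after this change the decision is made on the allow field of the table entry for the matched state, so the comment should say what the test actually checks, e.g. `/* MAY_EXEC in the state's table entry means the name reached an accepting state. */`. The enclosing function starts before and continues after the hunk.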
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 128c6a9430d4..7882d5e5096b 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -141,7 +141,8 @@ struct aa_profile {
const char *attach;
struct aa_dfa *xmatch;
unsigned int xmatch_len;
- u32 *xmatch_perms;
+ struct aa_perms *xmatch_perms;
+
enum audit_mode audit;
long mode;
u32 path_flags;
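Review bot: The type of `xmatch_perms` changes here but the kernel-doc block for struct aa_profile, which sits above the hunk, is not touched; if it lists the member it should now read `@xmatch_perms: table of aa_perms indexed by xmatch dfa state (one entry per state)`, and if it does not, this is the change that should add it. The struct definition begins before and ends after the hunk.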
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 0f9a88354d63..44910c201c49 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -769,9 +769,9 @@ static struct aa_perms *compute_fperms(struct aa_dfa *dfa)
return table;
}
-static u32 *compute_xmatch_perms(struct aa_dfa *xmatch)
+static struct aa_perms *compute_xmatch_perms(struct aa_dfa *xmatch)
{
- u32 *perms_table;
+ struct aa_perms *perms_table;
int state;
int state_count;
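Review bot: compute_xmatch_perms() has no kernel-doc even though its return contract is what this commit changes, and the new caller in unpack_profile treats a NULL result as an allocation failure, so that contract should be stated. Suggest above the signature: `/** compute_xmatch_perms - build an aa_perms table indexed by xmatch dfa state`, `@xmatch: dfa whose accept-state perms are converted (NOT NULL)`, `Returns: kvcalloc'd table with one entry per dfa state, or NULL on allocation failure`. The body of the function continues in the following hunk.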
@@ -779,11 +779,12 @@ static u32 *compute_xmatch_perms(struct aa_dfa *xmatch)
state_count = xmatch->tables[YYTD_ID_BASE]->td_lolen;
/* DFAs are restricted from having a state_count of less than 2 */
- perms_table = kvcalloc(state_count, sizeof(u32), GFP_KERNEL);
+ perms_table = kvcalloc(state_count, sizeof(struct aa_perms),
+ GFP_KERNEL);
/* zero init so skip the trap state (state == 0) */
for (state = 1; state < state_count; state++)
- perms_table[state] = dfa_user_allow(xmatch, state);
+ perms_table[state].allow = dfa_user_allow(xmatch, state);
return perms_table;
}
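Review bot: The kvcalloc() result on the new line `perms_table = kvcalloc(state_count, sizeof(struct aa_perms), GFP_KERNEL);` is written through in the loop before anyone checks it, so an allocation failure dereferences NULL at `perms_table[state].allow = dfa_user_allow(xmatch, state);` instead of reaching the `if (!profile->xmatch_perms)` check this same commit adds in unpack_profile. Add `if (!perms_table) return NULL;` directly after the allocation, before the loop. Only the `.allow` member is populated here; the remaining aa_perms fields rely on kvcalloc's zeroing now that each entry is a struct, which the comment above the loop should say, e.g. `/* kvcalloc zeroed the table: the trap state (0) and every non-allow field stay 0 */`.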
@@ -855,6 +856,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
profile->xmatch_len = tmp;
profile->xmatch_perms = compute_xmatch_perms(profile->xmatch);
+ if (!profile->xmatch_perms) {
+ info = "failed to convert xmatch permission table";
+ goto fail;
+ }
}
/* disconnected attachment string is optional */