author | John Johansen <john.johansen@canonical.com> | 2020-11-13 16:30:47 -0800 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2022-10-03 14:49:02 -0700 |
commit | e48ffd24c1d87dba227225615790cd059a707adb (patch) | |
tree | 3778d8db5cc54bad9a8abe60578066b1983a46d8 /security | |
parent | 0310f093ba95e7640c886298de36560c123df5bd (diff) |
apparmor: convert xmatch to use aa_perms structure
Convert xmatch from using perms encoded in the accept entry of the
dfa to the common external aa_perms in a table.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/apparmor/domain.c | 4 | ||||
-rw-r--r-- | security/apparmor/include/policy.h | 3 | ||||
-rw-r--r-- | security/apparmor/policy_unpack.c | 13 |
3 files changed, 13 insertions, 7 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 22351b6d71e6..4fcdcc0de48c 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -339,7 +339,7 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
 /* Check xattr value */
 state = aa_dfa_match_len(profile->xmatch, state, value, size);
- perm = profile->xmatch_perms[state];
+ perm = profile->xmatch_perms[state].allow;
 if (!(perm & MAY_EXEC)) {
 ret = -EINVAL;
 goto out;
@@ -419,7 +419,7 @@ restart:
 state = aa_dfa_leftmatch(profile->xmatch, DFA_START, name, &count);
- perm = profile->xmatch_perms[state];
+ perm = profile->xmatch_perms[state].allow;
 /* any accepting state means a valid match. */
 if (perm & MAY_EXEC) {
 int ret = 0;
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 128c6a9430d4..7882d5e5096b 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -141,7 +141,8 @@ struct aa_profile {
 const char *attach;
 struct aa_dfa *xmatch;
 unsigned int xmatch_len;
- u32 *xmatch_perms;
+ struct aa_perms *xmatch_perms;
+
 enum audit_mode audit;
 long mode;
 u32 path_flags;
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 0f9a88354d63..44910c201c49 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -769,9 +769,9 @@ static struct aa_perms *compute_fperms(struct aa_dfa *dfa)
 return table;
 }
-static u32 *compute_xmatch_perms(struct aa_dfa *xmatch)
+static struct aa_perms *compute_xmatch_perms(struct aa_dfa *xmatch)
 {
- u32 *perms_table;
+ struct aa_perms *perms_table;
 int state;
 int state_count;
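Review bot: The retyped `xmatch_perms` field in struct aa_profile carries no comment saying what indexes it or how it is sized, which matters now that it is a table of structs rather than raw u32 values. From the policy_unpack.c hunks it is allocated with one entry per state of the xmatch DFA and indexed directly by the state returned from aa_dfa_match_len()/aa_dfa_leftmatch() in domain.c, so a one-line field comment such as `struct aa_perms *xmatch_perms;	/* per-state perms, indexed by xmatch DFA state */` would record that contract next to the declaration. Whether the field also has an ownership note elsewhere in the header cannot be seen from this hunk; struct aa_profile begins outside it.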
@@ -779,11 +779,12 @@ static u32 *compute_xmatch_perms(struct aa_dfa *xmatch)
 state_count = xmatch->tables[YYTD_ID_BASE]->td_lolen;
 /* DFAs are restricted from having a state_count of less than 2 */
- perms_table = kvcalloc(state_count, sizeof(u32), GFP_KERNEL);
+ perms_table = kvcalloc(state_count, sizeof(struct aa_perms),
+ GFP_KERNEL);
 /* zero init so skip the trap state (state == 0) */
 for (state = 1; state < state_count; state++)
- perms_table[state] = dfa_user_allow(xmatch, state);
+ perms_table[state].allow = dfa_user_allow(xmatch, state);
 return perms_table;
 }
@@ -855,6 +856,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 profile->xmatch_len = tmp;
 profile->xmatch_perms = compute_xmatch_perms(profile->xmatch);
+ if (!profile->xmatch_perms) {
+ info = "failed to convert xmatch permission table";
+ goto fail;
+ }
 }
 /* disconnected attachment string is optional */ |
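Review bot: `perms_table` is written in the `for` loop immediately after the `kvcalloc()` call with no NULL check, so an allocation failure dereferences a NULL pointer inside compute_xmatch_perms before the caller's new `if (!profile->xmatch_perms)` test in the @@ -855 hunk can ever observe it. The function needs its own guard right after the allocation, `if (!perms_table)` followed by `return NULL;`, after which the caller's `goto fail` path handles the error as intended. Using `sizeof(*perms_table)` instead of `sizeof(struct aa_perms)` would also keep the element size tied to the pointer's type if it changes again. compute_xmatch_perms's declaration lines sit in the previous hunk; only the body's tail is visible here.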