From 2d63dd43ae334ec6f5374d37bb06c4cc57621b3c Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Fri, 13 Nov 2020 23:36:09 -0800
Subject: [PATCH] apparmor: convert xmatch lookup to use accept as an index

Remap xmatch dfa accept table from embedded perms to an index and then move xmatch lookup to use accept entry to index into the xmatch table. This is step towards unifying permission lookup and reducing the size of permissions tables.

Signed-off-by: John Johansen
---
 security/apparmor/domain.c        | 10 ++++++----
 security/apparmor/policy_unpack.c |  1 +
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 0df17fb236c78..45a8887021f10 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -328,7 +328,7 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
 		size = vfs_getxattr_alloc(&init_user_ns, d, profile->xattrs[i],
 					  &value, value_size, GFP_KERNEL);
 		if (size >= 0) {
-			u32 perm;
+			u32 index, perm;
 
 			/*
 			 * Check the xattr presence before value. This ensure
@@ -340,7 +340,8 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
 			/* Check xattr value */
 			state = aa_dfa_match_len(profile->xmatch.dfa, state,
 						 value, size);
-			perm = profile->xmatch.perms[state].allow;
+			index = ACCEPT_TABLE(profile->xmatch.dfa)[state];
+			perm = profile->xmatch.perms[index].allow;
 			if (!(perm & MAY_EXEC)) {
 				ret = -EINVAL;
 				goto out;
@@ -416,12 +417,13 @@ restart:
 		 */
 		if (profile->xmatch.dfa) {
 			unsigned int state, count;
-			u32 perm;
+			u32 index, perm;
 
 			state = aa_dfa_leftmatch(profile->xmatch.dfa,
 						 profile->xmatch.start[AA_CLASS_XMATCH],
 						 name, &count);
-			perm = profile->xmatch.perms[state].allow;
+			index = ACCEPT_TABLE(profile->xmatch.dfa)[state];
+			perm = profile->xmatch.perms[index].allow;
 			/* any accepting state means a valid match. */
 			if (perm & MAY_EXEC) {
 				int ret = 0;
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 4cf62c1be388f..4cdc969887832 100644
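Review bot: In the `@@ -340` hunk `index` is read from `ACCEPT_TABLE(profile->xmatch.dfa)[state]` and used straight away to subscript `profile->xmatch.perms`, with no check that it is below the size of the perms table; the `@@ -416` hunk does the same. Both the accept table and the perms table come from loaded policy, so this lookup is only memory-safe if the unpack path guarantees that every accept entry of an xmatch dfa is a valid index into the converted perms table, and that guarantee is not visible in this patch. If `remap_dfa_accept()` is what establishes it, record the invariant at the first use, e.g. `/* accept entries were remapped at unpack time to index xmatch.perms */`; if it does not, reject out-of-range entries at unpack (comparing each accept value against the perms table length, whose field name is not visible here) rather than at lookup time, since a malformed policy should fail to load instead of reading past the table. aa_xattrs_match() continues outside the hunk, and the enclosing function of the `@@ -416` hunk starts above it (only the `restart:` label is visible).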
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -930,6 +930,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 			info = "failed to convert xmatch permission table";
 			goto fail;
 		}
+		remap_dfa_accept(profile->xmatch.dfa, 1);
 	}
 
 	/* disconnected attachment string is optional */
-- 
2.39.5
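Review bot: `remap_dfa_accept(profile->xmatch.dfa, 1);` is added with a bare `1` and no comment explaining what the factor means or why the remap must follow the perms conversion; the new lookups in domain.c now assume every xmatch dfa has been remapped, so the dependency should be stated where it is created, e.g. `/* domain.c indexes xmatch.perms by accept entry; remap accept values to indices now that the perms table is converted */`. The enclosing block starts outside the hunk, so it cannot be confirmed here that this call sits on every path that leaves `profile->xmatch.perms` populated; if there is an unpack path that does not reach it, the lookups would use unremapped accept values as indices. If remap_dfa_accept() reports failure through a return value, that result is discarded here.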