apparmor: convert xmatch to use aa_perms structure
authorJohn Johansen <john.johansen@canonical.com>
Sat, 14 Nov 2020 00:30:47 +0000 (16:30 -0800)
committerJohn Johansen <john.johansen@canonical.com>
Mon, 3 Oct 2022 21:49:02 +0000 (14:49 -0700)
Convert xmatch from using perms encoded in the accept entry of the
dfa to the common external aa_perms in a table.

Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/domain.c
security/apparmor/include/policy.h
security/apparmor/policy_unpack.c

index 22351b6d71e657623a65c61b78b8e0e70de1aea1..4fcdcc0de48cc1d8fd99e670f5c9993a64f8f4fd 100644 (file)
@@ -339,7 +339,7 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
                        /* Check xattr value */
                        state = aa_dfa_match_len(profile->xmatch, state, value,
                                                 size);
-                       perm = profile->xmatch_perms[state];
+                       perm = profile->xmatch_perms[state].allow;
                        if (!(perm & MAY_EXEC)) {
                                ret = -EINVAL;
                                goto out;
@@ -419,7 +419,7 @@ restart:
 
                        state = aa_dfa_leftmatch(profile->xmatch, DFA_START,
                                                 name, &count);
-                       perm = profile->xmatch_perms[state];
+                       perm = profile->xmatch_perms[state].allow;
                        /* any accepting state means a valid match. */
                        if (perm & MAY_EXEC) {
                                int ret = 0;
index 128c6a9430d4686af6f6f2c8edaf56ebb50791cb..7882d5e5096b18b170ccb762f93887a583648d00 100644 (file)
@@ -141,7 +141,8 @@ struct aa_profile {
        const char *attach;
        struct aa_dfa *xmatch;
        unsigned int xmatch_len;
-       u32 *xmatch_perms;
+       struct aa_perms *xmatch_perms;
+
        enum audit_mode audit;
        long mode;
        u32 path_flags;
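Review bot: The new `struct aa_perms *xmatch_perms` member has no comment saying what indexes it or how it is sized, even though domain.c dereferences it with a DFA state returned by aa_dfa_match_len()/aa_dfa_leftmatch(). A short trailing comment would make the contract visible at the declaration, e.g. `struct aa_perms *xmatch_perms;	/* per-state perms, indexed by xmatch dfa state */`. The struct aa_profile definition starts and ends outside the hunk.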
index 0f9a88354d6399bedc59410ca1f37f4cda62f161..44910c201c49251dbc45345fcf81b44d4a19592c 100644 (file)
@@ -769,9 +769,9 @@ static struct aa_perms *compute_fperms(struct aa_dfa *dfa)
        return table;
 }
 
-static u32 *compute_xmatch_perms(struct aa_dfa *xmatch)
+static struct aa_perms *compute_xmatch_perms(struct aa_dfa *xmatch)
 {
-       u32 *perms_table;
+       struct aa_perms *perms_table;
        int state;
        int state_count;
 
@@ -779,11 +779,12 @@ static u32 *compute_xmatch_perms(struct aa_dfa *xmatch)
 
        state_count = xmatch->tables[YYTD_ID_BASE]->td_lolen;
        /* DFAs are restricted from having a state_count of less than 2 */
-       perms_table = kvcalloc(state_count, sizeof(u32), GFP_KERNEL);
+         perms_table = kvcalloc(state_count, sizeof(struct aa_perms),
+                              GFP_KERNEL);
 
        /* zero init so skip the trap state (state == 0) */
        for (state = 1; state < state_count; state++)
-               perms_table[state] = dfa_user_allow(xmatch, state);
+               perms_table[state].allow = dfa_user_allow(xmatch, state);
 
        return perms_table;
 }
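Review bot: `perms_table` is dereferenced in the loop (`perms_table[state].allow = ...`) right after the kvcalloc() with no NULL check, so an allocation failure faults inside compute_xmatch_perms() before the `if (!profile->xmatch_perms)` check this commit adds in unpack_profile() can ever observe a NULL return; add `if (!perms_table) return NULL;` directly after the allocation. Separately, the new kvcalloc() line is indented with spaces rather than the tab used by the surrounding lines, and `sizeof(*perms_table)` would keep the element size tied to the table's declared type if it changes again. The function's opening lines are in the preceding hunk.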
@@ -855,6 +856,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
                profile->xmatch_len = tmp;
 
                profile->xmatch_perms = compute_xmatch_perms(profile->xmatch);
+               if (!profile->xmatch_perms) {
+                       info = "failed to convert xmatch permission table";
+                       goto fail;
+               }
        }
 
        /* disconnected attachment string is optional */