apparmor: convert xmatch to use aa_perms structure

Convert xmatch from using perms encoded in the accept entry of the dfa to the common external aa_perms in a table. Signed-off-by: John Johansen <john.johansen@canonical.com>

apparmor: convert xmatch to use aa_perms structure
Convert xmatch from using perms encoded in the accept entry of the dfa to the common external aa_perms in a table. Signed-off-by: John Johansen <john.johansen@canonical.com>
e48ffd24 · John Johansen · 0310f093 · e48ffd24 · e48ffd24 · e48ffd24
Commit e48ffd24 authored Nov 13, 2020 by John Johansen
Showing with 13 additions and 7 deletions

security/apparmor/domain.c security/apparmor/domain.c +2 -2

security/apparmor/include/policy.h security/apparmor/include/policy.h +2 -1

security/apparmor/policy_unpack.c security/apparmor/policy_unpack.c +9 -4

No files found.
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -339,7 +339,7 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
 			/* Check xattr value */
 			state = aa_dfa_match_len(profile->xmatch, state, value,
 						 size);
-			perm = profile->xmatch_perms[state];
+			perm = profile->xmatch_perms[state].allow;
 			if (!(perm & MAY_EXEC)) {
 				ret = -EINVAL;
 				goto out;
@@ -419,7 +419,7 @@ static struct aa_label *find_attach(const struct linux_binprm *bprm,
 			state = aa_dfa_leftmatch(profile->xmatch, DFA_START,
 						 name, &count);
-			perm = profile->xmatch_perms[state];
+			perm = profile->xmatch_perms[state].allow;
 			/* any accepting state means a valid match. */
 			if (perm & MAY_EXEC) {
 				int ret = 0;

--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -141,7 +141,8 @@ struct aa_profile {
 	const char *attach;
 	struct aa_dfa *xmatch;
 	unsigned int xmatch_len;
-	u32 *xmatch_perms;
+	struct aa_perms *xmatch_perms;
 	enum audit_mode audit;
 	long mode;
 	u32 path_flags;

--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -769,9 +769,9 @@ static struct aa_perms *compute_fperms(struct aa_dfa *dfa)
 	return table;
 }
-static u32 *compute_xmatch_perms(struct aa_dfa *xmatch)
+static struct aa_perms *compute_xmatch_perms(struct aa_dfa *xmatch)
 {
-	u32 *perms_table;
+	struct aa_perms *perms_table;
 	int state;
 	int state_count;
@@ -779,11 +779,12 @@ static u32 *compute_xmatch_perms(struct aa_dfa *xmatch)
 	state_count = xmatch->tables[YYTD_ID_BASE]->td_lolen;
 	/* DFAs are restricted from having a state_count of less than 2 */
-	perms_table = kvcalloc(state_count, sizeof(u32), GFP_KERNEL);
+	  perms_table = kvcalloc(state_count, sizeof(struct aa_perms),
+			       GFP_KERNEL);
 	/* zero init so skip the trap state (state == 0) */
 	for (state = 1; state < state_count; state++)
-		perms_table[state] = dfa_user_allow(xmatch, state);
+		perms_table[state].allow = dfa_user_allow(xmatch, state);
 	return perms_table;
 }
@@ -855,6 +856,10 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 		profile->xmatch_len = tmp;
 		profile->xmatch_perms = compute_xmatch_perms(profile->xmatch);
+		if (!profile->xmatch_perms) {
+			info = "failed to convert xmatch permission table";
+			goto fail;
+		}
 	}
 	/* disconnected attachment string is optional */