diff options
| author | John Johansen <john.johansen@canonical.com> | 2020-11-13 23:36:09 -0800 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2022-10-03 14:49:03 -0700 |
| commit | 2d63dd43ae334ec6f5374d37bb06c4cc57621b3c (patch) | |
| tree | bf5ae11e7fe1defc13ee08b121b80e2bba377bce | |
| parent | 7572fea31e3e5c4c19154ccc064eb1f83dfe1333 (diff) | |
| download | linux-2d63dd43ae334ec6f5374d37bb06c4cc57621b3c.tar.bz2 | |
apparmor: convert xmatch lookup to use accept as an index
Remap xmatch dfa accept table from embedded perms to an index and then
move xmatch lookup to use accept entry to index into the xmatch table.
This is step towards unifying permission lookup and reducing the
size of permissions tables.
Signed-off-by: John Johansen <john.johansen@canonical.com>
| -rw-r--r-- | security/apparmor/domain.c | 10 | ||||
| -rw-r--r-- | security/apparmor/policy_unpack.c | 1 |
2 files changed, 7 insertions, 4 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 0df17fb236c7..45a8887021f1 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -328,7 +328,7 @@ static int aa_xattrs_match(const struct linux_binprm *bprm, size = vfs_getxattr_alloc(&init_user_ns, d, profile->xattrs[i], &value, value_size, GFP_KERNEL); if (size >= 0) { - u32 perm; + u32 index, perm; /* * Check the xattr presence before value. This ensure @@ -340,7 +340,8 @@ static int aa_xattrs_match(const struct linux_binprm *bprm, /* Check xattr value */ state = aa_dfa_match_len(profile->xmatch.dfa, state, value, size); - perm = profile->xmatch.perms[state].allow; + index = ACCEPT_TABLE(profile->xmatch.dfa)[state]; + perm = profile->xmatch.perms[index].allow; if (!(perm & MAY_EXEC)) { ret = -EINVAL; goto out; @@ -416,12 +417,13 @@ restart: */ if (profile->xmatch.dfa) { unsigned int state, count; - u32 perm; + u32 index, perm; state = aa_dfa_leftmatch(profile->xmatch.dfa, profile->xmatch.start[AA_CLASS_XMATCH], name, &count); - perm = profile->xmatch.perms[state].allow; + index = ACCEPT_TABLE(profile->xmatch.dfa)[state]; + perm = profile->xmatch.perms[index].allow; /* any accepting state means a valid match. */ if (perm & MAY_EXEC) { int ret = 0; diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index 4cf62c1be388..4cdc96988783 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -930,6 +930,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) info = "failed to convert xmatch permission table"; goto fail; } + remap_dfa_accept(profile->xmatch.dfa, 1); } /* disconnected attachment string is optional */ |