From b5b57993504f91785fa70e002e5e494fb549726e Mon Sep 17 00:00:00 2001 From: Mike Salvatore Date: Sun, 31 May 2020 10:52:06 -0400 Subject: apparmor: compute xmatch permissions on profile load Rather than computing xmatch permissions each time access is requested, these permissions can be computed once on profile load and stored for lookup. Signed-off-by: Mike Salvatore Signed-off-by: John Johansen --- security/apparmor/include/policy.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'security/apparmor/include') diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h index 639b5b248e63..128c6a9430d4 100644 --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h @@ -104,6 +104,7 @@ struct aa_data { * @attach: human readable attachment string * @xmatch: optional extended matching for unconfined executables names * @xmatch_len: xmatch prefix len, used to determine xmatch priority + * @xmatch_perms: precomputed permissions for the xmatch DFA indexed by state * @audit: the auditing mode of the profile * @mode: the enforcement mode of the profile * @path_flags: flags controlling path generation behavior @@ -140,6 +141,7 @@ struct aa_profile { const char *attach; struct aa_dfa *xmatch; unsigned int xmatch_len; + u32 *xmatch_perms; enum audit_mode audit; long mode; u32 path_flags; -- cgit v1.2.3