Commit 048d4954 authored by John Johansen's avatar John Johansen

apparmor: convert xmatch to using the new shared policydb struct

continue permission unification by converting xmatch to use the
policydb struct that is used by the other profile dfas.
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 53bdc46f
......@@ -1095,7 +1095,7 @@ static int seq_profile_attach_show(struct seq_file *seq, void *v)
struct aa_profile *profile = labels_profile(label);
if (profile->attach)
seq_printf(seq, "%s\n", profile->attach);
else if (profile->xmatch)
else if (profile->xmatch.dfa)
seq_puts(seq, "<unknown>\n");
else
seq_printf(seq, "%s\n", profile->base.name);
......
......@@ -321,7 +321,7 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
might_sleep();
/* transition from exec match to xattr set */
state = aa_dfa_outofband_transition(profile->xmatch, state);
state = aa_dfa_outofband_transition(profile->xmatch.dfa, state);
d = bprm->file->f_path.dentry;
for (i = 0; i < profile->xattr_count; i++) {
......@@ -335,18 +335,19 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
* that not present xattr can be distinguished from a 0
* length value or rule that matches any value
*/
state = aa_dfa_null_transition(profile->xmatch, state);
state = aa_dfa_null_transition(profile->xmatch.dfa,
state);
/* Check xattr value */
state = aa_dfa_match_len(profile->xmatch, state, value,
size);
perm = profile->xmatch_perms[state].allow;
state = aa_dfa_match_len(profile->xmatch.dfa, state,
value, size);
perm = profile->xmatch.perms[state].allow;
if (!(perm & MAY_EXEC)) {
ret = -EINVAL;
goto out;
}
}
/* transition to next element */
state = aa_dfa_outofband_transition(profile->xmatch, state);
state = aa_dfa_outofband_transition(profile->xmatch.dfa, state);
if (size < 0) {
/*
* No xattr match, so verify if transition to
......@@ -413,13 +414,14 @@ static struct aa_label *find_attach(const struct linux_binprm *bprm,
* as another profile, signal a conflict and refuse to
* match.
*/
if (profile->xmatch) {
if (profile->xmatch.dfa) {
unsigned int state, count;
u32 perm;
state = aa_dfa_leftmatch(profile->xmatch, DFA_START,
state = aa_dfa_leftmatch(profile->xmatch.dfa,
profile->xmatch.start[AA_CLASS_XMATCH],
name, &count);
perm = profile->xmatch_perms[state].allow;
perm = profile->xmatch.perms[state].allow;
/* any accepting state means a valid match. */
if (perm & MAY_EXEC) {
int ret = 0;
......
......@@ -26,6 +26,7 @@
#define AA_CLASS_MOUNT 7
#define AA_CLASS_PTRACE 9
#define AA_CLASS_SIGNAL 10
#define AA_CLASS_XMATCH 11
#define AA_CLASS_NET 14
#define AA_CLASS_LABEL 16
#define AA_CLASS_POSIX_MQUEUE 17
......
......@@ -113,7 +113,6 @@ struct aa_data {
* @attach: human readable attachment string
* @xmatch: optional extended matching for unconfined executables names
* @xmatch_len: xmatch prefix len, used to determine xmatch priority
* @xmatch_perms: precomputed permissions for the xmatch DFA indexed by state
* @audit: the auditing mode of the profile
* @mode: the enforcement mode of the profile
* @path_flags: flags controlling path generation behavior
......@@ -148,9 +147,8 @@ struct aa_profile {
const char *rename;
const char *attach;
struct aa_dfa *xmatch;
struct aa_policydb xmatch;
unsigned int xmatch_len;
struct aa_perms *xmatch_perms;
enum audit_mode audit;
long mode;
......
......@@ -230,8 +230,7 @@ void aa_free_profile(struct aa_profile *profile)
kfree_sensitive(profile->secmark[i].label);
kfree_sensitive(profile->secmark);
kfree_sensitive(profile->dirname);
aa_put_dfa(profile->xmatch);
kvfree(profile->xmatch_perms);
aa_destroy_policydb(&profile->xmatch);
aa_destroy_policydb(&profile->policy);
if (profile->data) {
rht = profile->data;
......
......@@ -771,7 +771,7 @@ static struct aa_perms *compute_fperms(struct aa_dfa *dfa)
static struct aa_perms *compute_xmatch_perms(struct aa_dfa *xmatch)
{
struct aa_perms *perms_table;
struct aa_perms *perms;
int state;
int state_count;
......@@ -779,14 +779,13 @@ static struct aa_perms *compute_xmatch_perms(struct aa_dfa *xmatch)
state_count = xmatch->tables[YYTD_ID_BASE]->td_lolen;
/* DFAs are restricted from having a state_count of less than 2 */
perms_table = kvcalloc(state_count, sizeof(struct aa_perms),
GFP_KERNEL);
perms = kvcalloc(state_count, sizeof(struct aa_perms), GFP_KERNEL);
/* zero init so skip the trap state (state == 0) */
for (state = 1; state < state_count; state++)
perms_table[state].allow = dfa_user_allow(xmatch, state);
perms[state].allow = dfa_user_allow(xmatch, state);
return perms_table;
return perms;
}
static u32 map_other(u32 x)
......@@ -888,23 +887,23 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
(void) unpack_str(e, &profile->attach, "attach");
/* xmatch is optional and may be NULL */
profile->xmatch = unpack_dfa(e);
if (IS_ERR(profile->xmatch)) {
error = PTR_ERR(profile->xmatch);
profile->xmatch = NULL;
profile->xmatch.dfa = unpack_dfa(e);
if (IS_ERR(profile->xmatch.dfa)) {
error = PTR_ERR(profile->xmatch.dfa);
profile->xmatch.dfa = NULL;
info = "bad xmatch";
goto fail;
}
/* neither xmatch_len not xmatch_perms are optional if xmatch is set */
if (profile->xmatch) {
if (profile->xmatch.dfa) {
if (!unpack_u32(e, &tmp, NULL)) {
info = "missing xmatch len";
goto fail;
}
profile->xmatch_len = tmp;
profile->xmatch_perms = compute_xmatch_perms(profile->xmatch);
if (!profile->xmatch_perms) {
profile->xmatch.start[AA_CLASS_XMATCH] = DFA_START;
profile->xmatch.perms = compute_xmatch_perms(profile->xmatch.dfa);
if (!profile->xmatch.perms) {
info = "failed to convert xmatch permission table";
goto fail;
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment