Commit ec6851ae authored by John Johansen's avatar John Johansen

apparmor: fix: kzalloc perms tables for shared dfas

Currently the permstables of the shared dfas are not shared, and need
to be allocated and copied. In the future this should be addressed
with a larger rework on dfa and pdb ref counts and structure sharing.

BugLink: http://bugs.launchpad.net/bugs/2017903
Fixes: 217af7e2 ("apparmor: refactor profile rules and attachments")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
Reviewed-by: default avatarJon Tourville <jontourville@me.com>
parent 6f442d42
...@@ -589,7 +589,15 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name, ...@@ -589,7 +589,15 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
profile->label.flags |= FLAG_NULL; profile->label.flags |= FLAG_NULL;
rules = list_first_entry(&profile->rules, typeof(*rules), list); rules = list_first_entry(&profile->rules, typeof(*rules), list);
rules->file.dfa = aa_get_dfa(nulldfa); rules->file.dfa = aa_get_dfa(nulldfa);
rules->file.perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL);
if (!rules->file.perms)
goto fail;
rules->file.size = 2;
rules->policy.dfa = aa_get_dfa(nulldfa); rules->policy.dfa = aa_get_dfa(nulldfa);
rules->policy.perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL);
if (!rules->policy.perms)
goto fail;
rules->policy.size = 2;
if (parent) { if (parent) {
profile->path_flags = parent->path_flags; profile->path_flags = parent->path_flags;
...@@ -600,6 +608,11 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name, ...@@ -600,6 +608,11 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
} }
return profile; return profile;
fail:
aa_free_profile(profile);
return NULL;
} }
/** /**
......
...@@ -982,9 +982,14 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) ...@@ -982,9 +982,14 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
goto fail; goto fail;
} }
} }
} else } else {
rules->policy.dfa = aa_get_dfa(nulldfa); rules->policy.dfa = aa_get_dfa(nulldfa);
rules->policy.perms = kcalloc(2, sizeof(struct aa_perms),
GFP_KERNEL);
if (!rules->policy.perms)
goto fail;
rules->policy.size = 2;
}
/* get file rules */ /* get file rules */
error = unpack_pdb(e, &rules->file, false, true, &info); error = unpack_pdb(e, &rules->file, false, true, &info);
if (error) { if (error) {
...@@ -1001,9 +1006,22 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) ...@@ -1001,9 +1006,22 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
rules->policy.start[AA_CLASS_FILE]) { rules->policy.start[AA_CLASS_FILE]) {
rules->file.dfa = aa_get_dfa(rules->policy.dfa); rules->file.dfa = aa_get_dfa(rules->policy.dfa);
rules->file.start[AA_CLASS_FILE] = rules->policy.start[AA_CLASS_FILE]; rules->file.start[AA_CLASS_FILE] = rules->policy.start[AA_CLASS_FILE];
} else rules->file.perms = kcalloc(rules->policy.size,
sizeof(struct aa_perms),
GFP_KERNEL);
if (!rules->file.perms)
goto fail;
memcpy(rules->file.perms, rules->policy.perms,
rules->policy.size * sizeof(struct aa_perms));
rules->file.size = rules->policy.size;
} else {
rules->file.dfa = aa_get_dfa(nulldfa); rules->file.dfa = aa_get_dfa(nulldfa);
rules->file.perms = kcalloc(2, sizeof(struct aa_perms),
GFP_KERNEL);
if (!rules->file.perms)
goto fail;
rules->file.size = 2;
}
error = -EPROTO; error = -EPROTO;
if (aa_unpack_nameX(e, AA_STRUCT, "data")) { if (aa_unpack_nameX(e, AA_STRUCT, "data")) {
info = "out of memory"; info = "out of memory";
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment