aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2017-09-06 17:57:59 -0400
committerJohn Johansen <john.johansen@canonical.com>2018-02-09 14:30:01 -0500
commit6e0654d20ed9679cbf75a0ff7cd786e364f7f09a (patch)
tree9c15e28e85b9cc66984e3a6fdb7101a2ae2b0a58
parentcf65fabc2a2c8c12031678d86a2bd4a660865011 (diff)
apparmor: use the dfa to do label parse string splitting
The current split scheme is actually wrong in that it splits ///& where that is invalid and should fail. Use the dfa to do a proper bounded split without having to worry about getting the string processing right in code. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
Diffstat
-rw-r--r--security/apparmor/include/label.h25
-rw-r--r--security/apparmor/include/match.h1
-rw-r--r--security/apparmor/label.c12
-rw-r--r--security/apparmor/match.c29
-rw-r--r--security/apparmor/stacksplitdfa.in114
5 files changed, 170 insertions, 11 deletions
diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
index af22dcbbcb8a..80e9ba9d172c 100644
--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -330,6 +330,31 @@ void aa_label_printk(struct aa_label *label, gfp_t gfp);
330struct aa_label *aa_label_parse(struct aa_label *base, const char *str, 330struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
331 gfp_t gfp, bool create, bool force_stack); 331 gfp_t gfp, bool create, bool force_stack);
332 332
333static inline const char *aa_label_strn_split(const char *str, int n)
334{
335 const char *pos;
336 unsigned int state;
337
338 state = aa_dfa_matchn_until(stacksplitdfa, DFA_START, str, n, &pos);
339 if (!ACCEPT_TABLE(stacksplitdfa)[state])
340 return NULL;
341
342 return pos - 3;
343}
344
345static inline const char *aa_label_str_split(const char *str)
346{
347 const char *pos;
348 unsigned int state;
349
350 state = aa_dfa_match_until(stacksplitdfa, DFA_START, str, &pos);
351 if (!ACCEPT_TABLE(stacksplitdfa)[state])
352 return NULL;
353
354 return pos - 3;
355}
356
357
333 358
334struct aa_perms; 359struct aa_perms;
335int aa_label_match(struct aa_profile *profile, struct aa_label *label, 360int aa_label_match(struct aa_profile *profile, struct aa_label *label,
diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
index 72b9b89670e6..cd8aeab6ac57 100644
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -101,6 +101,7 @@ struct aa_dfa {
101}; 101};
102 102
103extern struct aa_dfa *nulldfa; 103extern struct aa_dfa *nulldfa;
104extern struct aa_dfa *stacksplitdfa;
104 105
105#define byte_to_byte(X) (X) 106#define byte_to_byte(X) (X)
106 107
diff --git a/security/apparmor/label.c b/security/apparmor/label.c
index 324fe5c60f87..31e2f701d971 100644
--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@@ -1815,7 +1815,9 @@ static int label_count_str_entries(const char *str)
1815 1815
1816 AA_BUG(!str); 1816 AA_BUG(!str);
1817 1817
1818 for (split = strstr(str, "//&"); split; split = strstr(str, "//&")) { 1818 for (split = aa_label_str_split(str);
1819 split;
1820 split = aa_label_str_split(str)) {
1819 count++; 1821 count++;
1820 str = split + 3; 1822 str = split + 3;
1821 } 1823 }
@@ -1859,7 +1861,7 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
1859 DEFINE_VEC(profile, vec); 1861 DEFINE_VEC(profile, vec);
1860 struct aa_label *label, *currbase = base; 1862 struct aa_label *label, *currbase = base;
1861 int i, len, stack = 0, error; 1863 int i, len, stack = 0, error;
1862 char *split; 1864 const char *split;
1863 1865
1864 AA_BUG(!base); 1866 AA_BUG(!base);
1865 AA_BUG(!str); 1867 AA_BUG(!str);
@@ -1883,7 +1885,8 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
1883 for (i = 0; i < stack; i++) 1885 for (i = 0; i < stack; i++)
1884 vec[i] = aa_get_profile(base->vec[i]); 1886 vec[i] = aa_get_profile(base->vec[i]);
1885 1887
1886 for (split = strstr(str, "//&"), i = stack; split && i < len; i++) { 1888 for (split = aa_label_str_split(str), i = stack;
1889 split && i < len; i++) {
1887 vec[i] = fqlookupn_profile(base, currbase, str, split - str); 1890 vec[i] = fqlookupn_profile(base, currbase, str, split - str);
1888 if (!vec[i]) 1891 if (!vec[i])
1889 goto fail; 1892 goto fail;
@@ -1894,7 +1897,7 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
1894 if (vec[i]->ns != labels_ns(currbase)) 1897 if (vec[i]->ns != labels_ns(currbase))
1895 currbase = &vec[i]->label; 1898 currbase = &vec[i]->label;
1896 str = split + 3; 1899 str = split + 3;
1897 split = strstr(str, "//&"); 1900 split = aa_label_str_split(str);
1898 } 1901 }
1899 /* last element doesn't have a split */ 1902 /* last element doesn't have a split */
1900 if (i < len) { 1903 if (i < len) {
@@ -1930,7 +1933,6 @@ fail:
1930 goto out; 1933 goto out;
1931} 1934}
1932 1935
1933
1934/** 1936/**
1935 * aa_labelset_destroy - remove all labels from the label set 1937 * aa_labelset_destroy - remove all labels from the label set
1936 * @ls: label set to cleanup (NOT NULL) 1938 * @ls: label set to cleanup (NOT NULL)
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 6c6dc1a22f9a..5d95caeddebc 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -30,6 +30,11 @@ static char nulldfa_src[] = {
30}; 30};
31struct aa_dfa *nulldfa; 31struct aa_dfa *nulldfa;
32 32
33static char stacksplitdfa_src[] = {
34 #include "stacksplitdfa.in"
35};
36struct aa_dfa *stacksplitdfa;
37
33int aa_setup_dfa_engine(void) 38int aa_setup_dfa_engine(void)
34{ 39{
35 int error; 40 int error;
@@ -37,19 +42,31 @@ int aa_setup_dfa_engine(void)
37 nulldfa = aa_dfa_unpack(nulldfa_src, sizeof(nulldfa_src), 42 nulldfa = aa_dfa_unpack(nulldfa_src, sizeof(nulldfa_src),
38 TO_ACCEPT1_FLAG(YYTD_DATA32) | 43 TO_ACCEPT1_FLAG(YYTD_DATA32) |
39 TO_ACCEPT2_FLAG(YYTD_DATA32)); 44 TO_ACCEPT2_FLAG(YYTD_DATA32));
40 if (!IS_ERR(nulldfa)) 45 if (IS_ERR(nulldfa)) {
41 return 0; 46 error = PTR_ERR(nulldfa);
47 nulldfa = NULL;
48 return error;
49 }
42 50
43 error = PTR_ERR(nulldfa); 51 stacksplitdfa = aa_dfa_unpack(stacksplitdfa_src,
44 nulldfa = NULL; 52 sizeof(stacksplitdfa_src),
53 TO_ACCEPT1_FLAG(YYTD_DATA32) |
54 TO_ACCEPT2_FLAG(YYTD_DATA32));
55 if (IS_ERR(stacksplitdfa)) {
56 aa_put_dfa(nulldfa);
57 nulldfa = NULL;
58 error = PTR_ERR(stacksplitdfa);
59 stacksplitdfa = NULL;
60 return error;
61 }
45 62
46 return error; 63 return 0;
47} 64}
48 65
49void aa_teardown_dfa_engine(void) 66void aa_teardown_dfa_engine(void)
50{ 67{
68 aa_put_dfa(stacksplitdfa);
51 aa_put_dfa(nulldfa); 69 aa_put_dfa(nulldfa);
52 nulldfa = NULL;
53} 70}
54 71
55/** 72/**
diff --git a/security/apparmor/stacksplitdfa.in b/security/apparmor/stacksplitdfa.in
new file mode 100644
index 000000000000..4bddd10b62a9
--- /dev/null
+++ b/security/apparmor/stacksplitdfa.in
@@ -0,0 +1,114 @@
1/* 0x1 [^\000]*[^/\000]//& */ 0x1B, 0x5E, 0x78, 0x3D, 0x00, 0x00,
20x00, 0x18, 0x00, 0x00, 0x04, 0xD8, 0x00, 0x00, 0x6E, 0x6F, 0x74,
30x66, 0x6C, 0x65, 0x78, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x04,
40x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
50x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
60x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
70x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
80x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
90x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
100x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
110x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06,
120x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
130x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
140x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00,
150x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x02,
160x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x08, 0x00,
170x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x05, 0x00, 0x00,
180x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
190x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
200x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
210x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
220x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
230x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
240x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
250x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00,
260x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x03, 0x00,
270x04, 0x00, 0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
280x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
290x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
300x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
310x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
320x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
330x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
340x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
350x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
360x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
370x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
380x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
390x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
400x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
410x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
420x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
430x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
440x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
450x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
460x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
470x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
480x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
490x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
500x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
510x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
520x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
530x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
540x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
550x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
560x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
570x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
580x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
590x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
600x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
610x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
620x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
630x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
640x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
650x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x02, 0x00, 0x00,
660x00, 0x00, 0x00, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x01, 0x00,
670x02, 0x00, 0x03, 0x00, 0x04, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00,
680x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
690x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
700x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
710x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
720x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
730x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
740x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
750x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x04,
760x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
770x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
780x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
790x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
800x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
810x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
820x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
830x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
840x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
850x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
860x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
870x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
880x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
890x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
900x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
910x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
920x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
930x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
940x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
950x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
960x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
970x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
980x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
990x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1000x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1010x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1020x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1030x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1040x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1050x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1060x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1070x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1080x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1090x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1100x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1110x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1120x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1130x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1140x00, 0x00
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-18 11:55:50 -0400