diff options
| author | John Johansen <john.johansen@canonical.com> | 2018-08-21 20:19:53 -0400 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2018-08-22 21:44:42 -0400 |
| commit | c037bd615885f1d9d3bdb48531bace79fae1505d (patch) | |
| tree | 0c1d606cf7c4de645658b3b9f97bfbbb319442db | |
| parent | 0a6b29230ec336189bab32498df3f06c8a6944d8 (diff) | |
apparmor: remove no-op permission check in policy_unpack
The patch 736ec752d95e: "AppArmor: policy routines for loading and
unpacking policy" from Jul 29, 2010, leads to the following static
checker warning:
security/apparmor/policy_unpack.c:410 verify_accept()
warn: bitwise AND condition is false here
security/apparmor/policy_unpack.c:413 verify_accept()
warn: bitwise AND condition is false here
security/apparmor/policy_unpack.c
392 #define DFA_VALID_PERM_MASK 0xffffffff
393 #define DFA_VALID_PERM2_MASK 0xffffffff
394
395 /**
396 * verify_accept - verify the accept tables of a dfa
397 * @dfa: dfa to verify accept tables of (NOT NULL)
398 * @flags: flags governing dfa
399 *
400 * Returns: 1 if valid accept tables else 0 if error
401 */
402 static bool verify_accept(struct aa_dfa *dfa, int flags)
403 {
404 int i;
405
406 /* verify accept permissions */
407 for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
408 int mode = ACCEPT_TABLE(dfa)[i];
409
410 if (mode & ~DFA_VALID_PERM_MASK)
411 return 0;
412
413 if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
414 return 0;
fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking policy")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
| -rw-r--r-- | security/apparmor/policy_unpack.c | 32 |
1 files changed, 0 insertions, 32 deletions
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index 0e566a01d217..21cb384d712a 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c | |||
| @@ -389,32 +389,6 @@ static int unpack_strdup(struct aa_ext *e, char **string, const char *name) | |||
| 389 | return res; | 389 | return res; |
| 390 | } | 390 | } |
| 391 | 391 | ||
| 392 | #define DFA_VALID_PERM_MASK 0xffffffff | ||
| 393 | #define DFA_VALID_PERM2_MASK 0xffffffff | ||
| 394 | |||
| 395 | /** | ||
| 396 | * verify_accept - verify the accept tables of a dfa | ||
| 397 | * @dfa: dfa to verify accept tables of (NOT NULL) | ||
| 398 | * @flags: flags governing dfa | ||
| 399 | * | ||
| 400 | * Returns: 1 if valid accept tables else 0 if error | ||
| 401 | */ | ||
| 402 | static bool verify_accept(struct aa_dfa *dfa, int flags) | ||
| 403 | { | ||
| 404 | int i; | ||
| 405 | |||
| 406 | /* verify accept permissions */ | ||
| 407 | for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { | ||
| 408 | int mode = ACCEPT_TABLE(dfa)[i]; | ||
| 409 | |||
| 410 | if (mode & ~DFA_VALID_PERM_MASK) | ||
| 411 | return 0; | ||
| 412 | |||
| 413 | if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK) | ||
| 414 | return 0; | ||
| 415 | } | ||
| 416 | return 1; | ||
| 417 | } | ||
| 418 | 392 | ||
| 419 | /** | 393 | /** |
| 420 | * unpack_dfa - unpack a file rule dfa | 394 | * unpack_dfa - unpack a file rule dfa |
| @@ -445,15 +419,9 @@ static struct aa_dfa *unpack_dfa(struct aa_ext *e) | |||
| 445 | if (IS_ERR(dfa)) | 419 | if (IS_ERR(dfa)) |
| 446 | return dfa; | 420 | return dfa; |
| 447 | 421 | ||
| 448 | if (!verify_accept(dfa, flags)) | ||
| 449 | goto fail; | ||
| 450 | } | 422 | } |
| 451 | 423 | ||
| 452 | return dfa; | 424 | return dfa; |
| 453 | |||
| 454 | fail: | ||
| 455 | aa_put_dfa(dfa); | ||
| 456 | return ERR_PTR(-EPROTO); | ||
| 457 | } | 425 | } |
| 458 | 426 | ||
| 459 | /** | 427 | /** |