authorJohn Johansen <john.johansen@canonical.com>2013-02-18 19:08:34 -0500
committerJohn Johansen <john.johansen@canonical.com>2013-04-28 03:36:55 -0400
commit8e4ff109d0d2194d98e9e16325bb4102f6463b43 (patch)
tree6014b4e4356a977dbba01851d981aa677ab040dd
parentcf47aede3b9e197d3b4a028e2157bf7736665ac4 (diff)
apparmor: misc cleanup of match
tidying up comments, includes and defines Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
-rw-r--r--security/apparmor/include/match.h19
-rw-r--r--security/apparmor/match.c3
2 files changed, 14 insertions, 8 deletions
diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
index 775843e7f984..bbbf56f5ba78 100644
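--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -4,7 +4,7 @@
  * This file contains AppArmor policy dfa matching engine definitions.
  *
  * Copyright (C) 1998-2008 Novell/SUSE
- * Copyright 2009-2010 Canonical Ltd.
+ * Copyright 2009-2012 Canonical Ltd.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License as
@@ -16,7 +16,6 @@
 #define __AA_MATCH_H
 
 #include <linux/kref.h>
-#include <linux/workqueue.h>
 
 #define DFA_NOMATCH 0
 #define DFA_START 1
@@ -29,12 +28,20 @@
  * file format (--tables-file option; see Table File Format in the flex
  * info pages and the flex sources for documentation). The magic number
  * used in the header is 0x1B5E783D instead of 0xF13C57B1 though, because
- * the YY_ID_CHK (check) and YY_ID_DEF (default) tables are used
- * slightly differently (see the apparmor-parser package).
+ * new tables have been defined and others YY_ID_CHK (check) and YY_ID_DEF
+ * (default) tables are used slightly differently (see the apparmor-parser
+ * package).
+ *
+ *
+ * The data in the packed dfa is stored in network byte order, and the tables
+ * are arranged for flexibility. We convert the table data to host native
+ * byte order.
+ *
+ * The dfa begins with a table set header, and is followed by the actual
+ * tables.
  */
 
 #define YYTH_MAGIC 0x1B5E783D
-#define YYTH_DEF_RECURSE 0x1 /* DEF Table is recursive */
 
 struct table_set_header {
  u32 th_magic; /* YYTH_MAGIC */
@@ -63,7 +70,7 @@ struct table_set_header {
 #define YYTD_DATA32 4
 #define YYTD_DATA64 8
 
-/* Each ACCEPT2 table gets 6 dedicated flags, YYTD_DATAX define the
+/* ACCEPT & ACCEPT2 tables gets 6 dedicated flags, YYTD_DATAX define the
  * first flags
  */
 #define ACCEPT1_FLAGS(X) ((X) & 0x3f)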
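Review bot: The reworded magic-number comment in the third hunk reads `new tables have been defined and others YY_ID_CHK (check) and YY_ID_DEF (default) tables are used slightly differently`, which does not say which tables are new or what "others" refers to. This comment is the in-tree description of the packed policy table format, so I would either name the added tables or write `because new tables have been defined and the YY_ID_CHK (check) and YY_ID_DEF (default) tables are used slightly differently`. The same comment block has two consecutive empty ` *` lines where one is enough, and the flags comment in the last hunk should read `ACCEPT & ACCEPT2 tables get 6 dedicated flags`.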
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index dfd25a9c9a69..1ff823031c73 100644
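--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -4,7 +4,7 @@
  * This file contains AppArmor dfa based regular expression matching engine
  *
  * Copyright (C) 1998-2008 Novell/SUSE
- * Copyright 2009-2010 Canonical Ltd.
+ * Copyright 2009-2012 Canonical Ltd.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License as
@@ -137,7 +137,6 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
  for (i = 0; i < state_count; i++) {
  if (DEFAULT_TABLE(dfa)[i] >= state_count)
  goto out;
- /* TODO: do check that DEF state recursion terminates */
  if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
  printk(KERN_ERR "AppArmor DFA next/check upper "
  "bounds error\n");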
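Review bot: Deleting `/* TODO: do check that DEF state recursion terminates */` from the state loop in verify_dfa, together with the removal of `YYTH_DEF_RECURSE` in match.h, leaves no record of whether chains through the DEFAULT table need a termination check. The visible loop only bounds each `DEFAULT_TABLE(dfa)[i]` against `state_count`, which by itself does not rule out a cycle between states. If the matcher never follows more than one default transition per input byte (not visible here), a replacement comment such as `/* DEF is followed at most once per input byte, so no cycle check is needed */` would make that assumption explicit; otherwise the TODO should stay until the check exists. verify_dfa starts before and continues past this hunk.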