author | John Johansen <john.johansen@canonical.com> | 2013-02-18 19:08:34 -0500 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2013-04-28 03:36:55 -0400 |
commit | 8e4ff109d0d2194d98e9e16325bb4102f6463b43 (patch) | |
tree | 6014b4e4356a977dbba01851d981aa677ab040dd | |
parent | cf47aede3b9e197d3b4a028e2157bf7736665ac4 (diff) |
apparmor: misc cleanup of match
tidying up comments, includes and defines
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
-rw-r--r-- | security/apparmor/include/match.h | 19 | ||||
-rw-r--r-- | security/apparmor/match.c | 3 |
2 files changed, 14 insertions, 8 deletions
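--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -4,7 +4,7 @@
 * This file contains AppArmor policy dfa matching engine definitions.
 *
 * Copyright (C) 1998-2008 Novell/SUSE
-* Copyright 2009-2010 Canonical Ltd.
+* Copyright 2009-2012 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
@@ -16,7 +16,6 @@
 #define __AA_MATCH_H
 
 #include <linux/kref.h>
-#include <linux/workqueue.h>
 
 #define DFA_NOMATCH 0
 #define DFA_START 1
@@ -29,12 +28,20 @@
 * file format (--tables-file option; see Table File Format in the flex
 * info pages and the flex sources for documentation). The magic number
 * used in the header is 0x1B5E783D instead of 0xF13C57B1 though, because
-* the YY_ID_CHK (check) and YY_ID_DEF (default) tables are used
-* slightly differently (see the apparmor-parser package).
+* new tables have been defined and others YY_ID_CHK (check) and YY_ID_DEF
+* (default) tables are used slightly differently (see the apparmor-parser
+* package).
+*
+*
+* The data in the packed dfa is stored in network byte order, and the tables
+* are arranged for flexibility. We convert the table data to host native
+* byte order.
+*
+* The dfa begins with a table set header, and is followed by the actual
+* tables.
 */
 
 #define YYTH_MAGIC 0x1B5E783D
-#define YYTH_DEF_RECURSE 0x1 /* DEF Table is recursive */
 
 struct table_set_header {
 u32 th_magic; /* YYTH_MAGIC */
@@ -63,7 +70,7 @@ struct table_set_header {
 #define YYTD_DATA32 4
 #define YYTD_DATA64 8
 
-/* Each ACCEPT2 table gets 6 dedicated flags, YYTD_DATAX define the
+/* ACCEPT & ACCEPT2 tables gets 6 dedicated flags, YYTD_DATAX define the
 * first flags
 */
 #define ACCEPT1_FLAGS(X) ((X) & 0x3f)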
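Review bot: Removing `YYTH_DEF_RECURSE` (old line 37) leaves nothing in the header saying how a table set that still carries flag bit 0x1 is treated, and the same commit deletes the matching TODO in verify_dfa() in security/apparmor/match.c. If the unpack path, which is not visible here, stores the header flags without rejecting unknown bits, a policy compiled for recursive DEF tables would presumably still load and be matched as if DEF were single-step. I would keep a short comment next to `YYTH_MAGIC`, for example `/* no table-set flags are defined; recursive DEF tables are not supported */`, and have the loader refuse non-zero flags if it does not already do so.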
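--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -4,7 +4,7 @@
 * This file contains AppArmor dfa based regular expression matching engine
 *
 * Copyright (C) 1998-2008 Novell/SUSE
-* Copyright 2009-2010 Canonical Ltd.
+* Copyright 2009-2012 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
@@ -137,7 +137,6 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
 for (i = 0; i < state_count; i++) {
 if (DEFAULT_TABLE(dfa)[i] >= state_count)
 goto out;
-/* TODO: do check that DEF state recursion terminates */
 if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
 printk(KERN_ERR "AppArmor DFA next/check upper "
 "bounds error\n");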
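Review bot: The bound check `BASE_TABLE(dfa)[i] + 255 >= trans_count`, kept as context at new line 140, adds before it compares. If the base entries are 32-bit unsigned (the table types are not shown in this hunk), a value near the top of the range wraps and passes the check. These tables come from a loaded policy blob, so I would compare without the addition, e.g. `if (trans_count < 255 || BASE_TABLE(dfa)[i] >= trans_count - 255) {`, which rejects the same inputs and also the wrapped ones. verify_dfa() starts and ends outside the hunk, so the declarations of `trans_count` and `i` should be confirmed against the full function.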