author | Linus Torvalds <torvalds@linux-foundation.org> | 2013-07-03 17:04:58 -0400 |
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2013-07-03 17:04:58 -0400 |
commit | f39d420f672f99ad9a0fe7deb951a0030d4f0d9e (patch) | |
tree | 450e229a4305362f72cc5461aab8af4f2f5d023e /security/apparmor/match.c | |
parent | fe489bf4505ae26d3c6d6a1f1d3064c2a9c5cd85 (diff) | |
parent | 572e5b018ba68d634f30aef71cf04d85c884aa05 (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"In this update, Smack learns to love IPv6 and to mount a filesystem
with a transmutable hierarchy (i.e. security labels are inherited
from parent directory upon creation rather than creating process).
The rest of the changes are maintenance"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (37 commits)
tpm/tpm_i2c_infineon: Remove unused header file
tpm: tpm_i2c_infinion: Don't modify i2c_client->driver
evm: audit integrity metadata failures
integrity: move integrity_audit_msg()
evm: calculate HMAC after initializing posix acl on tmpfs
maintainers: add Dmitry Kasatkin
Smack: Fix the bug smackcipso can't set CIPSO correctly
Smack: Fix possible NULL pointer dereference at smk_netlbl_mls()
Smack: Add smkfstransmute mount option
Smack: Improve access check performance
Smack: Local IPv6 port based controls
tpm: fix regression caused by section type conflict of tpm_dev_release() in ppc builds
maintainers: Remove Kent from maintainers
tpm: move TPM_DIGEST_SIZE defintion
tpm_tis: missing platform_driver_unregister() on error in init_tis()
security: clarify cap_inode_getsecctx description
apparmor: no need to delay vfree()
apparmor: fix fully qualified name parsing
apparmor: fix setprocattr arg processing for onexec
apparmor: localize getting the security context to a few macros
...
Diffstat (limited to 'security/apparmor/match.c')
-rw-r--r-- | security/apparmor/match.c | 23 |
1 files changed, 12 insertions, 11 deletions
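--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -4,7 +4,7 @@
  * This file contains AppArmor dfa based regular expression matching engine
  *
  * Copyright (C) 1998-2008 Novell/SUSE
- * Copyright 2009-2010 Canonical Ltd.
+ * Copyright 2009-2012 Canonical Ltd.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License as
@@ -23,6 +23,8 @@
 #include "include/apparmor.h"
 #include "include/match.h"
 
+#define base_idx(X) ((X) & 0xffffff)
+
 /**
  * unpack_table - unpack a dfa table (one of accept, default, base, next check)
  * @blob: data to unpack (NOT NULL)
@@ -30,7 +32,7 @@
  *
  * Returns: pointer to table else NULL on failure
  *
- * NOTE: must be freed by kvfree (not kmalloc)
+ * NOTE: must be freed by kvfree (not kfree)
  */
 static struct table_header *unpack_table(char *blob, size_t bsize)
 {
@@ -57,7 +59,7 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
 	if (bsize < tsize)
 		goto out;
 
-	table = kvmalloc(tsize);
+	table = kvzalloc(tsize);
 	if (table) {
 		*table = th;
 		if (th.td_flags == YYTD_DATA8)
@@ -137,8 +139,7 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
 	for (i = 0; i < state_count; i++) {
 		if (DEFAULT_TABLE(dfa)[i] >= state_count)
 			goto out;
-		/* TODO: do check that DEF state recursion terminates */
-		if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
+		if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) {
 			printk(KERN_ERR "AppArmor DFA next/check upper "
 			       "bounds error\n");
 			goto out;
@@ -314,7 +315,7 @@ unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
 		u8 *equiv = EQUIV_TABLE(dfa);
 		/* default is direct to next state */
 		for (; len; len--) {
-			pos = base[state] + equiv[(u8) *str++];
+			pos = base_idx(base[state]) + equiv[(u8) *str++];
 			if (check[pos] == state)
 				state = next[pos];
 			else
@@ -323,7 +324,7 @@ unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
 	} else {
 		/* default is direct to next state */
 		for (; len; len--) {
-			pos = base[state] + (u8) *str++;
+			pos = base_idx(base[state]) + (u8) *str++;
 			if (check[pos] == state)
 				state = next[pos];
 			else
@@ -364,7 +365,7 @@ unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
 		u8 *equiv = EQUIV_TABLE(dfa);
 		/* default is direct to next state */
 		while (*str) {
-			pos = base[state] + equiv[(u8) *str++];
+			pos = base_idx(base[state]) + equiv[(u8) *str++];
 			if (check[pos] == state)
 				state = next[pos];
 			else
@@ -373,7 +374,7 @@ unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
 	} else {
 		/* default is direct to next state */
 		while (*str) {
-			pos = base[state] + (u8) *str++;
+			pos = base_idx(base[state]) + (u8) *str++;
 			if (check[pos] == state)
 				state = next[pos];
 			else
@@ -409,14 +410,14 @@ unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
 		u8 *equiv = EQUIV_TABLE(dfa);
 		/* default is direct to next state */
 
-		pos = base[state] + equiv[(u8) c];
+		pos = base_idx(base[state]) + equiv[(u8) c];
 		if (check[pos] == state)
 			state = next[pos];
 		else
 			state = def[state];
 	} else {
 		/* default is direct to next state */
-		pos = base[state] + (u8) c;
+		pos = base_idx(base[state]) + (u8) c;
 		if (check[pos] == state)
 			state = next[pos];
 		else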
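Review bot: The rewritten bound check in verify_dfa masks the base-table entry with base_idx() before comparing it against trans_count, so an entry whose upper 8 bits are set now passes verification where it previously failed the `+ 255 >= trans_count` test; nothing in this section validates or documents what those upper bits mean or who consumes them, so whatever reads them elsewhere must itself treat them as attacker-controlled policy input. The macro also lands without a comment; I would add `/* low 24 bits of a base-table entry are the next/check index; the upper 8 bits are presumably per-state flags and are ignored here — TODO confirm against the policy compiler's table layout */` above `#define base_idx(X) ((X) & 0xffffff)`. The removed `/* TODO: do check that DEF state recursion terminates */` line is not replaced by such a check anywhere in this hunk, so if that item is still open the comment should stay rather than silently disappear. verify_dfa begins and ends outside the hunk.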