apparmor: convert attaching profiles via xattrs to use dfa matching

This converts profile attachment based on xattrs to a fixed extended
conditional using dfa matching.

This has several advantages:
- pattern matching can be used for the xattr match

- xattrs can be optional for an attachment or marked as required

- the xattr attachment conditional will be able to be combined with
  other extended conditionals when the flexible extended conditional
  work lands.

The xattr fixed extended conditional is appended to the xmatch
conditional. If an xattr attachment is specified the profile xmatch
will be generated regardless of whether there is a pattern match on
the executable name.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
John Johansen
2017-12-12 15:28:05 -08:00
parent 8e51f9087f
commit 73f488cd90
5 changed files with 46 additions and 60 deletions


@@ -540,8 +540,7 @@ static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile)
size = unpack_array(e, NULL);
profile->xattr_count = size;
profile->xattrs = kcalloc(size, sizeof(char *),
GFP_KERNEL);
profile->xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL);
if (!profile->xattrs)
goto fail;
for (i = 0; i < size; i++) {
@@ -554,38 +553,6 @@ static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile)
goto fail;
}
if (unpack_nameX(e, AA_STRUCT, "xattr_values")) {
int i, size;
size = unpack_array(e, NULL);
/* Must be the same number of xattr values as xattrs */
if (size != profile->xattr_count)
goto fail;
profile->xattr_lens = kcalloc(size, sizeof(size_t),
GFP_KERNEL);
if (!profile->xattr_lens)
goto fail;
profile->xattr_values = kcalloc(size, sizeof(char *),
GFP_KERNEL);
if (!profile->xattr_values)
goto fail;
for (i = 0; i < size; i++) {
profile->xattr_lens[i] = unpack_blob(e,
&profile->xattr_values[i], NULL);
profile->xattr_values[i] =
kvmemdup(profile->xattr_values[i],
profile->xattr_lens[i]);
}
if (!unpack_nameX(e, AA_ARRAYEND, NULL))
goto fail;
if (!unpack_nameX(e, AA_STRUCTEND, NULL))
goto fail;
}
return 1;
fail: