diff options
| author |   John Johansen <john.johansen@canonical.com> | 2019-07-30 02:42:13 -0700 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2020-01-21 06:00:20 -0800 |
| commit | 0df34a645bae00c86f383fb063cd3840862837bf (patch) | |
| tree | 1c9c5f5c44683506e63f718ffa51541e802ec1a4 /security/apparmor/match.c | |
| parent | apparmor: fail unpack if profile mode is unknown (diff) | |
| download | linux-dev-0df34a645bae00c86f383fb063cd3840862837bf.tar.xz linux-dev-0df34a645bae00c86f383fb063cd3840862837bf.zip | |
apparmor: add outofband transition and use it in xattr match
There are cases where the a special out of band transition that can
not be triggered by input is useful in separating match conditions
in the dfa encoding.
The null_transition is currently used as an out of band transition
for match conditions that can not contain a \0 in their input
but apparmor needs an out of band transition for cases where
the match condition is allowed to contain any input character.
Achieve this by allowing for an explicit transition out of input
range that can only be triggered by code.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/match.c')
| -rw-r--r-- | security/apparmor/match.c | 43 |
1 files changed, 42 insertions, 1 deletions
diff --git a/security/apparmor/match.c b/security/apparmor/match.c index 651dbb6e38b8..e605b7d53fb4 100644 --- a/security/apparmor/match.c +++ b/security/apparmor/match.c @@ -212,6 +212,16 @@ static int verify_dfa(struct aa_dfa *dfa) goto out; } } + if ((BASE_TABLE(dfa)[i] & MATCH_FLAG_OOB_TRANSITION)) { + if (base_idx(BASE_TABLE(dfa)[i]) < dfa->max_oob) { + pr_err("AppArmor DFA out of bad transition out of range"); + goto out; + } + if (!(dfa->flags & YYTH_FLAG_OOB_TRANS)) { + pr_err("AppArmor DFA out of bad transition state without header flag"); + goto out; + } + } if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) { pr_err("AppArmor DFA next/check upper bounds error\n"); goto out; @@ -314,9 +324,23 @@ struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags) goto fail; dfa->flags = ntohs(*(__be16 *) (data + 12)); - if (dfa->flags != 0 && dfa->flags != YYTH_FLAG_DIFF_ENCODE) + if (dfa->flags & ~(YYTH_FLAGS)) goto fail; + /* + * TODO: needed for dfa to support more than 1 oob + * if (dfa->flags & YYTH_FLAGS_OOB_TRANS) { + * if (hsize < 16 + 4) + * goto fail; + * dfa->max_oob = ntol(*(__be32 *) (data + 16)); + * if (dfa->max <= MAX_OOB_SUPPORTED) { + * pr_err("AppArmor DFA OOB greater than supported\n"); + * goto fail; + * } + * } + */ + dfa->max_oob = 1; + data += hsize; size -= hsize; @@ -505,6 +529,23 @@ unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state, return state; } +unsigned int aa_dfa_outofband_transition(struct aa_dfa *dfa, unsigned int state) +{ + u16 *def = DEFAULT_TABLE(dfa); + u32 *base = BASE_TABLE(dfa); + u16 *next = NEXT_TABLE(dfa); + u16 *check = CHECK_TABLE(dfa); + u32 b = (base)[(state)]; + + if (!(b & MATCH_FLAG_OOB_TRANSITION)) + return DFA_NOMATCH; + + /* No Equivalence class remapping for outofband transitions */ + match_char(state, def, base, next, check, -1); + + return state; +} + /** * aa_dfa_match_until - traverse @dfa until accept state or end of input * @dfa: the dfa to match @str against (NOT NULL) |