author | John Johansen <john.johansen@canonical.com> | 2019-07-30 02:42:13 -0700
---|---|---
committer | John Johansen <john.johansen@canonical.com> | 2020-01-21 06:00:20 -0800
commit | 0df34a645bae00c86f383fb063cd3840862837bf (patch) |
tree | 1c9c5f5c44683506e63f718ffa51541e802ec1a4 /security/apparmor/domain.c |
parent | f05841a940df995b784b5e3ec6f76141e8337245 (diff) |
apparmor: add outofband transition and use it in xattr match
There are cases where a special out of band transition that cannot
be triggered by input is useful in separating match conditions
in the dfa encoding.
The null_transition is currently used as an out of band transition
for match conditions that cannot contain a \0 in their input
but apparmor needs an out of band transition for cases where
the match condition is allowed to contain any input character.
Achieve this by allowing for an explicit transition out of input
range that can only be triggered by code.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/domain.c')
-rw-r--r-- | security/apparmor/domain.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index f73ba303ba24..0a91d5f7d0e9 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -320,8 +320,7 @@ static int aa_xattrs_match(const struct linux_binprm *bprm, might_sleep(); /* transition from exec match to xattr set */ - state = aa_dfa_null_transition(profile->xmatch, state); - + state = aa_dfa_outofband_transition(profile->xmatch, state); d = bprm->file->f_path.dentry; for (i = 0; i < profile->xattr_count; i++) { @@ -330,7 +329,13 @@ static int aa_xattrs_match(const struct linux_binprm *bprm, if (size >= 0) { u32 perm; - /* Check the xattr value, not just presence */ + /* + * Check the xattr presence before value. This ensure + * that not present xattr can be distinguished from a 0 + * length value or rule that matches any value + */ + state = aa_dfa_null_transition(profile->xmatch, state); + /* Check xattr value */ state = aa_dfa_match_len(profile->xmatch, state, value, size); perm = dfa_user_allow(profile->xmatch, state); @@ -340,7 +345,7 @@ static int aa_xattrs_match(const struct linux_binprm *bprm, } } /* transition to next element */ - state = aa_dfa_null_transition(profile->xmatch, state); + state = aa_dfa_outofband_transition(profile->xmatch, state); if (size < 0) { /* * No xattr match, so verify if transition to |
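Review bot: the first hunk (the "transition from exec match to xattr set" at the top of aa_xattrs_match()) swaps aa_dfa_null_transition() for aa_dfa_outofband_transition() with no check that the loaded xmatch dfa was compiled with an out-of-band transition; this diff is limited to domain.c and the commit message mentions no policy or dfa version flag, so a profile built by an older parser would be walked with a transition its state table does not encode. Suggest either gating the new call on a dfa capability/version flag or stating the policy-version dependency in the commit message. The hunk also deletes the blank line that separated the transition from `d = bprm->file->f_path.dentry;`; keeping it makes the separator read as its own step.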
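Review bot: the new comment in the second hunk has grammar errors ("This ensure that not present xattr can be distinguished from a 0 length value or rule that matches any value"); suggest "This ensures that a missing xattr can be distinguished from a zero-length value or from a rule that matches any value". The added `state = aa_dfa_null_transition(profile->xmatch, state);` sits inside `if (size >= 0)`, so the absent-xattr case deliberately skips the presence marker; say so in that comment, because a reader of the `if (size < 0)` branch further down otherwise has to work out why no null transition preceded it.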
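Review bot: after the third hunk (`/* transition to next element */`), aa_dfa_outofband_transition() is the element separator while aa_dfa_null_transition() marks presence before value, so the same routine relies on two distinct out-of-band markers without a comment stating which is which; a one-line comment at the top of aa_xattrs_match() (or in the header that declares aa_dfa_outofband_transition()) recording that null separates presence from value and out-of-band separates elements would make the encoding contract explicit. The `if (size < 0)` branch that follows ("No xattr match, so verify if transition to ...") now runs after the out-of-band transition has already been taken, so confirm the verification it performs expects the post-separator state.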