apparmor: convert xmatch lookup to use accept as an index
authorJohn Johansen <john.johansen@canonical.com>
Sat, 14 Nov 2020 07:36:09 +0000 (23:36 -0800)
committerJohn Johansen <john.johansen@canonical.com>
Mon, 3 Oct 2022 21:49:03 +0000 (14:49 -0700)
Remap xmatch dfa accept table from embedded perms to an index and then
move xmatch lookup to use accept entry to index into the xmatch table.

This is a step towards unifying permission lookup and reducing the
size of permissions tables.

Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/domain.c
security/apparmor/policy_unpack.c

index 0df17fb236c7864f7a59d55843b977899d90ee05..45a8887021f10acb4830e9a329842d6c25d0d95c 100644 (file)
@@ -328,7 +328,7 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
                size = vfs_getxattr_alloc(&init_user_ns, d, profile->xattrs[i],
                                          &value, value_size, GFP_KERNEL);
                if (size >= 0) {
-                       u32 perm;
+                       u32 index, perm;
 
                        /*
                         * Check the xattr presence before value. This ensure
@@ -340,7 +340,8 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
                        /* Check xattr value */
                        state = aa_dfa_match_len(profile->xmatch.dfa, state,
                                                 value, size);
-                       perm = profile->xmatch.perms[state].allow;
+                       index = ACCEPT_TABLE(profile->xmatch.dfa)[state];
+                       perm = profile->xmatch.perms[index].allow;
                        if (!(perm & MAY_EXEC)) {
                                ret = -EINVAL;
                                goto out;
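Review bot: The value read on the line `index = ACCEPT_TABLE(profile->xmatch.dfa)[state];` is used directly as a subscript into `profile->xmatch.perms[]` with no visible bound check, so an accept entry that is out of range (malformed policy, or a remap that leaves a stale value) would read past the permission table; the same pattern is repeated in the second hunk after `restart:`. Unless the accept table is validated against the perms table length when the policy is unpacked (not visible in this hunk), a guard before the dereference is warranted, e.g. `if (index >= profile->xmatch.<perms-table-length-field>) { ret = -EINVAL; goto out; }`. A short comment above the lookup, `/* accept entry is an index into xmatch.perms, not a raw permission */`, would also make the new indirection clear to readers of the old code. aa_xattrs_match continues outside the hunk.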
@@ -416,12 +417,13 @@ restart:
                 */
                if (profile->xmatch.dfa) {
                        unsigned int state, count;
-                       u32 perm;
+                       u32 index, perm;
 
                        state = aa_dfa_leftmatch(profile->xmatch.dfa,
                                        profile->xmatch.start[AA_CLASS_XMATCH],
                                        name, &count);
-                       perm = profile->xmatch.perms[state].allow;
+                       index = ACCEPT_TABLE(profile->xmatch.dfa)[state];
+                       perm = profile->xmatch.perms[index].allow;
                        /* any accepting state means a valid match. */
                        if (perm & MAY_EXEC) {
                                int ret = 0;
index 4cf62c1be388f32e161a768554d91b68ce97d6bb..4cdc9698878324f32a8f9256690e1667a3cb93fa 100644 (file)
@@ -930,6 +930,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
                        info = "failed to convert xmatch permission table";
                        goto fail;
                }
+               remap_dfa_accept(profile->xmatch.dfa, 1);
        }
 
        /* disconnected attachment string is optional */
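Review bot: The literal `1` in `remap_dfa_accept(profile->xmatch.dfa, 1);` does not say what it selects, and the call's result is not examined, so a reader cannot tell whether the remap can fail or what table it targets; a one-line comment such as `/* rewrite xmatch accept entries as indices into xmatch.perms — TODO confirm meaning of 1 */` would help. Since this remap is what produces the indices that domain.c now uses to subscript `xmatch.perms[]`, this is the natural place to reject a policy whose remapped entries exceed the perms table converted just above, following the surrounding pattern of `info = "<message>"; goto fail;`. unpack_profile continues outside the hunk.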