
Commit ec6851a

apparmor: fix: kzalloc perms tables for shared dfas
Currently the permstables of the shared dfas are not shared, and need to be allocated and copied. In the future this should be addressed with a larger rework on dfa and pdb ref counts and structure sharing. BugLink: http://bugs.launchpad.net/bugs/2017903 Fixes: 217af7e ("apparmor: refactor profile rules and attachments") Cc: [email protected] Signed-off-by: John Johansen <[email protected]> Reviewed-by: Jon Tourville <[email protected]>
1 parent 6f442d4 commit ec6851a

2 files changed

+35
-4
lines changed


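--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -589,7 +589,15 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
 profile->label.flags |= FLAG_NULL;
 rules = list_first_entry(&profile->rules, typeof(*rules), list);
 rules->file.dfa = aa_get_dfa(nulldfa);
+rules->file.perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL);
+if (!rules->file.perms)
+goto fail;
+rules->file.size = 2;
 rules->policy.dfa = aa_get_dfa(nulldfa);
+rules->policy.perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL);
+if (!rules->policy.perms)
+goto fail;
+rules->policy.size = 2;
 
 if (parent) {
 profile->path_flags = parent->path_flags;
@@ -600,6 +608,11 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
 }
 
 return profile;
+
+fail:
+aa_free_profile(profile);
+
+return NULL;
 }
 
 /**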
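--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -982,9 +982,14 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 goto fail;
 }
 }
-} else
+} else {
 rules->policy.dfa = aa_get_dfa(nulldfa);
-
+rules->policy.perms = kcalloc(2, sizeof(struct aa_perms),
+GFP_KERNEL);
+if (!rules->policy.perms)
+goto fail;
+rules->policy.size = 2;
+}
 /* get file rules */
 error = unpack_pdb(e, &rules->file, false, true, &info);
 if (error) {
@@ -1001,9 +1006,22 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 rules->policy.start[AA_CLASS_FILE]) {
 rules->file.dfa = aa_get_dfa(rules->policy.dfa);
 rules->file.start[AA_CLASS_FILE] = rules->policy.start[AA_CLASS_FILE];
-} else
+rules->file.perms = kcalloc(rules->policy.size,
+sizeof(struct aa_perms),
+GFP_KERNEL);
+if (!rules->file.perms)
+goto fail;
+memcpy(rules->file.perms, rules->policy.perms,
+rules->policy.size * sizeof(struct aa_perms));
+rules->file.size = rules->policy.size;
+} else {
 rules->file.dfa = aa_get_dfa(nulldfa);
-
+rules->file.perms = kcalloc(2, sizeof(struct aa_perms),
+GFP_KERNEL);
+if (!rules->file.perms)
+goto fail;
+rules->file.size = 2;
+}
 error = -EPROTO;
 if (aa_unpack_nameX(e, AA_STRUCT, "data")) {
 info = "out of memory";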
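Review bot: The new `goto fail` after each failed kcalloc (the policy branch in the first hunk, the copy branch and the nulldfa branch in the second) jumps without setting `error` or `info`, while the lines immediately following the second hunk (`error = -EPROTO;` and `info = "out of memory";`) show this function reports failures through those two variables before jumping; unless the `fail` label, which is outside the hunk, special-cases a NULL table, an allocation failure will presumably be audited as a protocol error with a stale info string. Adding `info = "out of memory"; error = -ENOMEM;` before each of the three new `goto fail` lines would keep the report accurate. The two nulldfa-table allocations here and the two in policy.c are identical apart from the target field; a small static helper taking the pdb pointer would remove the repeated literal `2` and give the magic number a single documented home. unpack_profile begins and ends outside the hunk.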
