author | John Johansen <john.johansen@canonical.com> | 2022-01-18 00:43:49 +0300 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2022-10-04 00:49:03 +0300 |
commit | 33fc95d8293cfca352ac875668857293e22d7d51 (patch) | |
tree | 045b3ba1a1fb5d6e08845d650b19806c6f44f4d4 /security/apparmor/include | |
parent | e844fe9b51c984472ea98be3b2d1201ba9ee3213 (diff) | |
apparmor: preparse for state being more than just an integer
Convert from an unsigned int to a state_t for state position. This is
a step in prepping for the state position carrying some additional
flags, and a limited form of backtracking to support variables.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/include')
-rw-r--r-- | security/apparmor/include/file.h | 8 | ||||
-rw-r--r-- | security/apparmor/include/label.h | 6 | ||||
-rw-r--r-- | security/apparmor/include/lib.h | 4 | ||||
-rw-r--r-- | security/apparmor/include/match.h | 28 | ||||
-rw-r--r-- | security/apparmor/include/policy.h | 14 |
5 files changed, 30 insertions, 30 deletions
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
index 736b8f655404..8c82cf279dc2 100644
--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -166,10 +166,10 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
 const char *info, int error);
 struct aa_perms *aa_lookup_fperms(struct aa_policydb *file_rules,
- unsigned int state, struct path_cond *cond);
-unsigned int aa_str_perms(struct aa_policydb *file_rules, unsigned int start,
- const char *name, struct path_cond *cond,
- struct aa_perms *perms);
+ aa_state_t state, struct path_cond *cond);
+aa_state_t aa_str_perms(struct aa_policydb *file_rules, aa_state_t start,
+ const char *name, struct path_cond *cond,
+ struct aa_perms *perms);
 int __aa_path_perm(const char *op, struct aa_profile *profile,
 const char *name, u32 request, struct path_cond *cond,
diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
index 860484c6f99a..1130ba10a152 100644
--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -333,7 +333,7 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
 static inline const char *aa_label_strn_split(const char *str, int n)
 {
 const char *pos;
- unsigned int state;
+ aa_state_t state;
 state = aa_dfa_matchn_until(stacksplitdfa, DFA_START, str, n, &pos);
 if (!ACCEPT_TABLE(stacksplitdfa)[state])
@@ -345,7 +345,7 @@ static inline const char *aa_label_strn_split(const char *str, int n)
 static inline const char *aa_label_str_split(const char *str)
 {
 const char *pos;
- unsigned int state;
+ aa_state_t state;
 state = aa_dfa_match_until(stacksplitdfa, DFA_START, str, &pos);
 if (!ACCEPT_TABLE(stacksplitdfa)[state])
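Review bot: `ACCEPT_TABLE(stacksplitdfa)[state]` in aa_label_strn_split() still uses the state value directly as a table index, while the commit message says aa_state_t is about to carry flag bits in addition to a position. Once that happens, an unmasked state could index past the end of the accept table, so I would mark the spot now with a comment such as `/* state is a raw ACCEPT_TABLE index here; strip flag bits before indexing once aa_state_t carries them */`. The same pattern appears in aa_label_str_split() in the next hunk and in aa_lookup_perms() in policy.h (`ACCEPT_TABLE(policy->dfa)[state]`). Both label.h function bodies continue past the end of their hunks, so whatever follows the lookup is not visible here.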
@@ -358,7 +358,7 @@ static inline const char *aa_label_str_split(const char *str)
 struct aa_perms;
 int aa_label_match(struct aa_profile *profile, struct aa_label *label,
- unsigned int state, bool subns, u32 request,
+ aa_state_t state, bool subns, u32 request,
 struct aa_perms *perms);
diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
index f42359f58eb5..f176f3ced2a3 100644
--- a/security/apparmor/include/lib.h
+++ b/security/apparmor/include/lib.h
@@ -87,8 +87,8 @@ static inline bool aa_strneq(const char *str, const char *sub, int len)
 * character which is not used in standard matching and is only
 * used to separate pairs.
 */
-static inline unsigned int aa_dfa_null_transition(struct aa_dfa *dfa,
- unsigned int start)
+static inline aa_state_t aa_dfa_null_transition(struct aa_dfa *dfa,
+ aa_state_t start)
 {
 /* the null transition only needs the string's null terminator byte */
 return aa_dfa_next(dfa, start, 0);
diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
index 884489590588..58fbf67139b9 100644
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -125,19 +125,19 @@ static inline size_t table_size(size_t len, size_t el_size)
 int aa_setup_dfa_engine(void);
 void aa_teardown_dfa_engine(void);
+#define aa_state_t unsigned int
+
 struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags);
-unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
- const char *str, int len);
-unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
- const char *str);
-unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
- const char c);
-unsigned int aa_dfa_outofband_transition(struct aa_dfa *dfa,
- unsigned int state);
-unsigned int aa_dfa_match_until(struct aa_dfa *dfa, unsigned int start,
- const char *str, const char **retpos);
-unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start,
- const char *str, int n, const char **retpos);
+aa_state_t aa_dfa_match_len(struct aa_dfa *dfa, aa_state_t start,
+ const char *str, int len);
+aa_state_t aa_dfa_match(struct aa_dfa *dfa, aa_state_t start,
+ const char *str);
+aa_state_t aa_dfa_next(struct aa_dfa *dfa, aa_state_t state, const char c);
+aa_state_t aa_dfa_outofband_transition(struct aa_dfa *dfa, aa_state_t state);
+aa_state_t aa_dfa_match_until(struct aa_dfa *dfa, aa_state_t start,
+ const char *str, const char **retpos);
+aa_state_t aa_dfa_matchn_until(struct aa_dfa *dfa, aa_state_t start,
+ const char *str, int n, const char **retpos);
 void aa_dfa_free_kref(struct kref *kref);
@@ -156,8 +156,8 @@ struct match_workbuf N = { \
 .len = 0, \
 }
-unsigned int aa_dfa_leftmatch(struct aa_dfa *dfa, unsigned int start,
- const char *str, unsigned int *count);
+aa_state_t aa_dfa_leftmatch(struct aa_dfa *dfa, aa_state_t start,
+ const char *str, unsigned int *count);
 /**
 * aa_get_dfa - increment refcount on dfa @p
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 31c0af876250..3a7d165e8fcc 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
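Review bot: `#define aa_state_t unsigned int` in the first match.h hunk makes the new type a textual macro rather than a real type. `typedef unsigned int aa_state_t;` would give it scope and make it visible to debuggers and static checkers, and a later change of representation would then be checked by the compiler instead of silently re-expanding. The other headers touched by this commit (file.h, label.h, lib.h, policy.h) now use aa_state_t in their prototypes, so they presumably depend on match.h being included first. A short comment above the definition stating that, and that the value is a DFA state position, would help.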
@@ -78,7 +78,7 @@ struct aa_policydb {
 struct aa_dfa *dfa;
 struct aa_perms *perms;
 struct aa_domain trans;
- unsigned int start[AA_CLASS_LAST + 1];
+ aa_state_t start[AA_CLASS_LAST + 1];
 };
 static inline void aa_destroy_policydb(struct aa_policydb *policy)
@@ -91,7 +91,7 @@ static inline void aa_destroy_policydb(struct aa_policydb *policy)
 }
 static inline struct aa_perms *aa_lookup_perms(struct aa_policydb *policy,
- unsigned int state)
+ aa_state_t state)
 {
 unsigned int index = ACCEPT_TABLE(policy->dfa)[state];
@@ -239,7 +239,7 @@ static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
 return labels_profile(aa_get_newest_label(&p->label));
 }
-static inline unsigned int PROFILE_MEDIATES(struct aa_profile *profile,
+static inline aa_state_t PROFILE_MEDIATES(struct aa_profile *profile,
 unsigned char class)
 {
 if (class <= AA_CLASS_LAST)
@@ -249,13 +249,13 @@ static inline unsigned int PROFILE_MEDIATES(struct aa_profile *profile,
 profile->policy.start[0], &class, 1);
 }
-static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
- u16 AF) {
- unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
+static inline aa_state_t PROFILE_MEDIATES_AF(struct aa_profile *profile,
+ u16 AF) {
+ aa_state_t state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
 __be16 be_af = cpu_to_be16(AF);
 if (!state)
- return 0;
+ return DFA_NOMATCH;
 return aa_dfa_match_len(profile->policy.dfa, state, (char *) &be_af, 2);
 } |
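Review bot: In PROFILE_MEDIATES_AF() the early return now reads `return DFA_NOMATCH;` but the guard above it is still `if (!state)`, so the same condition is tested against a literal zero and reported with a named constant. Writing the guard as `if (state == DFA_NOMATCH)` keeps the two in step if the encoding of aa_state_t changes, which the commit message says is planned. Callers that test the result of PROFILE_MEDIATES() for truth are outside this diff and would presumably need the same treatment.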