apparmor: compute xmatch permissions on profile load

Rather than computing xmatch permissions each time access is requested, these permissions can be computed once on profile load and stored for lookup. Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
author: Mike Salvatore <mike.salvatore@canonical.com> 2020-05-31 10:52:06 -0400
committer: John Johansen <john.johansen@canonical.com> 2022-10-03 14:49:02 -0700
commit: b5b57993504f91785fa70e002e5e494fb549726e (patch)
tree: 3d3a6cc40d0949486554351e6889ed5fc594fb98 /security/apparmor/domain.c
parent: 408d53e923bd852d5d80243a642004163db53a87 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 2c99edd8953a..22351b6d71e6 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -339,7 +339,7 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
 			/* Check xattr value */
 			state = aa_dfa_match_len(profile->xmatch, state, value,
 						 size);
-			perm = dfa_user_allow(profile->xmatch, state);
+			perm = profile->xmatch_perms[state];
 			if (!(perm & MAY_EXEC)) {
 				ret = -EINVAL;
 				goto out;
@@ -419,7 +419,7 @@ restart:
 
 			state = aa_dfa_leftmatch(profile->xmatch, DFA_START,
 						 name, &count);
-			perm = dfa_user_allow(profile->xmatch, state);
+			perm = profile->xmatch_perms[state];
 			/* any accepting state means a valid match. */
 			if (perm & MAY_EXEC) {
 				int ret = 0;
author	Mike Salvatore <mike.salvatore@canonical.com>	2020-05-31 10:52:06 -0400
committer	John Johansen <john.johansen@canonical.com>	2022-10-03 14:49:02 -0700
commit	b5b57993504f91785fa70e002e5e494fb549726e (patch)
tree	3d3a6cc40d0949486554351e6889ed5fc594fb98 /security/apparmor/domain.c
parent	408d53e923bd852d5d80243a642004163db53a87 (diff)