summaryrefslogtreecommitdiff
path: root/security/apparmor/policy_unpack.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/apparmor/policy_unpack.c')
-rw-r--r--security/apparmor/policy_unpack.c70
1 files changed, 56 insertions, 14 deletions
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 59a1a25b7d43..b9e6b2cafa69 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -23,7 +23,7 @@
#include "include/apparmor.h"
#include "include/audit.h"
-#include "include/context.h"
+#include "include/cred.h"
#include "include/crypto.h"
#include "include/match.h"
#include "include/path.h"
@@ -37,7 +37,8 @@
#define v5 5 /* base version */
#define v6 6 /* per entry policydb mediation check */
-#define v7 7 /* full network masking */
+#define v7 7
+#define v8 8 /* full network masking */
/*
* The AppArmor interface treats data as a type byte followed by the
@@ -164,8 +165,9 @@ static void do_loaddata_free(struct work_struct *work)
}
kzfree(d->hash);
- kfree(d->name);
- kvfree(d);
+ kzfree(d->name);
+ kvfree(d->data);
+ kzfree(d);
}
void aa_loaddata_kref(struct kref *kref)
@@ -180,10 +182,16 @@ void aa_loaddata_kref(struct kref *kref)
struct aa_loaddata *aa_loaddata_alloc(size_t size)
{
- struct aa_loaddata *d = kvzalloc(sizeof(*d) + size, GFP_KERNEL);
+ struct aa_loaddata *d;
+ d = kzalloc(sizeof(*d), GFP_KERNEL);
if (d == NULL)
return ERR_PTR(-ENOMEM);
+ d->data = kvzalloc(size, GFP_KERNEL);
+ if (!d->data) {
+ kfree(d);
+ return ERR_PTR(-ENOMEM);
+ }
kref_init(&d->count);
INIT_LIST_HEAD(&d->list);
@@ -196,6 +204,15 @@ static bool inbounds(struct aa_ext *e, size_t size)
return (size <= e->end - e->pos);
}
+static void *kvmemdup(const void *src, size_t len)
+{
+ void *p = kvmalloc(len, GFP_KERNEL);
+
+ if (p)
+ memcpy(p, src, len);
+ return p;
+}
+
/**
* aa_u16_chunck - test and do bounds checking for a u16 size based chunk
* @e: serialized data read head (NOT NULL)
@@ -515,6 +532,35 @@ fail:
return 0;
}
+static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile)
+{
+ void *pos = e->pos;
+
+ if (unpack_nameX(e, AA_STRUCT, "xattrs")) {
+ int i, size;
+
+ size = unpack_array(e, NULL);
+ profile->xattr_count = size;
+ profile->xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL);
+ if (!profile->xattrs)
+ goto fail;
+ for (i = 0; i < size; i++) {
+ if (!unpack_strdup(e, &profile->xattrs[i], NULL))
+ goto fail;
+ }
+ if (!unpack_nameX(e, AA_ARRAYEND, NULL))
+ goto fail;
+ if (!unpack_nameX(e, AA_STRUCTEND, NULL))
+ goto fail;
+ }
+
+ return 1;
+
+fail:
+ e->pos = pos;
+ return 0;
+}
+
static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile)
{
void *pos = e->pos;
@@ -549,15 +595,6 @@ fail:
return 0;
}
-static void *kvmemdup(const void *src, size_t len)
-{
- void *p = kvmalloc(len, GFP_KERNEL);
-
- if (p)
- memcpy(p, src, len);
- return p;
-}
-
static u32 strhash(const void *data, u32 len, u32 seed)
{
const char * const *key = data;
@@ -712,6 +749,11 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
goto fail;
}
+ if (!unpack_xattrs(e, profile)) {
+ info = "failed to unpack profile xattrs";
+ goto fail;
+ }
+
if (!unpack_rlimits(e, profile)) {
info = "failed to unpack profile rlimits";
goto fail;