author | John Johansen <john.johansen@canonical.com> | 2017-01-16 11:42:42 +0300 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2017-01-16 12:18:34 +0300 |
commit | 11c236b89d7c26d58c55d5613a858600a4d2ab3a (patch) | |
tree | 591f879c7a4491b17a03391343fc3c0a98bb7165 /security/apparmor/policy_unpack.c | |
parent | 6604d4c1c1a65d3d1a6a56291d96516d1e9b7041 (diff) | |
download | linux-11c236b89d7c26d58c55d5613a858600a4d2ab3a.tar.xz |
apparmor: add a default null dfa
Instead of testing whether a given dfa exists in every code path, have
a default null dfa that is used when loaded policy doesn't provide a
dfa.
This will let us get rid of special casing and avoid dereference bugs
when special casing is missed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/policy_unpack.c')
-rw-r--r-- | security/apparmor/policy_unpack.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 7160addb11be..51a7f9fc8a3e 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -603,7 +603,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
 }
 if (!unpack_nameX(e, AA_STRUCTEND, NULL))
 goto fail;
- }
+ } else
+ profile->policy.dfa = aa_get_dfa(nulldfa);
 
 /* get file rules */
 profile->file.dfa = unpack_dfa(e);
@@ -619,7 +620,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
 profile->policy.start[AA_CLASS_FILE]) {
 profile->file.dfa = aa_get_dfa(profile->policy.dfa);
 profile->file.start = profile->policy.start[AA_CLASS_FILE];
- }
+ } else
+ profile->file.dfa = aa_get_dfa(nulldfa);
 
 if (!unpack_trans_table(e, profile))
 goto fail;
|
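Review bot: The `else` added at the end of the policydb block is unbraced while the `if` arm it closes is braced; kernel coding style asks for braces on both arms in that case, i.e. `} else {` / `profile->policy.dfa = aa_get_dfa(nulldfa);` / `}`, and the same applies to the `else` added in the second hunk. A one-line comment such as `/* no policydb in the blob: share the null dfa so policy.dfa is never NULL */` would also record the invariant that later code is meant to rely on. `nulldfa` and `aa_get_dfa()` are defined outside this diff, so whether the pointer can still be NULL when a profile is unpacked cannot be confirmed from here. unpack_profile() begins and ends outside the hunk.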
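Review bot: The fallback added in the second hunk assigns `profile->file.dfa` but leaves `profile->file.start` untouched, whereas the branch directly above it sets both fields. Presumably the field keeps the value it had when the profile was allocated, which happens outside the hunk, so the start state used with the null dfa is implicit. A comment such as `/* no file rules: use the shared null dfa; file.start keeps its initial value */` would make that explicit, with the wording to be confirmed against the nulldfa definition. The `if`/`else if` chain this branch closes starts outside the hunk.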