apparmor: convert xmatch lookup to use accept as an index

Remap xmatch dfa accept table from embedded perms to an index and then
move xmatch lookup to use accept entry to index into the xmatch table.

This is step towards unifying permission lookup and reducing the
size of permissions tables.

Signed-off-by: John Johansen <john.johansen@canonical.com>

1 files changed, 6 insertions, 4 deletions

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 0df17fb236c7..45a8887021f1 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -328,7 +328,7 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
 		size = vfs_getxattr_alloc(&init_user_ns, d, profile->xattrs[i],
 					  &value, value_size, GFP_KERNEL);
 		if (size >= 0) {
-			u32 perm;
+			u32 index, perm;
 
 			/*
 			 * Check the xattr presence before value. This ensure
@@ -340,7 +340,8 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
 			/* Check xattr value */
 			state = aa_dfa_match_len(profile->xmatch.dfa, state,
 						 value, size);
-			perm = profile->xmatch.perms[state].allow;
+			index = ACCEPT_TABLE(profile->xmatch.dfa)[state];
+			perm = profile->xmatch.perms[index].allow;
 			if (!(perm & MAY_EXEC)) {
 				ret = -EINVAL;
 				goto out;
@@ -416,12 +417,13 @@ restart:
 		 */
 		if (profile->xmatch.dfa) {
 			unsigned int state, count;
-			u32 perm;
+			u32 index, perm;
 
 			state = aa_dfa_leftmatch(profile->xmatch.dfa,
 					profile->xmatch.start[AA_CLASS_XMATCH],
 					name, &count);
-			perm = profile->xmatch.perms[state].allow;
+			index = ACCEPT_TABLE(profile->xmatch.dfa)[state];
+			perm = profile->xmatch.perms[index].allow;
 			/* any accepting state means a valid match. */
 			if (perm & MAY_EXEC) {
 				int ret = 0;