authorJohn Johansen <john.johansen@canonical.com>2017-01-16 11:42:42 +0300
committerJohn Johansen <john.johansen@canonical.com>2017-01-16 12:18:34 +0300
commit11c236b89d7c26d58c55d5613a858600a4d2ab3a (patch)
tree591f879c7a4491b17a03391343fc3c0a98bb7165 /security/apparmor/lsm.c
parent6604d4c1c1a65d3d1a6a56291d96516d1e9b7041 (diff)
apparmor: add a default null dfa
Instead of testing whether a given dfa exists in every code path, have a default null dfa that is used when loaded policy doesn't provide a dfa. This will let us get rid of special casing and avoid dereference bugs when special casing is missed. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/lsm.c')
-rw-r--r--security/apparmor/lsm.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index e40eecbbaefa..f852cd626f2e 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -878,6 +878,12 @@ static int __init apparmor_init(void)
return 0;
}
+ error = aa_setup_dfa_engine();
+ if (error) {
+ AA_ERROR("Unable to setup dfa engine\n");
+ goto alloc_out;
+ }
+
error = aa_alloc_root_ns();
if (error) {
AA_ERROR("Unable to allocate default profile namespace\n");
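Review bot: The new failure branch for `aa_setup_dfa_engine()` jumps to `alloc_out`, which the second hunk extends with `aa_teardown_dfa_engine()`, so teardown now also runs when setup itself failed. Neither function's body is visible on this page, so this is safe only if teardown tolerates a default dfa that was never created (an unset or error-valued pointer); otherwise the init failure path could hit the same kind of dereference bug the commit is meant to prevent. I would record that contract at the call site, e.g. `/* aa_teardown_dfa_engine() must be safe after a failed aa_setup_dfa_engine() */`, or give the dfa failure its own label so teardown is skipped on that path. apparmor_init() begins and ends outside both hunks, so any other labels that fall through to `alloc_out` should be checked against the same assumption.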
@@ -905,6 +911,7 @@ static int __init apparmor_init(void)
alloc_out:
aa_destroy_aafs();
+ aa_teardown_dfa_engine();
apparmor_enabled = 0;
return error;