apparmor: fix: kzalloc perms tables for shared dfas
commit ec6851ae0a upstream.

Currently the perms tables of the shared dfas are not shared, and need to be allocated and copied. In the future this should be addressed with a larger rework on dfa and pdb ref counts and structure sharing.

BugLink: http://bugs.launchpad.net/bugs/2017903
Fixes: 217af7e2f4 ("apparmor: refactor profile rules and attachments")
Cc: stable@vger.kernel.org
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Jon Tourville <jontourville@me.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent
773ccad902
commit
ca456dfa51
@ -591,7 +591,15 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
|
|||
profile->label.flags |= FLAG_NULL;
|
||||
rules = list_first_entry(&profile->rules, typeof(*rules), list);
|
||||
rules->file.dfa = aa_get_dfa(nulldfa);
|
||||
rules->file.perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL);
|
||||
if (!rules->file.perms)
|
||||
goto fail;
|
||||
rules->file.size = 2;
|
||||
rules->policy.dfa = aa_get_dfa(nulldfa);
|
||||
rules->policy.perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL);
|
||||
if (!rules->policy.perms)
|
||||
goto fail;
|
||||
rules->policy.size = 2;
|
||||
|
||||
if (parent) {
|
||||
profile->path_flags = parent->path_flags;
|
||||
|
@ -602,6 +610,11 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
|
|||
}
|
||||
|
||||
return profile;
|
||||
|
||||
fail:
|
||||
aa_free_profile(profile);
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/**
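Review bot: The literal `2` used as the perms table length at L23/L32 and L38/L47 (and again in unpack_profile at L117/L129 and L192/L204) is undocumented, so nothing ties it to the property of nulldfa it presumably mirrors (its state count — confirm); a single named constant next to the nulldfa definition, e.g. `#define NULLDFA_PERMS_SIZE 2 /* entries in a perms table for nulldfa */`, used in all four places would keep the table length from drifting away from the dfa it is indexed by. aa_alloc_null() begins before the first hunk. The fail path added at L72-L80 hands a partially initialised profile to aa_free_profile(); that this frees the perms tables and drops the aa_get_dfa() references taken at L20/L35 is assumed here, since aa_free_profile() is outside the hunk. Each size field is assigned only after its kcalloc() succeeded, so on the fail path size stays 0 while perms is NULL, which is a consistent pair for the free routine.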
|
||||
|
|
|
@ -988,9 +988,14 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
|
|||
info = "failed to remap policydb permission table";
|
||||
goto fail;
|
||||
}
|
||||
} else
|
||||
} else {
|
||||
rules->policy.dfa = aa_get_dfa(nulldfa);
|
||||
|
||||
rules->policy.perms = kcalloc(2, sizeof(struct aa_perms),
|
||||
GFP_KERNEL);
|
||||
if (!rules->policy.perms)
|
||||
goto fail;
|
||||
rules->policy.size = 2;
|
||||
}
|
||||
/* get file rules */
|
||||
error = unpack_pdb(e, &rules->file, false, true, &info);
|
||||
if (error) {
|
||||
|
@ -1005,9 +1010,22 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
|
|||
rules->policy.start[AA_CLASS_FILE]) {
|
||||
rules->file.dfa = aa_get_dfa(rules->policy.dfa);
|
||||
rules->file.start[AA_CLASS_FILE] = rules->policy.start[AA_CLASS_FILE];
|
||||
} else
|
||||
rules->file.perms = kcalloc(rules->policy.size,
|
||||
sizeof(struct aa_perms),
|
||||
GFP_KERNEL);
|
||||
if (!rules->file.perms)
|
||||
goto fail;
|
||||
memcpy(rules->file.perms, rules->policy.perms,
|
||||
rules->policy.size * sizeof(struct aa_perms));
|
||||
rules->file.size = rules->policy.size;
|
||||
} else {
|
||||
rules->file.dfa = aa_get_dfa(nulldfa);
|
||||
|
||||
rules->file.perms = kcalloc(2, sizeof(struct aa_perms),
|
||||
GFP_KERNEL);
|
||||
if (!rules->file.perms)
|
||||
goto fail;
|
||||
rules->file.size = 2;
|
||||
}
|
||||
error = -EPROTO;
|
||||
if (aa_unpack_nameX(e, AA_STRUCT, "data")) {
|
||||
info = "out of memory";
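Review bot: The copy of the policy perms table at L160-L178 zero-fills with kcalloc() and then overwrites the whole allocation with memcpy(), with the element count and size computed twice — overflow-checked inside kcalloc() but as a bare multiplication in the memcpy() length. `kmemdup()` with `array_size()` does the same in one call and uses the saturating size for both: `rules->file.perms = kmemdup(rules->policy.perms, array_size(rules->policy.size, sizeof(struct aa_perms)), GFP_KERNEL);` followed by the existing NULL check and `rules->file.size = rules->policy.size;`. Whether the multiplication can actually overflow depends on the type of policy.size, which this hunk does not show. unpack_profile() and its fail label lie outside the hunk; the `goto fail` at L169 and L198 relies on that path releasing the file.dfa references taken at L151/L187, which cannot be confirmed from here.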
|
||||
|
|