apparmor: extend xindex size

Allow the xindex to have 2^24 entries.

Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
index 4212426..521c856 100644 (file)
--- a/security/apparmor/include/file.h
+++ b/security/apparmor/include/file.h
@@ -88,18 +88,17 @@ static inline struct aa_label *aa_get_file_label(struct aa_file_ctx *ctx)
  * - exec type - which determines how the executable name and index are used
  * - flags - which modify how the destination name is applied
  */
-#define AA_X_INDEX_MASK                0x03ff
-
-#define AA_X_TYPE_MASK         0x0c00
-#define AA_X_TYPE_SHIFT                10
-#define AA_X_NONE              0x0000
-#define AA_X_NAME              0x0400  /* use executable name px */
-#define AA_X_TABLE             0x0800  /* use a specified name ->n# */
-
-#define AA_X_UNSAFE            0x1000
-#define AA_X_CHILD             0x2000  /* make >AA_X_NONE apply to children */
-#define AA_X_INHERIT           0x4000
-#define AA_X_UNCONFINED                0x8000
+#define AA_X_INDEX_MASK                0x00ffffff
+
+#define AA_X_TYPE_MASK         0x0c000000
+#define AA_X_NONE              0x00000000
+#define AA_X_NAME              0x04000000 /* use executable name px */
+#define AA_X_TABLE             0x08000000 /* use a specified name ->n# */
+
+#define AA_X_UNSAFE            0x10000000
+#define AA_X_CHILD             0x20000000
+#define AA_X_INHERIT           0x40000000
+#define AA_X_UNCONFINED                0x80000000
 
 /* need to make conditional which ones are being set */
 struct path_cond {

diff --git a/security/apparmor/include/perms.h b/security/apparmor/include/perms.h
index 1014a7b..8739cef 100644 (file)
--- a/security/apparmor/include/perms.h
+++ b/security/apparmor/include/perms.h
@@ -78,7 +78,7 @@ struct aa_perms {
        u32 quiet;      /* set only when ~allow | deny */
        u32 hide;       /* set only when  ~allow | deny */
 
-       u16 xindex;
+       u32 xindex;
 };
 
 #define ALL_PERMS_MASK 0xffffffff

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 32cca5f..c578d9a 100644 (file)
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -489,8 +489,8 @@ static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile)
                int i, size;
 
                size = unpack_array(e, NULL);
-               /* currently 4 exec bits and entries 0-3 are reserved iupcx */
-               if (size > 16 - 4)
+               /* currently 2^24 bits entries 0-3 */
+               if (size > (1 << 24))
                        goto fail;
                profile->file.trans.table = kcalloc(size, sizeof(char *),
                                                    GFP_KERNEL);
@@ -672,10 +672,10 @@ static int datacmp(struct rhashtable_compare_arg *arg, const void *obj)
 }
 
 /* remap old accept table embedded permissions to separate permission table */
-static u16 dfa_map_xindex(u16 mask)
+static u32 dfa_map_xindex(u16 mask)
 {
        u16 old_index = (mask >> 10) & 0xf;
-       u16 index = 0;
+       u32 index = 0;
 
        if (mask & 0x100)
                index |= AA_X_UNSAFE;