state = aa_dfa_match_len(dfa, profile->policy.start[0],
match_str, match_len);
if (state)
- tmp = *aa_lookup_perms(profile->policy.perms, state);
+ tmp = *aa_lookup_perms(&profile->policy, state);
}
aa_apply_modes_to_perms(profile, &tmp);
aa_perms_accum_raw(perms, &tmp);
extern struct aa_perms default_perms;
-static inline struct aa_perms *aa_lookup_perms(struct aa_perms *perms,
- unsigned int state)
-{
- if (!(perms))
- return &default_perms;
-
- return &(perms[state]);
-}
void aa_perm_mask_to_str(char *str, size_t str_size, const char *chrs,
u32 mask);
}
+static inline struct aa_perms *aa_lookup_perms(struct aa_policydb *policy,
+ unsigned int state)
+{
+ unsigned int index = ACCEPT_TABLE(policy->dfa)[state];
+
+ if (!(policy->perms))
+ return &default_perms;
+
+ return &(policy->perms[index]);
+}
+
+
/* struct aa_data - generic data structure
* key: name for retrieving this data
* size: size of data in bytes
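Review bot: The new aa_lookup_perms() uses the accept-table entry for `state` as a raw index into `policy->perms` with no bound check, so an out-of-range entry in a loaded policy — or a DFA whose accept values were not remapped — reads past the end of the permission table. The table is produced by compute_perms() in the unpack hunk of this same diff, so its length can be recorded next to `perms` in struct aa_policydb and checked here: `if (!(policy->perms) || index >= <perms-table-length>) return &default_perms;` where `<perms-table-length>` is whatever count field the policydb gains for it. Note that the verify_profile change in the last hunk only validates xindex values and would not catch a bad accept index, so the check at lookup time (or an equivalent one at load time) is the only guard.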
if (!state)
goto fail;
}
- *perms = *aa_lookup_perms(profile->policy.perms, state);
+ *perms = *aa_lookup_perms(&profile->policy, state);
aa_apply_modes_to_perms(profile, perms);
if ((perms->allow & request) != request)
return -EACCES;
return 0;
next:
- tmp = *aa_lookup_perms(profile->policy.perms, state);
+ tmp = *aa_lookup_perms(&profile->policy, state);
aa_apply_modes_to_perms(profile, &tmp);
aa_perms_accum(perms, &tmp);
label_for_each_cont(i, label, tp) {
state = match_component(profile, tp, start);
if (!state)
goto fail;
- tmp = *aa_lookup_perms(profile->policy.perms, state);
+ tmp = *aa_lookup_perms(&profile->policy, state);
aa_apply_modes_to_perms(profile, &tmp);
aa_perms_accum(perms, &tmp);
}
state = match_mnt_flags(policy->dfa, state, flags);
if (!state)
return 4;
- *perms = *aa_lookup_perms(policy->perms, state);
+ *perms = *aa_lookup_perms(policy, state);
if (perms->allow & AA_MAY_MOUNT)
return 0;
state = aa_dfa_match(policy->dfa, state, data);
if (!state)
return 5;
- *perms = *aa_lookup_perms(policy->perms, state);
+ *perms = *aa_lookup_perms(policy, state);
if (perms->allow & AA_MAY_MOUNT)
return 0;
}
state = aa_dfa_match(profile->policy.dfa,
profile->policy.start[AA_CLASS_MOUNT],
name);
- perms = *aa_lookup_perms(profile->policy.perms, state);
+ perms = *aa_lookup_perms(&profile->policy, state);
if (AA_MAY_UMOUNT & ~perms.allow)
error = -EACCES;
new_name);
state = aa_dfa_null_transition(profile->policy.dfa, state);
state = aa_dfa_match(profile->policy.dfa, state, old_name);
- perms = *aa_lookup_perms(profile->policy.perms, state);
+ perms = *aa_lookup_perms(&profile->policy, state);
if (AA_MAY_PIVOTROOT & perms.allow)
error = 0;
buffer[1] = cpu_to_be16((u16) type);
state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer,
4);
- perms = *aa_lookup_perms(profile->policy.perms, state);
+ perms = *aa_lookup_perms(&profile->policy, state);
aa_apply_modes_to_perms(profile, &perms);
return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
}
if (!unpack_nameX(e, AA_STRUCTEND, NULL))
goto fail;
+ profile->policy.perms = compute_perms(profile->policy.dfa);
+ if (!profile->policy.perms) {
+ info = "failed to remap policydb permission table";
+ goto fail;
+ }
+ /* Do not remap internal dfas */
+ remap_dfa_accept(profile->policy.dfa, 1);
} else
profile->policy.dfa = aa_get_dfa(nulldfa);
- profile->policy.perms = compute_perms(profile->policy.dfa);
- if (!profile->policy.perms) {
- info = "failed to remap policydb permission table";
- goto fail;
- }
/* get file rules */
profile->file.dfa = unpack_dfa(e);
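Review bot: The ordering of `compute_perms()` before `remap_dfa_accept()` is load-bearing but undocumented: `/* Do not remap internal dfas */` explains why the call moved into the branch, not that compute_perms presumably needs the original accept values and the remap then rewrites them as indices. A comment such as `/* compute_perms() consumes the raw accept values; remap afterwards so they become indices into policy.perms */` would make it clear the two calls must stay in this order. The nulldfa branch no longer calls compute_perms, so `profile->policy.perms` stays NULL there and every lookup relies on the `!policy->perms` fallback to default_perms in aa_lookup_perms(); a one-line comment on the `else` branch saying so would save the next reader from looking for a missing assignment. The enclosing function starts and ends outside this hunk.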
*/
static int verify_profile(struct aa_profile *profile)
{
- if (profile->file.dfa &&
+ if ((profile->file.dfa &&
!verify_dfa_xindex(profile->file.dfa,
- profile->file.trans.size)) {
+ profile->file.trans.size)) ||
+ (profile->policy.dfa &&
+ !verify_dfa_xindex(profile->policy.dfa,
+ profile->policy.trans.size))) {
audit_iface(profile, NULL, NULL,
"Unpack: Invalid named transition", NULL, -EPROTO);
return -EPROTO;