apparmor: misc cleanup of match

tidying up comments, includes and defines

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
This commit is contained in:
John Johansen 2013-02-18 16:08:34 -08:00
parent cf47aede3b
commit 8e4ff109d0
2 changed files with 14 additions and 8 deletions

View File

@ -4,7 +4,7 @@
* This file contains AppArmor policy dfa matching engine definitions. * This file contains AppArmor policy dfa matching engine definitions.
* *
* Copyright (C) 1998-2008 Novell/SUSE * Copyright (C) 1998-2008 Novell/SUSE
* Copyright 2009-2010 Canonical Ltd. * Copyright 2009-2012 Canonical Ltd.
* *
* This program is free software; you can redistribute it and/or * This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as * modify it under the terms of the GNU General Public License as
@ -16,7 +16,6 @@
#define __AA_MATCH_H #define __AA_MATCH_H
#include <linux/kref.h> #include <linux/kref.h>
#include <linux/workqueue.h>
#define DFA_NOMATCH 0 #define DFA_NOMATCH 0
#define DFA_START 1 #define DFA_START 1
@ -29,12 +28,20 @@
* file format (--tables-file option; see Table File Format in the flex * file format (--tables-file option; see Table File Format in the flex
* info pages and the flex sources for documentation). The magic number * info pages and the flex sources for documentation). The magic number
* used in the header is 0x1B5E783D instead of 0xF13C57B1 though, because * used in the header is 0x1B5E783D instead of 0xF13C57B1 though, because
* the YY_ID_CHK (check) and YY_ID_DEF (default) tables are used * new tables have been defined and others YY_ID_CHK (check) and YY_ID_DEF
* slightly differently (see the apparmor-parser package). * (default) tables are used slightly differently (see the apparmor-parser
* package).
*
*
* The data in the packed dfa is stored in network byte order, and the tables
* are arranged for flexibility. We convert the table data to host native
* byte order.
*
* The dfa begins with a table set header, and is followed by the actual
* tables.
*/ */
#define YYTH_MAGIC 0x1B5E783D #define YYTH_MAGIC 0x1B5E783D
#define YYTH_DEF_RECURSE 0x1 /* DEF Table is recursive */
struct table_set_header { struct table_set_header {
u32 th_magic; /* YYTH_MAGIC */ u32 th_magic; /* YYTH_MAGIC */
@ -63,7 +70,7 @@ struct table_set_header {
#define YYTD_DATA32 4 #define YYTD_DATA32 4
#define YYTD_DATA64 8 #define YYTD_DATA64 8
/* Each ACCEPT2 table gets 6 dedicated flags, YYTD_DATAX define the /* ACCEPT & ACCEPT2 tables gets 6 dedicated flags, YYTD_DATAX define the
* first flags * first flags
*/ */
#define ACCEPT1_FLAGS(X) ((X) & 0x3f) #define ACCEPT1_FLAGS(X) ((X) & 0x3f)

View File

@ -4,7 +4,7 @@
* This file contains AppArmor dfa based regular expression matching engine * This file contains AppArmor dfa based regular expression matching engine
* *
* Copyright (C) 1998-2008 Novell/SUSE * Copyright (C) 1998-2008 Novell/SUSE
* Copyright 2009-2010 Canonical Ltd. * Copyright 2009-2012 Canonical Ltd.
* *
* This program is free software; you can redistribute it and/or * This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as * modify it under the terms of the GNU General Public License as
@ -137,7 +137,6 @@ static int verify_dfa(struct aa_dfa *dfa, int flags)
for (i = 0; i < state_count; i++) { for (i = 0; i < state_count; i++) {
if (DEFAULT_TABLE(dfa)[i] >= state_count) if (DEFAULT_TABLE(dfa)[i] >= state_count)
goto out; goto out;
/* TODO: do check that DEF state recursion terminates */
if (BASE_TABLE(dfa)[i] + 255 >= trans_count) { if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
printk(KERN_ERR "AppArmor DFA next/check upper " printk(KERN_ERR "AppArmor DFA next/check upper "
"bounds error\n"); "bounds error\n");