leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity

apparmor: remove no-op permission check in policy_unpack

Browse Source 
The patch 736ec752d9: "AppArmor: policy routines for loading and
unpacking policy" from Jul 29, 2010, leads to the following static
checker warning:

    security/apparmor/policy_unpack.c:410 verify_accept()
    warn: bitwise AND condition is false here

    security/apparmor/policy_unpack.c:413 verify_accept()
    warn: bitwise AND condition is false here

security/apparmor/policy_unpack.c
   392  #define DFA_VALID_PERM_MASK             0xffffffff
   393  #define DFA_VALID_PERM2_MASK            0xffffffff
   394
   395  /**
   396   * verify_accept - verify the accept tables of a dfa
   397   * @dfa: dfa to verify accept tables of (NOT NULL)
   398   * @flags: flags governing dfa
   399   *
   400   * Returns: 1 if valid accept tables else 0 if error
   401   */
   402  static bool verify_accept(struct aa_dfa *dfa, int flags)
   403  {
   404          int i;
   405
   406          /* verify accept permissions */
   407          for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
   408                  int mode = ACCEPT_TABLE(dfa)[i];
   409
   410                  if (mode & ~DFA_VALID_PERM_MASK)
   411                          return 0;
   412
   413                  if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
   414                          return 0;

fixes: 736ec752d9 ("AppArmor: policy routines for loading and unpacking policy")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2018-08-21 17:19:53 -07:00
parent 0a6b29230e
commit c037bd6158
1 changed files with 0 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
security/apparmor/policy_unpack.c
View File

@ -389,32 +389,6 @@ static int unpack_strdup(struct aa_ext *e, char **string, const char *name)
return res;
}
#define DFA_VALID_PERM_MASK 0xffffffff
#define DFA_VALID_PERM2_MASK 0xffffffff
/**
* verify_accept - verify the accept tables of a dfa
* @dfa: dfa to verify accept tables of (NOT NULL)
* @flags: flags governing dfa
*
* Returns: 1 if valid accept tables else 0 if error
*/
static bool verify_accept(struct aa_dfa *dfa, int flags)
{
int i;
/* verify accept permissions */
for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
int mode = ACCEPT_TABLE(dfa)[i];
if (mode & ~DFA_VALID_PERM_MASK)
return 0;
if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
return 0;
}
return 1;
}
/**
* unpack_dfa - unpack a file rule dfa
@ -445,15 +419,9 @@ static struct aa_dfa *unpack_dfa(struct aa_ext *e)
if (IS_ERR(dfa))
return dfa;
if (!verify_accept(dfa, flags))
goto fail;
}
return dfa;
fail:
aa_put_dfa(dfa);
return ERR_PTR(-EPROTO);
}
/**