Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c037bd61 authored by John Johansen's avatar John Johansen
Browse files

apparmor: remove no-op permission check in policy_unpack 



The patch 736ec752: "AppArmor: policy routines for loading and
unpacking policy" from Jul 29, 2010, leads to the following static
checker warning:

    security/apparmor/policy_unpack.c:410 verify_accept()
    warn: bitwise AND condition is false here

    security/apparmor/policy_unpack.c:413 verify_accept()
    warn: bitwise AND condition is false here

security/apparmor/policy_unpack.c
   392  #define DFA_VALID_PERM_MASK             0xffffffff
   393  #define DFA_VALID_PERM2_MASK            0xffffffff
   394
   395  /**
   396   * verify_accept - verify the accept tables of a dfa
   397   * @dfa: dfa to verify accept tables of (NOT NULL)
   398   * @flags: flags governing dfa
   399   *
   400   * Returns: 1 if valid accept tables else 0 if error
   401   */
   402  static bool verify_accept(struct aa_dfa *dfa, int flags)
   403  {
   404          int i;
   405
   406          /* verify accept permissions */
   407          for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
   408                  int mode = ACCEPT_TABLE(dfa)[i];
   409
   410                  if (mode & ~DFA_VALID_PERM_MASK)
   411                          return 0;
   412
   413                  if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
   414                          return 0;

fixes: 736ec752 ("AppArmor: policy routines for loading and unpacking policy")
Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 0a6b2923

security/apparmor/policy_unpack.c

+0 −32
Original line number Diff line number Diff line
@@ -389,32 +389,6 @@ static int unpack_strdup(struct aa_ext *e, char **string, const char *name) 
	return res;

}



#define DFA_VALID_PERM_MASK		0xffffffff

#define DFA_VALID_PERM2_MASK		0xffffffff



/**

 * verify_accept - verify the accept tables of a dfa

 * @dfa: dfa to verify accept tables of (NOT NULL)

 * @flags: flags governing dfa

 *

 * Returns: 1 if valid accept tables else 0 if error

 */

static bool verify_accept(struct aa_dfa *dfa, int flags)

{

	int i;



	/* verify accept permissions */

	for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {

		int mode = ACCEPT_TABLE(dfa)[i];



		if (mode & ~DFA_VALID_PERM_MASK)

			return 0;



		if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)

			return 0;

	}

	return 1;

}



/**

 * unpack_dfa - unpack a file rule dfa
@@ -445,15 +419,9 @@ static struct aa_dfa *unpack_dfa(struct aa_ext *e) 
		if (IS_ERR(dfa))

			return dfa;



		if (!verify_accept(dfa, flags))

			goto fail;

	}



	return dfa;



fail:

	aa_put_dfa(dfa);

	return ERR_PTR(-EPROTO);

}



/**