Skip to content

Commit

Permalink
apparmor: remove no-op permission check in policy_unpack
Browse files Browse the repository at this point in the history 
The patch 736ec75: "AppArmor: policy routines for loading and
unpacking policy" from Jul 29, 2010, leads to the following static
checker warning:

    security/apparmor/policy_unpack.c:410 verify_accept()
    warn: bitwise AND condition is false here

    security/apparmor/policy_unpack.c:413 verify_accept()
    warn: bitwise AND condition is false here

security/apparmor/policy_unpack.c
   392  #define DFA_VALID_PERM_MASK             0xffffffff
   393  #define DFA_VALID_PERM2_MASK            0xffffffff
   394
   395  /**
   396   * verify_accept - verify the accept tables of a dfa
   397   * @dfa: dfa to verify accept tables of (NOT NULL)
   398   * @flags: flags governing dfa
   399   *
   400   * Returns: 1 if valid accept tables else 0 if error
   401   */
   402  static bool verify_accept(struct aa_dfa *dfa, int flags)
   403  {
   404          int i;
   405
   406          /* verify accept permissions */
   407          for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
   408                  int mode = ACCEPT_TABLE(dfa)[i];
   409
   410                  if (mode & ~DFA_VALID_PERM_MASK)
   411                          return 0;
   412
   413                  if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
   414                          return 0;

fixes: 736ec75 ("AppArmor: policy routines for loading and unpacking policy")
Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: John Johansen <[email protected]>
  • Loading branch information
John Johansen committed Aug 23, 2018
1 parent 0a6b292 commit c037bd6
Showing 1 changed file with 0 additions and 32 deletions.
32 changes: 0 additions & 32 deletions security/apparmor/policy_unpack.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -389,32 +389,6 @@ static int unpack_strdup(struct aa_ext *e, char **string, const char *name)
return res;
}

#define DFA_VALID_PERM_MASK 0xffffffff
#define DFA_VALID_PERM2_MASK 0xffffffff

/**
* verify_accept - verify the accept tables of a dfa
* @dfa: dfa to verify accept tables of (NOT NULL)
* @flags: flags governing dfa
*
* Returns: 1 if valid accept tables else 0 if error
*/
static bool verify_accept(struct aa_dfa *dfa, int flags)
{
int i;

/* verify accept permissions */
for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
int mode = ACCEPT_TABLE(dfa)[i];

if (mode & ~DFA_VALID_PERM_MASK)
return 0;

if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
return 0;
}
return 1;
}

/**
* unpack_dfa - unpack a file rule dfa
Expand Down Expand Up @@ -445,15 +419,9 @@ static struct aa_dfa *unpack_dfa(struct aa_ext *e)
if (IS_ERR(dfa))
return dfa;

if (!verify_accept(dfa, flags))
goto fail;
}

return dfa;

fail:
aa_put_dfa(dfa);
return ERR_PTR(-EPROTO);
}

/**
Expand Down

0 comments on commit c037bd6

Please sign in to comment.