apparmor: allow policydb to be used as the file dfa

Newer policy will combine the file and policydb dfas, allowing for better optimizations. However to support older policy we need to keep the ability to address the "file" dfa separately. So dup the policydb as if it is the file dfa and set the appropriate start state. Signed-off-by: N John Johansen <john.johansen@canonical.com>

apparmor: allow policydb to be used as the file dfa
Newer policy will combine the file and policydb dfas, allowing for better optimizations. However to support older policy we need to keep the ability to address the "file" dfa separately. So dup the policydb as if it is the file dfa and set the appropriate start state. Signed-off-by: N John Johansen <john.johansen@canonical.com>
6604d4c1 · John Johansen · 293a4886 · 6604d4c1
显示空白变更内容
内联并排

Showing with 8 addition and 4 deletion

security/apparmor/policy_unpack.c security/apparmor/policy_unpack.c +8 -4

未找到文件。
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -611,11 +611,15 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
 		error = PTR_ERR(profile->file.dfa);
 		profile->file.dfa = NULL;
 		goto fail;
-	}
+	} else if (profile->file.dfa) {
 		if (!unpack_u32(e, &profile->file.start, "dfa_start"))
 			/* default start state */
 			profile->file.start = DFA_START;
+	} else if (profile->policy.dfa &&
+		   profile->policy.start[AA_CLASS_FILE]) {
+		profile->file.dfa = aa_get_dfa(profile->policy.dfa);
+		profile->file.start = profile->policy.start[AA_CLASS_FILE];
+	}
 	if (!unpack_trans_table(e, profile))
 		goto fail;