[apparmor] [PATCH 2/6] libapparmor: Don't count NUL terminator byte

Tyler Hicks tyhicks at canonical.com
Mon Apr 13 21:56:28 UTC 2015


When passing the size of the confinement context to
parse_confinement_mode(), don't include the NUL terminator byte in the
size.

It is confusing to count the NUL terminator as part of the string's
length. This change makes it so that, after a few additional changes,
parse_confinement_mode() can be exposed as part of libapparmor's public
API.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 libraries/libapparmor/src/kernel.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
index 9d5f45d..14593b7 100644
--- a/libraries/libapparmor/src/kernel.c
+++ b/libraries/libapparmor/src/kernel.c
@@ -154,7 +154,7 @@ static char *procattr_path(pid_t pid, const char *attr)
 /**
  * parse_confinement_mode - get the mode from the confinement context
  * @con: the confinement context
- * @size: size of the confinement context
+ * @size: size of the confinement context (not including the NUL terminator)
  *
  * Modifies con to NUL-terminate the label string and the mode string.
  *
@@ -164,14 +164,14 @@ static char *procattr_path(pid_t pid, const char *attr)
 static char *parse_confinement_mode(char *con, int size)
 {
 	if (strcmp(con, "unconfined") != 0 &&
-	    size > 4 && con[size - 2] == ')') {
-		int pos = size - 3;
+	    size > 3 && con[size - 1] == ')') {
+		int pos = size - 2;
 
 		while (pos > 0 && !(con[pos] == ' ' && con[pos + 1] == '('))
 			pos--;
 		if (pos > 0) {
 			con[pos] = 0; /* overwrite ' ' */
-			con[size - 2] = 0; /* overwrite trailing ) */
+			con[size - 1] = 0; /* overwrite trailing ) */
 			return &con[pos + 2]; /* skip '(' */
 		}
 	}
@@ -236,18 +236,21 @@ int aa_getprocattr_raw(pid_t tid, const char *attr, char *buf, int len,
 		errno = saved;
 		goto out;
 	} else if (size > 0 && buf[size - 1] != 0) {
+		char *nul;
+
 		/* check for null termination */
 		if (buf[size - 1] == '\n') {
-			buf[size - 1] = 0;
+			nul = &buf[size - 1];
 		} else if (len == 0) {
 			errno = ERANGE;
 			goto out2;
 		} else {
-			buf[size] = 0;
+			nul = &buf[size];
 			size++;
 		}
 
-		mode_str = parse_confinement_mode(buf, size);
+		*nul = 0;
+		mode_str = parse_confinement_mode(buf, nul - buf);
 		if (mode)
 			*mode = mode_str;
 	}
@@ -614,7 +617,7 @@ int aa_getpeercon_raw(int fd, char *buf, int *len, char **mode)
 		}
 	}
 
-	mode_str = parse_confinement_mode(buf, optlen);
+	mode_str = parse_confinement_mode(buf, optlen - 1);
 	if (mode)
 		*mode = mode_str;
 
-- 
2.1.4




More information about the AppArmor mailing list