[apparmor] [PATCH 3/6] libapparmor: Clean up confinement context's unconfined check

Tyler Hicks tyhicks at canonical.com
Mon Apr 13 21:56:29 UTC 2015


Use the passed in confinement context string size to improve the
comparison by only doing the string comparison if the size matches and
removing the possibility of reading past the end of the buffer.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 libraries/libapparmor/src/kernel.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
index 14593b7..b167050 100644
--- a/libraries/libapparmor/src/kernel.c
+++ b/libraries/libapparmor/src/kernel.c
@@ -43,6 +43,9 @@
 #define default_symbol_version(real, name, version) \
 		__asm__ (".symver " #real "," #name "@@" #version)
 
+#define UNCONFINED		"unconfined"
+#define UNCONFINED_SIZE		strlen(UNCONFINED)
+
 /**
  * aa_find_mountpoint - find where the apparmor interface filesystem is mounted
  * @mnt: returns buffer with the mountpoint string
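Review bot: `UNCONFINED_SIZE` expands to a `strlen()` call, so it is not a constant expression and every use depends on `<string.h>` being in scope and on the compiler folding the call. Because `UNCONFINED` is a string literal, `#define UNCONFINED_SIZE (sizeof(UNCONFINED) - 1)` yields the same value at compile time. A short comment on the macro saying that the size excludes the NUL terminator would match the wording used for `@size` in the kernel-doc added later in this patch.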
@@ -152,6 +155,19 @@ static char *procattr_path(pid_t pid, const char *attr)
 }
 
 /**
+ * parse_unconfined - check for the unconfined label
+ * @con: the confinement context
+ * @size: size of the confinement context (not including the NUL terminator)
+ *
+ * Returns: True if the con is the unconfined label or false otherwise
+ */
+static bool parse_unconfined(char *con, int size)
+{
+	return size == UNCONFINED_SIZE &&
+	       strncmp(con, UNCONFINED, UNCONFINED_SIZE) == 0;
+}
+
+/**
  * parse_confinement_mode - get the mode from the confinement context
  * @con: the confinement context
  * @size: size of the confinement context (not including the NUL terminator)
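Review bot: In `parse_unconfined`, `size == UNCONFINED_SIZE` compares an `int` with a `size_t`, so a negative `size` is converted to a large unsigned value before the test. The result is still false, but only through that conversion, and the line warns under `-Wsign-compare`. Writing the intent out as `return size > 0 && (size_t)size == UNCONFINED_SIZE &&` keeps the bounded read obviously safe. `con` is only read here, so the parameter can be `const char *con`. The length check prevents an over-read only if `size` really is the number of valid bytes in `con`; the callers are not visible in this hunk, so the kernel-doc could state that requirement, e.g. `@size: number of valid bytes in @con, not including the NUL terminator`.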
@@ -163,8 +179,7 @@ static char *procattr_path(pid_t pid, const char *attr)
  */
 static char *parse_confinement_mode(char *con, int size)
 {
-	if (strcmp(con, "unconfined") != 0 &&
-	    size > 3 && con[size - 1] == ')') {
+	if (!parse_unconfined(con, size) && size > 3 && con[size - 1] == ')') {
 		int pos = size - 2;
 
 		while (pos > 0 && !(con[pos] == ' ' && con[pos + 1] == '('))
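Review bot: The `!parse_unconfined(con, size)` term cannot change the outcome of this condition: whenever it matches, `size` equals the length of "unconfined" and `con[size - 1]` is `'d'`, so the `con[size - 1] == ')'` test already fails. If the call is kept for readability, a one-line comment such as `/* "unconfined" never carries a "(mode)" suffix */` would make that explicit; otherwise the condition reduces to `if (size > 3 && con[size - 1] == ')') {`. The body of `parse_confinement_mode` continues past the end of this hunk.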
-- 
2.1.4



