[apparmor] [PATCH 3/6] libapparmor: Clean up confinement context's unconfined check

Seth Arnold seth.arnold at canonical.com
Wed May 13 01:33:02 UTC 2015 

On Mon, Apr 13, 2015 at 04:56:29PM -0500, Tyler Hicks wrote:
> Use the passed in confinement context string size to improve the
> comparison by only doing the string comparison if the size matches and
> removing the possibility of reading past the end of the buffer.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> ---
>  libraries/libapparmor/src/kernel.c | 19 +++++++++++++++++--
>  1 file changed, 17 insertions(+), 2 deletions(-)
> 
> diff --git a/libraries/libapparmor/src/kernel.c b/libraries/libapparmor/src/kernel.c
> index 14593b7..b167050 100644
> --- a/libraries/libapparmor/src/kernel.c
> +++ b/libraries/libapparmor/src/kernel.c
> @@ -43,6 +43,9 @@
>  #define default_symbol_version(real, name, version) \
>  		__asm__ (".symver " #real "," #name "@@" #version)
>  
> +#define UNCONFINED		"unconfined"
> +#define UNCONFINED_SIZE		strlen(UNCONFINED)
> +
>  /**
>   * aa_find_mountpoint - find where the apparmor interface filesystem is mounted
>   * @mnt: returns buffer with the mountpoint string
> @@ -152,6 +155,19 @@ static char *procattr_path(pid_t pid, const char *attr)
>  }
>  
>  /**
> + * parse_unconfined - check for the unconfined label
> + * @con: the confinement context
> + * @size: size of the confinement context (not including the NUL terminator)
> + *
> + * Returns: True if the con is the unconfined label or false otherwise
> + */
> +static bool parse_unconfined(char *con, int size)
> +{
> +	return size == UNCONFINED_SIZE &&
> +	       strncmp(con, UNCONFINED, UNCONFINED_SIZE) == 0;
> +}
> +
> +/**
>   * parse_confinement_mode - get the mode from the confinement context
>   * @con: the confinement context
>   * @size: size of the confinement context (not including the NUL terminator)
> @@ -163,8 +179,7 @@ static char *procattr_path(pid_t pid, const char *attr)
>   */
>  static char *parse_confinement_mode(char *con, int size)
>  {
> -	if (strcmp(con, "unconfined") != 0 &&
> -	    size > 3 && con[size - 1] == ')') {
> +	if (!parse_unconfined(con, size) && size > 3 && con[size - 1] == ')') {
>  		int pos = size - 2;
>  
>  		while (pos > 0 && !(con[pos] == ' ' && con[pos + 1] == '('))
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150512/d2dbbb41/attachment.pgp>

More information about the AppArmor mailing list