xref: /kernel/linux/linux-6.6/security/apparmor/policy_compat.c

51  * map old dfa inline permissions to new format
53 #define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \
54 				    ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
55 #define dfa_user_xbits(dfa, state) (((ACCEPT_TABLE(dfa)[state]) >> 7) & 0x7f)
56 #define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f)
57 #define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f)
58 #define dfa_user_xindex(dfa, state) \
59 	(dfa_map_xindex(ACCEPT_TABLE(dfa)[state] & 0x3fff))
61 #define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \
63 				     ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
64 #define dfa_other_xbits(dfa, state) \
65 	((((ACCEPT_TABLE(dfa)[state]) >> 7) >> 14) & 0x7f)
66 #define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f)
67 #define dfa_other_quiet(dfa, state) \
68 	((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f)
69 #define dfa_other_xindex(dfa, state) \
70 	dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
100 static void compute_fperms_allow(struct aa_perms *perms, struct aa_dfa *dfa,
106 	if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
108 	if (ACCEPT_TABLE(dfa)[state] & 0x40000000)
112 static struct aa_perms compute_fperms_user(struct aa_dfa *dfa,
117 	perms.allow = map_old_perms(dfa_user_allow(dfa, state));
118 	perms.audit = map_old_perms(dfa_user_audit(dfa, state));
119 	perms.quiet = map_old_perms(dfa_user_quiet(dfa, state));
120 	perms.xindex = dfa_user_xindex(dfa, state);
122 	compute_fperms_allow(&perms, dfa, state);
127 static struct aa_perms compute_fperms_other(struct aa_dfa *dfa,
132 	perms.allow = map_old_perms(dfa_other_allow(dfa, state));
133 	perms.audit = map_old_perms(dfa_other_audit(dfa, state));
134 	perms.quiet = map_old_perms(dfa_other_quiet(dfa, state));
135 	perms.xindex = dfa_other_xindex(dfa, state);
137 	compute_fperms_allow(&perms, dfa, state);
143  * compute_fperms - convert dfa compressed perms to internal perms and store
145  * @dfa: a dfa using fperms to remap to internal permissions
149 static struct aa_perms *compute_fperms(struct aa_dfa *dfa,
156 	AA_BUG(!dfa);
158 	state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
166 		table[state * 2] = compute_fperms_user(dfa, state);
167 		table[state * 2 + 1] = compute_fperms_other(dfa, state);
209 static struct aa_perms compute_perms_entry(struct aa_dfa *dfa,
215 	perms.allow = dfa_user_allow(dfa, state);
216 	perms.audit = dfa_user_audit(dfa, state);
217 	perms.quiet = dfa_user_quiet(dfa, state);
230 	perms.allow |= map_other(dfa_other_allow(dfa, state));
234 		perms.allow |= map_xbits(dfa_user_xbits(dfa, state));
240 	perms.audit |= map_other(dfa_other_audit(dfa, state));
241 	perms.quiet |= map_other(dfa_other_quiet(dfa, state));
243 		perms.quiet |= map_xbits(dfa_other_xbits(dfa, state));
248 static struct aa_perms *compute_perms(struct aa_dfa *dfa, u32 version,
255 	AA_BUG(!dfa);
257 	state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
266 		table[state] = compute_perms_entry(dfa, state, version);
272  * remap_dfa_accept - remap old dfa accept table to be an index
273  * @dfa: dfa to do the remapping on
277  * that are encoded in the dfa accept tables to the new style where
281 static void remap_dfa_accept(struct aa_dfa *dfa, unsigned int factor)
284 	unsigned int state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
286 	AA_BUG(!dfa);
289 		ACCEPT_TABLE(dfa)[state] = state * factor;
290 	kvfree(dfa->tables[YYTD_ID_ACCEPT2]);
291 	dfa->tables[YYTD_ID_ACCEPT2] = NULL;
294 /* TODO: merge different dfa mappings into single map_policy fn */
297 	policy->perms = compute_xmatch_perms(policy->dfa, &policy->size);
301 	remap_dfa_accept(policy->dfa, 1);
308 	policy->perms = compute_perms(policy->dfa, version, &policy->size);
312 	remap_dfa_accept(policy->dfa, 1);
319 	policy->perms = compute_fperms(policy->dfa, &policy->size);
323 	remap_dfa_accept(policy->dfa, 2);

Indexes created Thu Nov 07 10:32:03 CST 2024