[PATCH 3.16 156/328] apparmor: remove no-op permission check in policy_unpack

Sun, 09 Dec 2018 14:11:24 -0800 

3.16.62-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: John Johansen <john.johan...@canonical.com>

commit c037bd615885f1d9d3bdb48531bace79fae1505d upstream.

The patch 736ec752d95e: "AppArmor: policy routines for loading and
unpacking policy" from Jul 29, 2010, leads to the following static
checker warning:

    security/apparmor/policy_unpack.c:410 verify_accept()
    warn: bitwise AND condition is false here

    security/apparmor/policy_unpack.c:413 verify_accept()
    warn: bitwise AND condition is false here

security/apparmor/policy_unpack.c
   392  #define DFA_VALID_PERM_MASK             0xffffffff
   393  #define DFA_VALID_PERM2_MASK            0xffffffff
   394
   395  /**
   396   * verify_accept - verify the accept tables of a dfa
   397   * @dfa: dfa to verify accept tables of (NOT NULL)
   398   * @flags: flags governing dfa
   399   *
   400   * Returns: 1 if valid accept tables else 0 if error
   401   */
   402  static bool verify_accept(struct aa_dfa *dfa, int flags)
   403  {
   404          int i;
   405
   406          /* verify accept permissions */
   407          for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
   408                  int mode = ACCEPT_TABLE(dfa)[i];
   409
   410                  if (mode & ~DFA_VALID_PERM_MASK)
   411                          return 0;
   412
   413                  if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
   414                          return 0;

fixes: 736ec752d95e ("AppArmor: policy routines for loading and unpacking 
policy")
Reported-by: Dan Carpenter <dan.carpen...@oracle.com>
Signed-off-by: John Johansen <john.johan...@canonical.com>
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
 security/apparmor/policy_unpack.c | 32 -------------------------------
 1 file changed, 32 deletions(-)

--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -290,32 +290,6 @@ static int unpack_strdup(struct aa_ext *
        return res;
 }
 
-#define DFA_VALID_PERM_MASK            0xffffffff
-#define DFA_VALID_PERM2_MASK           0xffffffff
-
-/**
- * verify_accept - verify the accept tables of a dfa
- * @dfa: dfa to verify accept tables of (NOT NULL)
- * @flags: flags governing dfa
- *
- * Returns: 1 if valid accept tables else 0 if error
- */
-static bool verify_accept(struct aa_dfa *dfa, int flags)
-{
-       int i;
-
-       /* verify accept permissions */
-       for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
-               int mode = ACCEPT_TABLE(dfa)[i];
-
-               if (mode & ~DFA_VALID_PERM_MASK)
-                       return 0;
-
-               if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
-                       return 0;
-       }
-       return 1;
-}
 
 /**
  * unpack_dfa - unpack a file rule dfa
@@ -351,15 +325,9 @@ static struct aa_dfa *unpack_dfa(struct
                if (IS_ERR(dfa))
                        return dfa;
 
-               if (!verify_accept(dfa, flags))
-                       goto fail;
        }
 
        return dfa;
-
-fail:
-       aa_put_dfa(dfa);
-       return ERR_PTR(-EPROTO);
 }
 
 /**

Reply via email to