[PATCH] apparmor: Constify 'nulldfa_src' and 'stacksplitdfa_src' arrays
From: Len Bao <hidden>
Date: 2026-05-24 11:34:46
The 'nulldfa_src' and 'stacksplitdfa_src' arrays are initialized in their declarations and never changed. So, constify them to reduce the attack surface. To make this possible, it is also necessary to change the 'unpack_table' and 'aa_dfa_unpack' function prototypes to pass, as a first argument, a pointer to a 'const' blob. At the same time, define the blob exact pointer type (pointer to const char) since all the calls to the mentioned functions use this same type. Before the patch (size lsm.o): text data bss dec hex 128768 28028 704 157500 2673c After the patch (size lsm.o): text data bss dec hex 131264 25532 704 157500 2673c Signed-off-by: Len Bao <redacted> --- security/apparmor/include/match.h | 2 +- security/apparmor/lsm.c | 4 ++-- security/apparmor/match.c | 6 +++--- 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
index 7accb1c39..4a92cd044 100644
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -125,7 +125,7 @@ static inline size_t table_size(size_t len, size_t el_size)
 
 #define aa_state_t unsigned int
 
-struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags);
+struct aa_dfa *aa_dfa_unpack(const char *blob, size_t size, int flags);
 aa_state_t aa_dfa_match_len(struct aa_dfa *dfa, aa_state_t start,
 			    const char *str, int len);
 aa_state_t aa_dfa_match(struct aa_dfa *dfa, aa_state_t start,
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 3491e9f60..3f995b6a7 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -2432,12 +2432,12 @@ static int __init apparmor_nf_ip_init(void)
 }
 #endif
 
-static char nulldfa_src[] __aligned(8) = {
+static const char nulldfa_src[] __aligned(8) = {
 #include "nulldfa.in"
 };
 static struct aa_dfa *nulldfa;
 
-static char stacksplitdfa_src[] __aligned(8) = {
+static const char stacksplitdfa_src[] __aligned(8) = {
 #include "stacksplitdfa.in"
 };
 struct aa_dfa *stacksplitdfa;
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 3a2c6cf02..c6f7bea1e 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -31,7 +31,7 @@
  *
  * NOTE: must be freed by kvfree (not kfree)
  */
-static struct table_header *unpack_table(char *blob, size_t bsize)
+static struct table_header *unpack_table(const char *blob, size_t bsize)
 {
 	struct table_header *table = NULL;
 	struct table_header th;
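Review bot: The kernel-doc block above unpack_table (its `@blob:` line is outside this hunk) still describes the parameter without stating that the function only reads through it, which is exactly the contract the new `const char *` qualifier now makes the compiler enforce; adding the words `read only` to that `@blob:` description would make the contract visible to readers who never see the signature, and the same applies to the `@blob:` line of aa_dfa_unpack in the hunk at line 311. The bodies of both functions start in these hunks but continue past them, so the read-only use is established here only by the fact that the change compiles, not by anything visible on the page. The description also asserts that every caller already passes a pointer to const char; that cannot be checked from this patch, and a caller passing a pointer to anything other than `void` or `char` would now need an explicit cast where the old `void *` parameter accepted it implicitly.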
@@ -311,11 +311,11 @@ static struct table_header *remap_data16_to_data32(struct table_header *old)
  *
  * Returns: an unpacked dfa ready for matching or ERR_PTR on failure
  */
-struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags)
+struct aa_dfa *aa_dfa_unpack(const char *blob, size_t size, int flags)
 {
 	int hsize;
 	int error = -ENOMEM;
-	char *data = blob;
+	const char *data = blob;
 	struct table_header *table = NULL;
 	struct aa_dfa *dfa = kzalloc_obj(struct aa_dfa);
 	if (!dfa)
--
2.43.0