From: Len Bao <len.bao@gmx.us>
To: John Johansen <john.johansen@canonical.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>, Kees Cook <kees@kernel.org>
Cc: Len Bao <len.bao@gmx.us>,
apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org,
linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] apparmor: Constify 'nulldfa_src' and 'stacksplitdfa_src' arrays
Date: Sat, 6 Jun 2026 17:18:53 +0000 [thread overview]
Message-ID: <aiRWfQhfBBHqq3mK@ubuntu> (raw)
In-Reply-To: <20260524113412.48050-1-len.bao@gmx.us>
Hi,
On Sun, May 24, 2026 at 11:34:11AM +0000, Len Bao wrote:
> The 'nulldfa_src' and 'stacksplitdfa_src' arrays are initialized in
> their declarations and never changed. So, constify them to reduce the
> attack surface.
>
> To make this possible, it is also necessary to change the 'unpack_table'
> and 'aa_dfa_unpack' function prototypes to pass, as a first argument, a
> pointer to a 'const' blob. At the same type, define the blob exact
> pointer type (pointer to const char) since all the calls to the
> mentioned functions use this same type.
>
> Before the patch (size lsm.o):
>
> text data bss dec hex
> 128768 28028 704 157500 2673c
>
> After the patch (size lsm.o):
>
> text data bss dec hex
> 131264 25532 704 157500 2673c
>
> Signed-off-by: Len Bao <len.bao@gmx.us>
> ---
Friendly ping.
Any comments are welcome.
Regards,
Len
> security/apparmor/include/match.h | 2 +-
> security/apparmor/lsm.c | 4 ++--
> security/apparmor/match.c | 6 +++---
> 3 files changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
> index 7accb1c39..4a92cd044 100644
> --- a/security/apparmor/include/match.h
> +++ b/security/apparmor/include/match.h
> @@ -125,7 +125,7 @@ static inline size_t table_size(size_t len, size_t el_size)
>
> #define aa_state_t unsigned int
>
> -struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags);
> +struct aa_dfa *aa_dfa_unpack(const char *blob, size_t size, int flags);
> aa_state_t aa_dfa_match_len(struct aa_dfa *dfa, aa_state_t start,
> const char *str, int len);
> aa_state_t aa_dfa_match(struct aa_dfa *dfa, aa_state_t start,
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index 3491e9f60..3f995b6a7 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -2432,12 +2432,12 @@ static int __init apparmor_nf_ip_init(void)
> }
> #endif
>
> -static char nulldfa_src[] __aligned(8) = {
> +static const char nulldfa_src[] __aligned(8) = {
> #include "nulldfa.in"
> };
> static struct aa_dfa *nulldfa;
>
> -static char stacksplitdfa_src[] __aligned(8) = {
> +static const char stacksplitdfa_src[] __aligned(8) = {
> #include "stacksplitdfa.in"
> };
> struct aa_dfa *stacksplitdfa;
> diff --git a/security/apparmor/match.c b/security/apparmor/match.c
> index 3a2c6cf02..c6f7bea1e 100644
> --- a/security/apparmor/match.c
> +++ b/security/apparmor/match.c
> @@ -31,7 +31,7 @@
> *
> * NOTE: must be freed by kvfree (not kfree)
> */
> -static struct table_header *unpack_table(char *blob, size_t bsize)
> +static struct table_header *unpack_table(const char *blob, size_t bsize)
> {
> struct table_header *table = NULL;
> struct table_header th;
> @@ -311,11 +311,11 @@ static struct table_header *remap_data16_to_data32(struct table_header *old)
> *
> * Returns: an unpacked dfa ready for matching or ERR_PTR on failure
> */
> -struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags)
> +struct aa_dfa *aa_dfa_unpack(const char *blob, size_t size, int flags)
> {
> int hsize;
> int error = -ENOMEM;
> - char *data = blob;
> + const char *data = blob;
> struct table_header *table = NULL;
> struct aa_dfa *dfa = kzalloc_obj(struct aa_dfa);
> if (!dfa)
> --
> 2.43.0
>
prev parent reply other threads:[~2026-06-06 17:19 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-24 11:34 [PATCH] apparmor: Constify 'nulldfa_src' and 'stacksplitdfa_src' arrays Len Bao
2026-06-06 17:18 ` Len Bao [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aiRWfQhfBBHqq3mK@ubuntu \
--to=len.bao@gmx.us \
--cc=apparmor@lists.ubuntu.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=kees@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox