apparmor: allow policydb to be used as the file dfa
author John Johansen <john.johansen@canonical.com>
Mon, 16 Jan 2017 08:42:41 +0000 (00:42 -0800)
committer John Johansen <john.johansen@canonical.com>
Mon, 16 Jan 2017 09:18:33 +0000 (01:18 -0800)
Newer policy will combine the file and policydb dfas, allowing for
better optimizations. However to support older policy we need to
keep the ability to address the "file" dfa separately. So dup
the policydb as if it is the file dfa and set the appropriate start
state.

Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/policy_unpack.c

index 6ac292fec55f9d1f1b17b82cc694039848a79146..7160addb11be41f488cadf48567500d2cd951472 100644
@@ -611,12 +611,16 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
                error = PTR_ERR(profile->file.dfa);
                profile->file.dfa = NULL;
                goto fail;
+       } else if (profile->file.dfa) {
+               if (!unpack_u32(e, &profile->file.start, "dfa_start"))
+                       /* default start state */
+                       profile->file.start = DFA_START;
+       } else if (profile->policy.dfa &&
+                  profile->policy.start[AA_CLASS_FILE]) {
+               profile->file.dfa = aa_get_dfa(profile->policy.dfa);
+               profile->file.start = profile->policy.start[AA_CLASS_FILE];
        }
 
-       if (!unpack_u32(e, &profile->file.start, "dfa_start"))
-               /* default start state */
-               profile->file.start = DFA_START;
-
        if (!unpack_trans_table(e, profile))
                goto fail;
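
Review bot: the `dfa_start` read is now reached only through `else if (profile->file.dfa)`, whereas the removed lines read it, or defaulted to `DFA_START`, unconditionally. If a policy blob carries a `dfa_start` entry but no file dfa, that entry is left unconsumed ahead of `unpack_trans_table()`, and when neither new branch is taken `profile->file.start` is never assigned in this function. Please confirm that no supported policy is encoded that way, or keep the unconditional read and only override the start state in the policydb fallback. A short comment on the fallback branch would also help, stating that it exists for older policy, that it takes its own reference with `aa_get_dfa()`, and that a zero `profile->policy.start[AA_CLASS_FILE]` is treated as "no file rules in the policydb".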