apparmor: Replace sprintf/strcpy with scnprintf/strscpy in aa_policy_init
authorThorsten Blum <thorsten.blum@linux.dev>
Sat, 22 Nov 2025 11:55:51 +0000 (12:55 +0100)
committerJohn Johansen <john.johansen@canonical.com>
Sun, 18 Jan 2026 14:52:58 +0000 (06:52 -0800)
strcpy() is deprecated and sprintf() does not perform bounds checking
either. Although an overflow is unlikely, it's better to proactively
avoid it by using the safer strscpy() and scnprintf(), respectively.

Additionally, unify memory allocation for 'hname' to simplify and
improve aa_policy_init().

Closes: https://github.com/KSPP/linux/issues/88
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/lib.c

index 82dbb97..acf7f51 100644 (file)
@@ -478,19 +478,17 @@ bool aa_policy_init(struct aa_policy *policy, const char *prefix,
                    const char *name, gfp_t gfp)
 {
        char *hname;
+       size_t hname_sz;
 
+       hname_sz = (prefix ? strlen(prefix) + 2 : 0) + strlen(name) + 1;
        /* freed by policy_free */
-       if (prefix) {
-               hname = aa_str_alloc(strlen(prefix) + strlen(name) + 3, gfp);
-               if (hname)
-                       sprintf(hname, "%s//%s", prefix, name);
-       } else {
-               hname = aa_str_alloc(strlen(name) + 1, gfp);
-               if (hname)
-                       strcpy(hname, name);
-       }
+       hname = aa_str_alloc(hname_sz, gfp);
        if (!hname)
                return false;
+       if (prefix)
+               scnprintf(hname, hname_sz, "%s//%s", prefix, name);
+       else
+               strscpy(hname, name, hname_sz);
        policy->hname = hname;
        /* base.name is a substring of fqname */
        policy->name = basename(policy->hname);