apparmor: allocate xmatch for nullpdb inside aa_alloc_null
commit 17d0d04 upstream.

attach->xmatch was not set when allocating a null profile, which is used in
complain mode to allocate a learning profile. This was causing downstream
failures in find_attach, which expected a valid xmatch but did not find
one under a certain sequence of profile transitions in complain mode.

This patch ensures the xmatch is set up properly for null profiles.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Cc: Paul Kramme <kramme@digitalmanufaktur.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ryan Lee authored and Greg Kroah-Hartman committed Jan 23, 2025
1 parent 35c2f2a commit 4c3f731
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions security/apparmor/policy.c
Expand Up @@ -626,6 +626,7 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,

/* TODO: ideally we should inherit abi from parent */
profile->label.flags |= FLAG_NULL;
profile->attach.xmatch = aa_get_pdb(nullpdb);
rules = list_first_entry(&profile->rules, typeof(*rules), list);
rules->file = aa_get_pdb(nullpdb);
rules->policy = aa_get_pdb(nullpdb);
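Review bot: the added profile->attach.xmatch = aa_get_pdb(nullpdb); line takes another counted reference on nullpdb, next to the ones already held by rules->file and rules->policy, and nothing in this hunk shows where it is released. Please confirm that the profile teardown path puts attach.xmatch, so that learning profiles allocated in complain mode do not leak a nullpdb reference. The assignment also sits directly under the ABI TODO comment without explanation; a short comment stating that find_attach expects a valid xmatch on null profiles would keep the line from later being dropped as redundant.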