UBUNTU: SAUCE: apparmor: fix policy_compat permission remap with exte…

…nded permissions BugLink: https://bugs.launchpad.net/bugs/2012136 If the extended permission table is present we should not be attempting to do a compat_permission remap as the compat_permissions are not stored in the dfa accept states. Fixes: fd1b2b9 ("apparmor: add the ability for policy to specify a permission table") Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
mariux64 · Mar 23, 2023 · b67242b · b67242b
1 parent 2f86f6a
commit b67242b
Showing 1 changed file with 14 additions and 9 deletions.
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
@@ -864,10 +864,12 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 		}
 		profile->attach.xmatch_len = tmp;
 		profile->attach.xmatch.start[AA_CLASS_XMATCH] = DFA_START;
-		error = aa_compat_map_xmatch(&profile->attach.xmatch);
-		if (error) {
-			info = "failed to convert xmatch permission table";
-			goto fail;
+		if (!profile->attach.xmatch.perms) {
+			error = aa_compat_map_xmatch(&profile->attach.xmatch);
+			if (error) {
+				info = "failed to convert xmatch permission table";
+				goto fail;
+			}
 		}
 	}
 
@@ -1026,10 +1028,13 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 				      AA_CLASS_FILE);
 		if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
 			goto fail;
-		error = aa_compat_map_policy(&rules->policy, e->version);
-		if (error) {
-			info = "failed to remap policydb permission table";
-			goto fail;
+		if (!rules->policy.perms) {
+			error = aa_compat_map_policy(&rules->policy,
+						     e->version);
+			if (error) {
+				info = "failed to remap policydb permission table";
+				goto fail;
+			}
 		}
 	} else
 		rules->policy.dfa = aa_get_dfa(nulldfa);
@@ -1038,7 +1043,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 	error = unpack_pdb(e, &rules->file, false, true, &info);
 	if (error) {
 		goto fail;
-	} else if (rules->file.dfa) {
+	} else if (rules->file.dfa && !rules->file.perms) {
 		error = aa_compat_map_file(&rules->file);
 		if (error) {
 			info = "failed to remap file permission table";