Commit 01df52d7 authored by John Johansen

apparmor: remove duplicate check of xattrs on profile attachment.



The second check to ensure the xattrs are present and checked is
unneeded as this is already done in the profile attachment xmatch.

Signed-off-by: John Johansen <john.johansen@canonical.com>
parent 0df34a64
+0 −17
@@ -625,8 +625,6 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
					   bool *secure_exec)
{
	struct aa_label *new = NULL;
	struct aa_profile *component;
	struct label_it i;
	const char *info = NULL, *name = NULL, *target = NULL;
	unsigned int state = profile->file.start;
	struct aa_perms perms = {};
@@ -675,21 +673,6 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
			info = "profile transition not found";
			/* remove MAY_EXEC to audit as failure */
			perms.allow &= ~MAY_EXEC;
		} else {
			/* verify that each component's xattr requirements are
			 * met, and fail execution otherwise
			 */
			label_for_each(i, new, component) {
				if (aa_xattrs_match(bprm, component, state) <
				    0) {
					error = -EACCES;
					info = "required xattrs not present";
					perms.allow &= ~MAY_EXEC;
					aa_put_label(new);
					new = NULL;
					goto audit;
				}
			}
		}
	} else if (COMPLAIN_MODE(profile)) {
		/* no exec permission - learning mode */