Commit 1a3881d3 authored Jan 11, 2018 by Matthew Garrett Committed by John Johansen Jan 12, 2018

apparmor: Fix regression in profile conflict logic



The intended behaviour in apparmor profile matching is to flag a
conflict if two profiles match equally well. However, right now a
conflict is generated if another profile has the same match length even
if that profile doesn't actually match. Fix the logic so we only
generate a conflict if the profiles match.

Fixes: 844b8292 ("apparmor: ensure that undecidable profile attachments fail")
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

parent 0dda0b3f

security/apparmor/domain.c

+5 −4

Original line number	Diff line number	Diff line
		@@ -330,10 +330,7 @@ static struct aa_profile __attach_match(const char name,
		continue;

		if (profile->xmatch) {
		if (profile->xmatch_len == len) {
		conflict = true;
		continue;
		} else if (profile->xmatch_len > len) {
		if (profile->xmatch_len >= len) {
		unsigned int state;
		u32 perm;

		@@ -342,6 +339,10 @@ static struct aa_profile __attach_match(const char name,
		perm = dfa_user_allow(profile->xmatch, state);
		/* any accepting state means a valid match. */
		if (perm & MAY_EXEC) {
		if (profile->xmatch_len == len) {
		conflict = true;
		continue;
		}
		candidate = profile;
		len = profile->xmatch_len;
		conflict = false;

Admin message