Commit f05841a9 authored by John Johansen

apparmor: fail unpack if profile mode is unknown



Profile unpack should fail if the profile mode is not a mode that the
kernel understands.

Signed-off-by: John Johansen <john.johansen@canonical.com>
parent 3ed4aaa9
+4 −0
@@ -748,10 +748,14 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
		goto fail;
	if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG))
		profile->mode = APPARMOR_COMPLAIN;
	else if (tmp == PACKED_MODE_ENFORCE)
		profile->mode = APPARMOR_ENFORCE;
	else if (tmp == PACKED_MODE_KILL)
		profile->mode = APPARMOR_KILL;
	else if (tmp == PACKED_MODE_UNCONFINED)
		profile->mode = APPARMOR_UNCONFINED;
	else
		goto fail;
	if (!unpack_u32(e, &tmp, NULL))
		goto fail;
	if (tmp)
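
Review bot: In the first condition of this chain, `(e->version & FORCE_COMPLAIN_FLAG)` is OR-ed with the `tmp == PACKED_MODE_COMPLAIN` test, so when that flag is set any value of `tmp`, including one the kernel does not understand, is accepted as APPARMOR_COMPLAIN and never reaches the final `else goto fail;`. If the intent in the commit message is that an unknown mode always fails the unpack, check `tmp` against the known PACKED_MODE_* values first and apply the force-complain override afterwards. The final `goto fail` also carries no reason of its own; if the fail path reports a message, set one before jumping so a policy load rejected for its mode can be told apart from the other unpack failures.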