diff options
author | Matthew Garrett <mjg59@google.com> | 2018-01-11 13:07:54 -0800 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2018-01-12 15:56:50 -0800 |
commit | 1a3881d305592d947ed47887306919d50112394d (patch) | |
tree | 8d7c0129e2feae1259325aa7ff33ccb821d93aa2 /security | |
parent | 0dda0b3fb255048a221f736c8a2a24c674da8bf3 (diff) | |
download | linux-rpi-1a3881d305592d947ed47887306919d50112394d.tar.gz linux-rpi-1a3881d305592d947ed47887306919d50112394d.tar.bz2 linux-rpi-1a3881d305592d947ed47887306919d50112394d.zip |
apparmor: Fix regression in profile conflict logic
The intended behaviour in apparmor profile matching is to flag a
conflict if two profiles match equally well. However, right now a
conflict is generated if another profile has the same match length even
if that profile doesn't actually match. Fix the logic so we only
generate a conflict if the profiles match.
Fixes: 844b8292b631 ("apparmor: ensure that undecidable profile attachments fail")
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/apparmor/domain.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 04ba9d0718ea..6a54d2ffa840 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -330,10 +330,7 @@ static struct aa_profile *__attach_match(const char *name, continue; if (profile->xmatch) { - if (profile->xmatch_len == len) { - conflict = true; - continue; - } else if (profile->xmatch_len > len) { + if (profile->xmatch_len >= len) { unsigned int state; u32 perm; @@ -342,6 +339,10 @@ static struct aa_profile *__attach_match(const char *name, perm = dfa_user_allow(profile->xmatch, state); /* any accepting state means a valid match. */ if (perm & MAY_EXEC) { + if (profile->xmatch_len == len) { + conflict = true; + continue; + } candidate = profile; len = profile->xmatch_len; conflict = false; |