summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorMatthew Garrett <mjg59@google.com>2018-01-11 13:07:54 -0800
committerJohn Johansen <john.johansen@canonical.com>2018-01-12 15:56:50 -0800
commit1a3881d305592d947ed47887306919d50112394d (patch)
tree8d7c0129e2feae1259325aa7ff33ccb821d93aa2 /security
parent0dda0b3fb255048a221f736c8a2a24c674da8bf3 (diff)
downloadlinux-rpi-1a3881d305592d947ed47887306919d50112394d.tar.gz
linux-rpi-1a3881d305592d947ed47887306919d50112394d.tar.bz2
linux-rpi-1a3881d305592d947ed47887306919d50112394d.zip
apparmor: Fix regression in profile conflict logic
The intended behaviour in apparmor profile matching is to flag a conflict if two profiles match equally well. However, right now a conflict is generated if another profile has the same match length even if that profile doesn't actually match. Fix the logic so we only generate a conflict if the profiles match. Fixes: 844b8292b631 ("apparmor: ensure that undecidable profile attachments fail") Cc: Stable <stable@vger.kernel.org> Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/domain.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 04ba9d0718ea..6a54d2ffa840 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -330,10 +330,7 @@ static struct aa_profile *__attach_match(const char *name,
continue;
if (profile->xmatch) {
- if (profile->xmatch_len == len) {
- conflict = true;
- continue;
- } else if (profile->xmatch_len > len) {
+ if (profile->xmatch_len >= len) {
unsigned int state;
u32 perm;
@@ -342,6 +339,10 @@ static struct aa_profile *__attach_match(const char *name,
perm = dfa_user_allow(profile->xmatch, state);
/* any accepting state means a valid match. */
if (perm & MAY_EXEC) {
+ if (profile->xmatch_len == len) {
+ conflict = true;
+ continue;
+ }
candidate = profile;
len = profile->xmatch_len;
conflict = false;