p71924506
/
linux_old1
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

apparmor: Fix regression in profile conflict logic 

The intended behaviour in apparmor profile matching is to flag a
conflict if two profiles match equally well. However, right now a
conflict is generated if another profile has the same match length even
if that profile doesn't actually match. Fix the logic so we only
generate a conflict if the profiles match.

Fixes: 844b8292b6 ("apparmor: ensure that undecidable profile attachments fail")
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
Matthew Garrett 2018-01-11 13:07:54 -08:00 committed by John Johansen
parent 0dda0b3fb2
commit 1a3881d305
1 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
security/apparmor/domain.c
View File

@ -330,10 +330,7 @@ static struct aa_profile *__attach_match(const char *name,
continue; continue;
if (profile->xmatch) { if (profile->xmatch) {
if (profile->xmatch_len == len) { if (profile->xmatch_len >= len) {
conflict = true;
continue;
} else if (profile->xmatch_len > len) {
unsigned int state; unsigned int state;
u32 perm; u32 perm;
@ -342,6 +339,10 @@ static struct aa_profile *__attach_match(const char *name,
perm = dfa_user_allow(profile->xmatch, state); perm = dfa_user_allow(profile->xmatch, state);
/* any accepting state means a valid match. */ /* any accepting state means a valid match. */
if (perm & MAY_EXEC) { if (perm & MAY_EXEC) {
if (profile->xmatch_len == len) {
conflict = true;
continue;
}
candidate = profile; candidate = profile;
len = profile->xmatch_len; len = profile->xmatch_len;
conflict = false; conflict = false;