diff options
| author | John Johansen <john.johansen@canonical.com> | 2022-03-26 01:58:15 -0700 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-08-25 11:18:20 +0200 |
| commit | 7f6092dc8f7a0892acf08f2956d8b7d9c267e5de (patch) | |
| tree | 4c396c2629a407a0eb4229c54c43f3423978e83c /security | |
| parent | 98ab8dfa048bb177df4cd558c790ec6b0a5ef658 (diff) | |
apparmor: fix overlapping attachment computation
commit 2504db207146543736e877241f3b3de005cbe056 upstream.
When finding the profile via patterned attachments, the longest left
match is being set to the static compile time value and not using the
runtime computed value.
Fix this by setting the candidate value to the greater of the
precomputed value or runtime computed value.
Fixes: 21f606610502 ("apparmor: improve overlapping domain attachment resolution")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/apparmor/domain.c | 2 | ||||
| -rw-r--r-- | security/apparmor/include/policy.h | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 1a33f490e667..2f61b4cc2fc0 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -460,7 +460,7 @@ restart: * xattrs, or a longer match */ candidate = profile; - candidate_len = profile->xmatch_len; + candidate_len = max(count, profile->xmatch_len); candidate_xattrs = ret; conflict = false; } diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h index b5b4b8190e65..b5aa4231af68 100644 --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h @@ -135,7 +135,7 @@ struct aa_profile { const char *attach; struct aa_dfa *xmatch; - int xmatch_len; + unsigned int xmatch_len; enum audit_mode audit; long mode; u32 path_flags; |