[apparmor] [PATCH] reset match flags state
John Johansen
john.johansen at canonical.com
Sun Dec 9 10:01:56 UTC 2012
So this fixes a nasty little bug that can surface in apparmor 2.8 when
Hats/children profiles are used.

The matchflags in the dfa backend are not getting properly reset, which
results in a previously processed profile's match flags being used. This is
not a problem for most permissions but can result in x conflict errors.

Note: this should not result in profiles with the wrong x transitions loaded
as it causes compilation to fail with an x conflict.

This is a minimal patch targeted at the 2.8 release. As such I have just
updated the delete_ruleset routine to clear the flags as it is already
being properly called for every rule set.

Apparmor 2.9/3.0 will have a different approach where it is not possible
to reuse the flags.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
=== modified file 'parser/libapparmor_re/aare_rules.cc'
--- parser/libapparmor_re/aare_rules.cc 2012-03-09 12:17:47 +0000
+++ parser/libapparmor_re/aare_rules.cc 2012-12-09 09:54:32 +0000
@@ -57,6 +57,8 @@
if (rules->root)
rules->root->release();
free(rules);
+
+ aare_reset_matchflags();
}
}
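
Review bot: the added aare_reset_matchflags() call takes no argument, so it clears state that is shared rather than owned by the rules object being freed, and nothing at the call site says why a delete routine does that. Please add a short comment above the call explaining that the match flags are shared across rule sets and must be cleared before the next profile is compiled. It also sits after free(rules) inside the conditional block, so the reset is skipped when rules is NULL and stale flags can only be cleared by a successful delete; consider whether the reset should happen unconditionally, or additionally when a rule set is created, so correctness does not depend on every rule set being torn down before the next one is built.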