[apparmor] [PATCH] reset match flags state
Steve Beattie
steve at nxnw.org
Mon Dec 10 17:09:05 UTC 2012
On Sun, Dec 09, 2012 at 02:01:56AM -0800, John Johansen wrote:
> So this fixes a nasty little bug that can surface in apparmor 2.8 when
> Hats/children profiles are used.
>
> the matchflags in the dfa backend are not getting properly reset, which
> results in a previously processed profiles match flags being used. This is
> not a problem for most permissions but can result in x conflict errors.
>
> Note: this should not result in profiles with the wrong x transitions loaded
> as it causes compilation to file with an x conflict.
>
> This is a minimal patch targeted at the 2.8 release. As such I have just
> updated the delete_ruleset routine to clear the flags as it is already
> being properly called for every rule set.
>
> Apparmor 2.9/3.0 will have a different approach where it is not possible
> to reuse the flags.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-by: Steve Beattie <sbeattie at ubuntu.com>
Thanks.
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20121210/920195fa/attachment.pgp>
More information about the AppArmor
mailing list