[apparmor] [PATCH] libapparmor: Fix fd leak when write to aafs/.access fails
John Johansen
john.johansen at canonical.com
Mon Aug 26 22:27:10 UTC 2013
On 08/26/2013 02:59 PM, Tyler Hicks wrote:
> In aa_query_label(), errors encountered during a write() to the AppArmor
> filesystem's .access file results in an unintentional file descriptor
> leak outside of aa_query_label(). Callers don't expect aa_query_label()
> to return with a newly opened file descriptor so they can't be expected
> to close the fd.
>
> This flaw was introduced in r2147, which has not yet been included in an
> official release.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
>
> === modified file 'libraries/libapparmor/src/kernel_interface.c'
> --- libraries/libapparmor/src/kernel_interface.c 2013-08-10 01:55:16 +0000
> +++ libraries/libapparmor/src/kernel_interface.c 2013-08-26 21:50:31 +0000
> @@ -726,6 +726,7 @@
> * errno set to ENOENT. It indicates that the subject label
> * could not be found by the kernel.
> */
> + (void)close(fd);
> return -1;
> }
>
Ackedby: John Johansen <john.johansen at canonical.com>
More information about the AppArmor
mailing list