[apparmor] [RFC] Apparmor: Add support for attaching profiles via xattr presence and value

Matthew Garrett mjg59 at google.com
Fri Dec 8 22:06:30 UTC 2017


On Tue, Nov 28, 2017 at 5:45 PM, Seth Arnold <seth.arnold at canonical.com> wrote:
> Hello Matthew, thanks for this; I'll let John comment on the larger design
> of the patch, I'll just nitpick one little piece:
>
> On Tue, Nov 28, 2017 at 04:08:15PM -0800, Matthew Garrett wrote:
>> +     kzfree(profile->xattrs);
>> +     kzfree(profile->xattr_lens);
>> +     kzfree(profile->xattr_values);
>>       kzfree(profile->dirname);
>>       aa_put_dfa(profile->xmatch);
>>       aa_put_dfa(profile->policy.dfa);
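
Review bot: The three added kzfree() calls on profile->xattrs, profile->xattr_lens and profile->xattr_values release only the arrays themselves, and nothing in this hunk shows who owns the entries those arrays point to. If each entry is a separate allocation, it has to be freed in a loop before the array is released. If the entries instead borrow storage that outlives the profile, a one-line comment above these calls stating that would document the lifetime dependency and keep the free path from reading as a leak.
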
>
> profile->xattr_values is a vector of strings, but only the pointers are
> cleaned up here, leaking all the xattr values themselves when the profile
> is freed.

The strings in this case are pointers to the values in the loaded
policy blob, I think? E.g., profile->attach is extracted with
unpack_str() but not explicitly freed.


