[apparmor] [PATCH] apparmor: Fix profile conflict logic
John Johansen
john.johansen at canonical.com
Thu Jan 11 21:58:46 UTC 2018
On 01/11/2018 01:07 PM, Matthew Garrett wrote:
> The intended behaviour in apparmor profile matching is to flag a
> conflict if two profiles match equally well. However, right now a
> conflict is generated if another profile has the same match length even
> if that profile doesn't actually match. Fix the logic so we only
> generate a conflict if the profiles match.
>
> Signed-off-by: Matthew Garrett <mjg59 at google.com>
Acked-by: John Johansne <john.johansen at caonical.com>
I'll get a pull request together asap
> ---
> security/apparmor/domain.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> index 04ba9d0718ea..6a54d2ffa840 100644
> --- a/security/apparmor/domain.c
> +++ b/security/apparmor/domain.c
> @@ -330,10 +330,7 @@ static struct aa_profile *__attach_match(const char *name,
> continue;
>
> if (profile->xmatch) {
> - if (profile->xmatch_len == len) {
> - conflict = true;
> - continue;
> - } else if (profile->xmatch_len > len) {
> + if (profile->xmatch_len >= len) {
> unsigned int state;
> u32 perm;
>
> @@ -342,6 +339,10 @@ static struct aa_profile *__attach_match(const char *name,
> perm = dfa_user_allow(profile->xmatch, state);
> /* any accepting state means a valid match. */
> if (perm & MAY_EXEC) {
> + if (profile->xmatch_len == len) {
> + conflict = true;
> + continue;
> + }
> candidate = profile;
> len = profile->xmatch_len;
> conflict = false;
>
More information about the AppArmor
mailing list