[PATCH 05/11] AppArmor: fix regression by setting default to mediate deleted files

john.johansen at canonical.com john.johansen at canonical.com
Tue Apr 13 07:09:34 UTC 2010


From: John Johansen <john.johansen at canonical.com>

OriginalAuthor: John Johansen <john.johansen at canonical.com>
OriginalLocation: git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparm$
commit: 8d3ffc7c845dc1277b39572016fbf3265702f4d4
BugLink: http://bugs.launchpad.net/bugs/562056

The default behavior for AppArmor used to be to mediate deleted files.
This can now be controlled on a per profile basis but the field is
not defaulting to the correct value when path_flags is not specified.

This is causing regressions in profiles expecting deleted files to
be mediated by path instead of delegated.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 security/apparmor/policy_unpack.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index a475d7c..0a15f41 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -507,8 +507,11 @@ static struct aa_profile *unpack_profile(struct aa_ext *e,
 		goto fail;
 
 	/* path_flags is optional */
-	unpack_u32(e, &profile->path_flags, "path_flags");
-	profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED;
+	if (unpack_u32(e, &profile->path_flags, "path_flags"))
+		profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED;
+	else
+		/* default to */
+		profile->path_flags = PFLAG_MEDIATE_DELETED;
 
 	/* mmap_min_addr is optional */
 	if (unpack_u64(e, &tmp64, "mmap_min_addr")) {
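Review bot: The comment in the new else branch, `/* default to */`, is cut short and never says what the default is. Please complete it, for example "path_flags not present: default to mediating deleted files", so that it matches the commit message. Since the else branch now spans a comment plus a statement, braces on both arms would make the scope explicit and keep a later added line from silently falling outside the branch. It is also worth a line in the comment that the else arm assigns `PFLAG_MEDIATE_DELETED` unconditionally and does not consult `profile->flags`, while the if arm only ORs the bit in when `profile->flags` carries it. That asymmetry looks intentional given the regression described, but a reader of the code alone cannot tell.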
-- 
1.7.0




