
Commit 0bac200

committed
apparmor: fix policy_compat permission remap with extended permissions
If the extended permission table is present, we should not attempt a compat_permission remap, as the compat_permissions are not stored in the dfa accept states. Fixes: fd1b2b9 ("apparmor: add the ability for policy to specify a permission table") Signed-off-by: John Johansen <[email protected]> Reviewed-by: Jon Tourville <[email protected]>
1 parent ba808cb commit 0bac200

1 file changed

+19
-12
lines changed

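--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -849,10 +849,12 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 }
 profile->attach.xmatch_len = tmp;
 profile->attach.xmatch.start[AA_CLASS_XMATCH] = DFA_START;
-error = aa_compat_map_xmatch(&profile->attach.xmatch);
-if (error) {
-info = "failed to convert xmatch permission table";
-goto fail;
+if (!profile->attach.xmatch.perms) {
+error = aa_compat_map_xmatch(&profile->attach.xmatch);
+if (error) {
+info = "failed to convert xmatch permission table";
+goto fail;
+}
 }
 }
 
@@ -972,10 +974,13 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 AA_CLASS_FILE);
 if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
 goto fail;
-error = aa_compat_map_policy(&rules->policy, e->version);
-if (error) {
-info = "failed to remap policydb permission table";
-goto fail;
+if (!rules->policy.perms) {
+error = aa_compat_map_policy(&rules->policy,
+e->version);
+if (error) {
+info = "failed to remap policydb permission table";
+goto fail;
+}
 }
 } else
 rules->policy.dfa = aa_get_dfa(nulldfa);
@@ -985,10 +990,12 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 if (error) {
 goto fail;
 } else if (rules->file.dfa) {
-error = aa_compat_map_file(&rules->file);
-if (error) {
-info = "failed to remap file permission table";
-goto fail;
+if (!rules->file.perms) {
+error = aa_compat_map_file(&rules->file);
+if (error) {
+info = "failed to remap file permission table";
+goto fail;
+}
 }
 } else if (rules->policy.dfa &&
 rules->policy.start[AA_CLASS_FILE]) {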
