
Commit 145a0ef

apparmor: fix blob compression when ns is forced on a policy load
When blob compression is turned on, if the policy namespace is forced onto a policy load, the policy load will fail because the namespace name being referenced is inside the compressed policy blob, resulting in invalid names or names that are too long. So duplicate the name before the blob is compressed.

Fixes: 876dd86 ("apparmor: Initial implementation of raw policy blob compression")
Signed-off-by: John Johansen <[email protected]>
1 parent fe166a9 commit 145a0ef

2 files changed

+8
-4
lines changed

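--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -861,7 +861,7 @@ static struct aa_profile *update_to_newest_parent(struct aa_profile *new)
 ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label,
 u32 mask, struct aa_loaddata *udata)
 {
-const char *ns_name, *info = NULL;
+const char *ns_name = NULL, *info = NULL;
 struct aa_ns *ns = NULL;
 struct aa_load_ent *ent, *tmp;
 struct aa_loaddata *rawdata_ent;
@@ -1048,6 +1048,7 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label,
 out:
 aa_put_ns(ns);
 aa_put_loaddata(udata);
+kfree(ns_name);
 
 if (error)
 return error;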
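Review bot: The unconditional `kfree(ns_name);` at `out:` makes aa_replace_profiles the owner of whatever `ns_name` points to at exit, and the lines between the two hunks are not shown here. If any assignment in that unseen part takes a pointer that another object still owns (for example a name held by an entry on the `ent` list), both owners will free it, which is a double free; such a transfer should clear the source pointer at the same time. Initialising `ns_name = NULL` covers the early-exit paths, since kfree(NULL) is a no-op. A short comment at the declaration, such as `/* heap copy, freed at out: */`, would record the ownership that the `const char *` type hides.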

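--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -944,11 +944,14 @@ static int verify_header(struct aa_ext *e, int required, const char **ns)
 e, error);
 return error;
 }
-if (*ns && strcmp(*ns, name))
+if (*ns && strcmp(*ns, name)) {
 audit_iface(NULL, NULL, NULL, "invalid ns change", e,
 error);
-else if (!*ns)
-*ns = name;
+} else if (!*ns) {
+*ns = kstrdup(name, GFP_KERNEL);
+if (!*ns)
+return -ENOMEM;
+}
 }
 
 return 0;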
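Review bot: The `invalid ns change` branch still only calls audit_iface() and then falls out of the block to `return 0;`, so a header whose namespace differs from the one already recorded in `*ns` is logged but not rejected by verify_header itself. If rejection is meant to happen in a caller, a comment saying so belongs here; otherwise add `return error;` after the audit call, as the branch above it does. Separately, `*ns` is now a kstrdup() copy that the caller must kfree(), which the function's comment should state. verify_header starts outside this hunk, so the value of `error` at this point is not visible.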
