apparmor: fix: accept2 being specifie even when permission table is presnt

jrjohansen · jrjohansen · commit 4d9d1a08b796 · 2025-07-20T02:31:13.000-07:00
The transition to the perms32 permission table dropped the need for the accept2 table as permissions. However accept2 can be used for flags and may be present even when the perms32 table is present. So instead of checking on version, check whether the table is present. Fixes: 2e12c5f ("apparmor: add additional flags to extended permission.") Signed-off-by: John Johansen <john.johansen@canonical.com>
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
@@ -775,7 +775,8 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy,
 		}
 	}
 
-	if (pdb->perms && version <= 2) {
+	/* accept2 is in some cases being allocated, even with perms */
+	if (pdb->perms && !pdb->dfa->tables[YYTD_ID_ACCEPT2]) {
 		/* add dfa flags table missing in v2 */
 		u32 noents = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_lolen;
 		u16 tdflags = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_flags;

Original file line number	Diff line number	Diff line change
`@@ -775,7 +775,8 @@ static int unpack_pdb(struct aa_ext e, struct aa_policydb *policy,`
`775`	`775`	`}`
`776`	`776`	`}`
`777`	`777`
`778`		`- if (pdb->perms && version <= 2) {`
	`778`	`+ /* accept2 is in some cases being allocated, even with perms */`
	`779`	`+ if (pdb->perms && !pdb->dfa->tables[YYTD_ID_ACCEPT2]) {`
`779`	`780`	`/* add dfa flags table missing in v2 */`
`780`	`781`	`u32 noents = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_lolen;`
`781`	`782`	`u16 tdflags = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_flags;`