projects / packages / kernel.git / blame
| Commit | Line | Data |
|---|---|---|
| daaa955e AM |
1 | From 7f2cdd6453518ff76c3855255c91306a2b928c9a Mon Sep 17 00:00:00 2001 |
| 2 | From: John Johansen <john.johansen@canonical.com> | |
| 3 | Date: Wed, 16 Aug 2017 05:48:06 -0700 | |
| 4 | Subject: [PATCH 15/17] apparmor: ensure unconfined profiles have dfas | |
| 5 | initialized | |
| 6 | ||
| 7 | Generally unconfined has early bailout tests and does not need the | |
| 8 | dfas initialized, however if an early bailout test is ever missed | |
| 9 | it will result in an oops. | |
| 10 | ||
| 11 | Be defensive and initialize the unconfined profile to have null dfas | |
| 12 | (no permission) so if an early bailout test is missed we fail | |
| 13 | closed (no perms granted) instead of oopsing. | |
| 14 | ||
| 15 | Signed-off-by: John Johansen <john.johansen@canonical.com> | |
| 16 | (cherry picked from commit 034ad2d248927722bdcd1aedb62634cdc2049113) | |
| 17 | --- | |
| 18 | security/apparmor/policy_ns.c | 2 ++ | |
| 19 | 1 file changed, 2 insertions(+) | |
| 20 | ||
| 21 | diff --git a/security/apparmor/policy_ns.c b/security/apparmor/policy_ns.c | |
| 22 | index 351d3bab3a3d..62a3589c62ab 100644 | |
| 23 | --- a/security/apparmor/policy_ns.c | |
| 24 | +++ b/security/apparmor/policy_ns.c | |
| 25 | @@ -112,6 +112,8 @@ static struct aa_ns *alloc_ns(const char *prefix, const char *name) | |
| 26 | ns->unconfined->label.flags |= FLAG_IX_ON_NAME_ERROR | | |
| 27 | FLAG_IMMUTIBLE | FLAG_NS_COUNT | FLAG_UNCONFINED; | |
| 28 | ns->unconfined->mode = APPARMOR_UNCONFINED; | |
| 29 | + ns->unconfined->file.dfa = aa_get_dfa(nulldfa); | |
| 30 | + ns->unconfined->policy.dfa = aa_get_dfa(nulldfa); | |
| 31 | ||
| 32 | /* ns and ns->unconfined share ns->unconfined refcount */ | |
| 33 | ns->unconfined->ns = ns; | |
| 34 | -- | |
| 35 | 2.11.0 | |
| 36 |