Commit | Line | Data |
---|---|---|
daaa955e AM |
1 | From 7f2cdd6453518ff76c3855255c91306a2b928c9a Mon Sep 17 00:00:00 2001 |
2 | From: John Johansen <john.johansen@canonical.com> | |
3 | Date: Wed, 16 Aug 2017 05:48:06 -0700 | |
4 | Subject: [PATCH 15/17] apparmor: ensure unconfined profiles have dfas | |
5 | initialized | |
6 | ||
7 | Generally unconfined has early bailout tests and does not need the | |
8 | dfas initialized, however if an early bailout test is ever missed | |
9 | it will result in an oops. | |
10 | ||
11 | Be defensive and initialize the unconfined profile to have null dfas | |
12 | (no permission) so if an early bailout test is missed we fail | |
13 | closed (no perms granted) instead of oopsing. | |
14 | ||
15 | Signed-off-by: John Johansen <john.johansen@canonical.com> | |
16 | (cherry picked from commit 034ad2d248927722bdcd1aedb62634cdc2049113) | |
17 | --- | |
18 | security/apparmor/policy_ns.c | 2 ++ | |
19 | 1 file changed, 2 insertions(+) | |
20 | ||
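--- a/security/apparmor/policy_ns.c
+++ b/security/apparmor/policy_ns.c
@@ -112,6 +112,8 @@ static struct aa_ns *alloc_ns(const char *prefix, const char *name)
 ns->unconfined->label.flags |= FLAG_IX_ON_NAME_ERROR |
 FLAG_IMMUTIBLE | FLAG_NS_COUNT | FLAG_UNCONFINED;
 ns->unconfined->mode = APPARMOR_UNCONFINED;
+ns->unconfined->file.dfa = aa_get_dfa(nulldfa);
+ns->unconfined->policy.dfa = aa_get_dfa(nulldfa);
 
 /* ns and ns->unconfined share ns->unconfined refcount */
 ns->unconfined->ns = ns;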
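Review bot: The two added assignments in alloc_ns give the fail-closed behaviour the commit message describes only if `nulldfa` is already set up when the first namespace is allocated. That ordering is not visible in this hunk, and if `aa_get_dfa()` were handed a NULL pointer the fields would presumably stay NULL, so a missed bailout test would still oops. It is worth confirming that the DFA engine setup runs before root-namespace allocation and recording the intent beside the assignments, for example `/* fail closed: null dfas grant no perms if an unconfined bailout test is missed */`. The two references taken here also need a matching put when the unconfined profile is freed, which presumably happens in the profile free path outside this hunk. alloc_ns starts and ends outside the hunk.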
34 | -- | |
35 | 2.11.0 | |
36 |