author Ryan Lee <ryan.lee@canonical.com> 2024-08-21 11:01:56 -0700
committer John Johansen <john.johansen@canonical.com> 2024-11-26 19:21:04 -0800
commit 17d0d04f3c999e7784648bad70ce1766c3b49d69 (patch)
tree 8e7e8861bc7d634ea425dcfd186c44c4a4a7f747 /security
parent aaf20f870da056752f6386693cc0d8e25421ef35 (diff)
apparmor: allocate xmatch for nullpdb inside aa_alloc_null
attach->xmatch was not set when allocating a null profile, which is used in complain mode to allocate a learning profile. This was causing downstream failures in find_attach, which expected a valid xmatch but did not find one under a certain sequence of profile transitions in complain mode. This patch ensures the xmatch is set up properly for null profiles.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r-- security/apparmor/policy.c 1
1 files changed, 1 insertions, 0 deletions
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 14df15e35695..105706abf281 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -626,6 +626,7 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
/* TODO: ideally we should inherit abi from parent */
profile->label.flags |= FLAG_NULL;
+ profile->attach.xmatch = aa_get_pdb(nullpdb);
rules = list_first_entry(&profile->rules, typeof(*rules), list);
rules->file = aa_get_pdb(nullpdb);
rules->policy = aa_get_pdb(nullpdb);
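Review bot: the added `profile->attach.xmatch = aa_get_pdb(nullpdb);` in aa_alloc_null takes another reference on nullpdb, and nothing in this hunk shows where that reference is released. Please confirm that the profile teardown path puts attach.xmatch for null profiles in the same way it must for the `rules->file` and `rules->policy` references taken just below, otherwise each learning profile created in complain mode would pin nullpdb. Separately, the commit message refers to "a certain sequence of profile transitions" without naming it and carries no Fixes: tag; stating the triggering sequence and the commit that introduced the unset xmatch would make the failure in find_attach reproducible and help stable backports.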