summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2017-08-16 14:48:06 +0200
committerJohn Johansen <john.johansen@canonical.com>2017-09-22 22:00:58 +0200
commit15372b97aa7593c6f5bc1afe69f42fd403c40685 (patch)
tree31992972666da995cce4785f88a7c87f0d6a6b8e
parentapparmor: fix race condition in null profile creation (diff)
downloadlinux-15372b97aa7593c6f5bc1afe69f42fd403c40685.tar.xz
linux-15372b97aa7593c6f5bc1afe69f42fd403c40685.zip
apparmor: ensure unconfined profiles have dfas initialized
Generally unconfined has early bailout tests and does not need the dfas initialized, however if an early bailout test is ever missed it will result in an oops. Be defensive and initialize the unconfined profile to have null dfas (no permission) so if an early bailout test is missed we fail closed (no perms granted) instead of oopsing. Signed-off-by: John Johansen <john.johansen@canonical.com>
-rw-r--r--security/apparmor/policy_ns.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/security/apparmor/policy_ns.c b/security/apparmor/policy_ns.c
index 351d3bab3a3d..62a3589c62ab 100644
--- a/security/apparmor/policy_ns.c
+++ b/security/apparmor/policy_ns.c
@@ -112,6 +112,8 @@ static struct aa_ns *alloc_ns(const char *prefix, const char *name)
ns->unconfined->label.flags |= FLAG_IX_ON_NAME_ERROR |
FLAG_IMMUTIBLE | FLAG_NS_COUNT | FLAG_UNCONFINED;
ns->unconfined->mode = APPARMOR_UNCONFINED;
+ ns->unconfined->file.dfa = aa_get_dfa(nulldfa);
+ ns->unconfined->policy.dfa = aa_get_dfa(nulldfa);
/* ns and ns->unconfined share ns->unconfined refcount */
ns->unconfined->ns = ns;