author: John Johansen <john.johansen@canonical.com> 2023-02-15 05:21:17 +0100
committer: John Johansen <john.johansen@canonical.com> 2023-02-15 20:24:38 +0100
commit: cbb13e12a5d3ecef400716ea7d12a9268b0f37ca
tree: 8c366e29f297868d52f4da45d688a1758499b975 /security/apparmor
parent: Merge tag 'pm-6.2-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/rafae...
apparmor: Fix regression in compat permissions for getattr
This fixes a regression in mediation of getattr when old policy built under an older ABI is loaded and mapped to internal permissions. The regression does not occur for all getattr permission requests, only appearing if state zero is the final state in the permission lookup.

This is because despite the first state (index 0) being guaranteed to not have permissions in both newer and older permission formats, it may have to carry permissions that were not mediated as part of an older policy. These backward compat permissions are mapped here to avoid special casing the mediation code paths. Since the mapping code already takes into account backwards compat permissions from older formats, it can be applied to state 0 to fix the regression.

Fixes: 408d53e923bd ("apparmor: compute file permissions on profile load")
Reported-by: Philip Meulengracht <the_meulengracht@hotmail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
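The mechanism the commit message describes, as an added toy model rather than the kernel's code: a per-state permission table with two entries per state (user, other) is built from an old-format accept table, and a lookup whose final DFA state is 0 reads table[0]. All names here (toy_dfa, build_perm_table, map_old_to_internal, the OLD_MAY_* and PERM_* flags) and the flag values are constructed for illustration and are not AppArmor's real encoding; the only thing taken from the page is the layout `table[state * 2]` / `table[state * 2 + 1]` and the fact that state 0 can carry backward-compat permissions. Starting the loop at state 1 leaves table[0] at its zero-initialised value, so a lookup ending in state 0 denies getattr; starting at 0 maps the compat permissions and the lookup succeeds.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Added example: toy model of the compat permission mapping, not kernel code. */
#define MODEL_STATES 4

/* Old on-disk accept flags (constructed values, not AppArmor's encoding). */
#define OLD_MAY_READ    0x01u
#define OLD_MAY_WRITE   0x02u
#define OLD_MAY_GETATTR 0x04u  /* stands in for a compat permission carried on state 0 */

/* Internal permission mask (constructed values). */
#define PERM_READ    0x1u
#define PERM_WRITE   0x2u
#define PERM_GETATTR 0x4u

/* Hypothetical stand-in for the DFA: one old-format accept value per state. */
struct toy_dfa {
	size_t state_count;
	uint32_t accept_user[MODEL_STATES];
	uint32_t accept_other[MODEL_STATES];
};

/* Map an old-format accept value to the internal mask (hypothetical mapping). */
static uint32_t map_old_to_internal(uint32_t old)
{
	uint32_t perms = 0;

	if (old & OLD_MAY_READ)
		perms |= PERM_READ;
	if (old & OLD_MAY_WRITE)
		perms |= PERM_WRITE;
	if (old & OLD_MAY_GETATTR)
		perms |= PERM_GETATTR;
	return perms;
}

/*
 * Build the per-state table: two entries per state, user at [state * 2]
 * and other at [state * 2 + 1], mirroring the loop in the patch.
 * skip_state_zero selects the pre-patch behaviour (loop starts at 1).
 */
static uint32_t *build_perm_table(const struct toy_dfa *dfa, int skip_state_zero)
{
	uint32_t *table = calloc(dfa->state_count * 2, sizeof(*table));
	size_t state;

	if (!table)
		return NULL;
	for (state = skip_state_zero ? 1 : 0; state < dfa->state_count; state++) {
		table[state * 2] = map_old_to_internal(dfa->accept_user[state]);
		table[state * 2 + 1] = map_old_to_internal(dfa->accept_other[state]);
	}
	return table;
}

/* Permission lookup for the state the DFA walk finished in. */
static uint32_t lookup_user_perms(const uint32_t *table, size_t final_state)
{
	return table[final_state * 2];
}

/*
 * Reproduce the regression: a getattr request whose lookup ends in state 0.
 * Returns 1 if getattr is allowed, 0 if denied, -1 on allocation failure.
 */
int getattr_allowed_for_state0(int skip_state_zero)
{
	struct toy_dfa dfa = { .state_count = MODEL_STATES };
	uint32_t *table;
	int allowed;

	/* Constructed policy: old format carries getattr on state 0. */
	dfa.accept_user[0] = OLD_MAY_GETATTR;
	dfa.accept_user[2] = OLD_MAY_READ | OLD_MAY_GETATTR;

	table = build_perm_table(&dfa, skip_state_zero);
	if (!table)
		return -1;
	allowed = (lookup_user_perms(table, 0) & PERM_GETATTR) != 0;
	free(table);
	return allowed;
}

int main(void)
{
	printf("loop from state 1 (before fix): getattr allowed = %d\n",
	       getattr_allowed_for_state0(1));
	printf("loop from state 0 (after fix):  getattr allowed = %d\n",
	       getattr_allowed_for_state0(0));
	return 0;
}
```

The model keeps the table zero-initialised exactly as the removed comment ("zero init so skip the trap state") assumed; the point is that zero-init is only equivalent to mapping when state 0 has no permissions to map, which the compat path no longer guarantees.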
Diffstat (limited to 'security/apparmor')
security/apparmor/policy_compat.c | 3
1 files changed, 1 insertions, 2 deletions
diff --git a/security/apparmor/policy_compat.c b/security/apparmor/policy_compat.c
index 9e52e218bf30..cc89d1e88fb7 100644
--- a/security/apparmor/policy_compat.c
+++ b/security/apparmor/policy_compat.c
@@ -160,8 +160,7 @@ static struct aa_perms *compute_fperms(struct aa_dfa *dfa)
if (!table)
return NULL;
- /* zero init so skip the trap state (state == 0) */
- for (state = 1; state < state_count; state++) {
+ for (state = 0; state < state_count; state++) {
table[state * 2] = compute_fperms_user(dfa, state);
table[state * 2 + 1] = compute_fperms_other(dfa, state);
}
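Review bot: the removed comment ("zero init so skip the trap state (state == 0)") recorded the reason the loop used to start at 1, and the new loop starting at `state = 0` drops that rationale without replacing it; a one-line comment above the `for` stating that state 0 must be mapped because compat policy can carry permissions there (the reasoning in the commit message) would stop a future reader from reinstating the skip as an apparent optimisation. Relying on callers to infer this from the commit history is fragile given that the earlier comment explicitly claimed the opposite invariant. If any other per-state table builder in this file starts its loop at 1 for the same "zero init" reason, it is worth checking whether it needs the same change.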