diff options
author | John Johansen <john.johansen@canonical.com> | 2023-02-15 05:21:17 +0100 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2023-02-15 20:24:38 +0100 |
commit | cbb13e12a5d3ecef400716ea7d12a9268b0f37ca (patch) | |
tree | 8c366e29f297868d52f4da45d688a1758499b975 /security/apparmor | |
parent | Merge tag 'pm-6.2-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/rafae... (diff) | |
download | linux-cbb13e12a5d3ecef400716ea7d12a9268b0f37ca.tar.xz linux-cbb13e12a5d3ecef400716ea7d12a9268b0f37ca.zip |
apparmor: Fix regression in compat permissions for getattr
This fixes a regression in mediation of getattr when old policy built
under an older ABI is loaded and mapped to internal permissions.
The regression does not occur for all getattr permission requests,
only appearing if state zero is the final state in the permission
lookup. This is because despite the first state (index 0) being
guaranteed to not have permissions in both newer and older permission
formats, it may have to carry permissions that were not mediated as
part of an older policy. These backward compat permissions are
mapped here to avoid special casing the mediation code paths.
Since the mapping code already takes into account backwards compat
permission from older formats it can be applied to state 0 to fix
the regression.
Fixes: 408d53e923bd ("apparmor: compute file permissions on profile load")
Reported-by: Philip Meulengracht <the_meulengracht@hotmail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor')
-rw-r--r-- | security/apparmor/policy_compat.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/security/apparmor/policy_compat.c b/security/apparmor/policy_compat.c index 9e52e218bf30..cc89d1e88fb7 100644 --- a/security/apparmor/policy_compat.c +++ b/security/apparmor/policy_compat.c @@ -160,8 +160,7 @@ static struct aa_perms *compute_fperms(struct aa_dfa *dfa) if (!table) return NULL; - /* zero init so skip the trap state (state == 0) */ - for (state = 1; state < state_count; state++) { + for (state = 0; state < state_count; state++) { table[state * 2] = compute_fperms_user(dfa, state); table[state * 2 + 1] = compute_fperms_other(dfa, state); } |