Commit 0bac2002 authored by John Johansen's avatar John Johansen

apparmor: fix policy_compat permission remap with extended permissions



If the extended permission table is present we should not be attempting
to do a compat_permission remap as the compat_permissions are not
stored in the dfa accept states.

Fixes: fd1b2b95 ("apparmor: add the ability for policy to specify a permission table")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Jon Tourville <jontourville@me.com>
parent ba808cb5
+19 −12
@@ -849,12 +849,14 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
		}
		profile->attach.xmatch_len = tmp;
		profile->attach.xmatch.start[AA_CLASS_XMATCH] = DFA_START;
		if (!profile->attach.xmatch.perms) {
			error = aa_compat_map_xmatch(&profile->attach.xmatch);
			if (error) {
				info = "failed to convert xmatch permission table";
				goto fail;
			}
		}
	}

	/* disconnected attachment string is optional */
	(void) aa_unpack_str(e, &profile->disconnected, "disconnected");
@@ -972,11 +974,14 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
				      AA_CLASS_FILE);
		if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
			goto fail;
		error = aa_compat_map_policy(&rules->policy, e->version);
		if (!rules->policy.perms) {
			error = aa_compat_map_policy(&rules->policy,
						     e->version);
			if (error) {
				info = "failed to remap policydb permission table";
				goto fail;
			}
		}
	} else
		rules->policy.dfa = aa_get_dfa(nulldfa);

@@ -985,11 +990,13 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
	if (error) {
		goto fail;
	} else if (rules->file.dfa) {
		if (!rules->file.perms) {
			error = aa_compat_map_file(&rules->file);
			if (error) {
				info = "failed to remap file permission table";
				goto fail;
			}
		}
	} else if (rules->policy.dfa &&
		   rules->policy.start[AA_CLASS_FILE]) {
		rules->file.dfa = aa_get_dfa(rules->policy.dfa);
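Review bot: The three new `if (!...perms)` guards (the xmatch one in the first hunk, `if (!rules->policy.perms)` in the second and `if (!rules->file.perms)` in the third) carry no comment saying why the compat remap is skipped; the reason lives only in the commit message, and a reader of the code later will wonder whether the extended-table case is an oversight. Suggest one comment at the first guard, `/* an extended permission table replaces the compat perms encoded in the dfa accept states, so no remap is needed */`, and a short `/* see xmatch above */` at the other two. With the remap skipped, a non-NULL perms table is trusted as-is, so the accept-state index used for lookups is bounded only by whatever validated the table's length against the dfa when it was unpacked; if unpack_pdb (outside these hunks) does not already reject a table shorter than the dfa's accept count, that check should be added there rather than relied on implicitly here. unpack_profile starts and ends outside the hunks, and the lines between the second and third hunk that reassign `error` are not visible, so whether `error` is guaranteed fresh after the skipped branch cannot be confirmed from this view.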