6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryan Lee ryan.lee@canonical.com
commit 17d0d04f3c999e7784648bad70ce1766c3b49d69 upstream.
attach->xmatch was not set when allocating a null profile, which is used in complain mode to allocate a learning profile. This was causing downstream failures in find_attach, which expected a valid xmatch but did not find one under a certain sequence of profile transitions in complain mode.
This patch ensures the xmatch is set up properly for null profiles.
Signed-off-by: Ryan Lee ryan.lee@canonical.com Signed-off-by: John Johansen john.johansen@canonical.com Cc: Paul Kramme kramme@digitalmanufaktur.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- security/apparmor/policy.c | 1 + 1 file changed, 1 insertion(+)
--- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -626,6 +626,7 @@ struct aa_profile *aa_alloc_null(struct
/* TODO: ideally we should inherit abi from parent */ profile->label.flags |= FLAG_NULL; + profile->attach.xmatch = aa_get_pdb(nullpdb); rules = list_first_entry(&profile->rules, typeof(*rules), list); rules->file = aa_get_pdb(nullpdb); rules->policy = aa_get_pdb(nullpdb);