Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

apparmor: Fix regression in stacking due to label flags

The unconfined label flag is not being computed correctly. It
should only be set if all the profiles in the vector are set, which
is different from what is required for the debug and stale flags,
which are set if any of the profile flags are set.

Fixes: c1ed5da19765 ("apparmor: allow label to carry debug flags")
Signed-off-by: John Johansen <john.johansen@canonical.com>

+7 -5
security/apparmor/label.c
··· 197 197 return false; 198 198 } 199 199 200 - static long union_vec_flags(struct aa_profile **vec, int n, long mask) 200 + static long accum_vec_flags(struct aa_profile **vec, int n) 201 201 { 202 - long u = 0; 202 + long u = FLAG_UNCONFINED; 203 203 int i; 204 204 205 205 AA_BUG(!vec); 206 206 207 207 for (i = 0; i < n; i++) { 208 - u |= vec[i]->label.flags & mask; 208 + u |= vec[i]->label.flags & (FLAG_DEBUG1 | FLAG_DEBUG2 | 209 + FLAG_STALE); 210 + if (!(u & vec[i]->label.flags & FLAG_UNCONFINED)) 211 + u &= ~FLAG_UNCONFINED; 209 212 } 210 213 211 214 return u; ··· 1100 1097 else if (k == b->size) 1101 1098 return aa_get_label(b); 1102 1099 } 1103 - new->flags |= union_vec_flags(new->vec, new->size, FLAG_UNCONFINED | 1104 - FLAG_DEBUG1 | FLAG_DEBUG2); 1100 + new->flags |= accum_vec_flags(new->vec, new->size); 1105 1101 ls = labels_set(new); 1106 1102 write_lock_irqsave(&ls->lock, flags); 1107 1103 label = __label_insert(labels_set(new), new, false);
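Review bot: in accum_vec_flags the empty-vector case silently changes meaning: `u` starts as FLAG_UNCONFINED and the loop is the only thing that clears it, so for n == 0 the function now reports an unconfined label where the old union_vec_flags returned 0. The all-of semantics therefore rely on every caller passing at least one profile; an `AA_BUG(n <= 0)` next to the existing `AA_BUG(!vec)` would make that assumption explicit. Also, the per-iteration test `!(u & vec[i]->label.flags & FLAG_UNCONFINED)` works (once the bit is cleared from `u` the clear is a no-op), but `!(vec[i]->label.flags & FLAG_UNCONFINED)` expresses the "every profile must be unconfined" rule more directly and is easier to audit. Finally, FLAG_STALE is now folded into the accumulated mask inside the helper, whereas the removed `mask` parameter let each caller choose; that matches the commit message but is a behaviour change worth a sentence in the log.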
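Review bot: at the call site the result is still merged with `new->flags |= accum_vec_flags(...)`, and `|=` can only add bits. If `new->flags` could already carry FLAG_UNCONFINED before this line (for example from a prior copy of flags during allocation), the fix would not clear it even though accum_vec_flags now correctly reports the label as confined. The change is correct if `new` is freshly allocated with zeroed flags here; please confirm that, or mask the flag bits out before the OR (e.g. `new->flags &= ~(FLAG_UNCONFINED | FLAG_DEBUG1 | FLAG_DEBUG2 | FLAG_STALE);` first) so the computed value is authoritative. Dropping the explicit `FLAG_UNCONFINED | FLAG_DEBUG1 | FLAG_DEBUG2` argument also means FLAG_STALE is now accumulated at this site where it previously was not; that is consistent with the message but is a second behavioural change folded into a one-line regression fix.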