Commit 0bac2002 authored by John Johansen's avatar John Johansen

apparmor: fix policy_compat permission remap with extended permissions

If the extended permission table is present we should not be attempting
to do a compat_permission remap as the compat_permissions are not
stored in the dfa accept states.

Fixes: fd1b2b95 ("apparmor: add the ability for policy to specify a permission table")
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
Reviewed-by: default avatarJon Tourville <jontourville@me.com>
parent ba808cb5
...@@ -849,10 +849,12 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) ...@@ -849,10 +849,12 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
} }
profile->attach.xmatch_len = tmp; profile->attach.xmatch_len = tmp;
profile->attach.xmatch.start[AA_CLASS_XMATCH] = DFA_START; profile->attach.xmatch.start[AA_CLASS_XMATCH] = DFA_START;
error = aa_compat_map_xmatch(&profile->attach.xmatch); if (!profile->attach.xmatch.perms) {
if (error) { error = aa_compat_map_xmatch(&profile->attach.xmatch);
info = "failed to convert xmatch permission table"; if (error) {
goto fail; info = "failed to convert xmatch permission table";
goto fail;
}
} }
} }
...@@ -972,10 +974,13 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) ...@@ -972,10 +974,13 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
AA_CLASS_FILE); AA_CLASS_FILE);
if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL)) if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
goto fail; goto fail;
error = aa_compat_map_policy(&rules->policy, e->version); if (!rules->policy.perms) {
if (error) { error = aa_compat_map_policy(&rules->policy,
info = "failed to remap policydb permission table"; e->version);
goto fail; if (error) {
info = "failed to remap policydb permission table";
goto fail;
}
} }
} else } else
rules->policy.dfa = aa_get_dfa(nulldfa); rules->policy.dfa = aa_get_dfa(nulldfa);
...@@ -985,10 +990,12 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) ...@@ -985,10 +990,12 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
if (error) { if (error) {
goto fail; goto fail;
} else if (rules->file.dfa) { } else if (rules->file.dfa) {
error = aa_compat_map_file(&rules->file); if (!rules->file.perms) {
if (error) { error = aa_compat_map_file(&rules->file);
info = "failed to remap file permission table"; if (error) {
goto fail; info = "failed to remap file permission table";
goto fail;
}
} }
} else if (rules->policy.dfa && } else if (rules->policy.dfa &&
rules->policy.start[AA_CLASS_FILE]) { rules->policy.start[AA_CLASS_FILE]) {
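Review bot: The "extended table present, skip remap" guard is copy-pasted at all three call sites (xmatch, policydb, file), so nothing stops a fourth caller of aa_compat_map_*() from reproducing exactly the bug this commit fixes; the check belongs inside the helpers, e.g. `if (rules->policy.perms) return 0;` as the first statement of aa_compat_map_policy(), with the same early return in aa_compat_map_xmatch() and aa_compat_map_file(), after which the call sites can go back to the unconditional form. Taking the skip path also means the kernel now trusts the permission table that arrived in the loaded policy blob instead of deriving one from the dfa accept states, and these hunks do not show where that table's length is checked against the dfa's state count; a comment such as `/* extended perms table is validated against the dfa when unpacked */` at the policydb check would tell the next reader where that trust is established, presumably in the table unpack path, which should be confirmed. unpack_profile() starts and ends outside these hunks.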