Kernel/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2025-01-01 10:45:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

apparmor: unpack transition table if dfa is not present

Browse Source 
Due to a bug in earlier userspaces, a transition table may be present
even when the dfa is not. Commit 7572fea31e
("apparmor: convert fperm lookup to use accept as an index") made the
verification check more rigourous regressing old userspaces with
the bug. For compatibility reasons allow the orphaned transition table
during unpack and discard.

Fixes: 7572fea31e ("apparmor: convert fperm lookup to use accept as an index")
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
Georgia Garcia 2024-06-10 09:51:48 -03:00 committed by John Johansen
parent f4fee216df
commit e0ff0cff1f
1 changed files with 25 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
security/apparmor/policy_unpack.c
View File

@ -747,34 +747,42 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy,
*info = "missing required dfa"; *info = "missing required dfa";
goto fail; goto fail;
} }
goto out; } else {
/*
* only unpack the following if a dfa is present
*
* sadly start was given different names for file and policydb
* but since it is optional we can try both
*/
if (!aa_unpack_u32(e, &pdb->start[0], "start"))
/* default start state */
pdb->start[0] = DFA_START;
if (!aa_unpack_u32(e, &pdb->start[AA_CLASS_FILE], "dfa_start")) {
/* default start state for xmatch and file dfa */
pdb->start[AA_CLASS_FILE] = DFA_START;
} /* setup class index */
for (i = AA_CLASS_FILE + 1; i <= AA_CLASS_LAST; i++) {
pdb->start[i] = aa_dfa_next(pdb->dfa, pdb->start[0],
i);
}
} }
/* /*
* only unpack the following if a dfa is present * Unfortunately due to a bug in earlier userspaces, a
* * transition table may be present even when the dfa is
* sadly start was given different names for file and policydb * not. For compatibility reasons unpack and discard.
* but since it is optional we can try both
*/ */
if (!aa_unpack_u32(e, &pdb->start[0], "start"))
/* default start state */
pdb->start[0] = DFA_START;
if (!aa_unpack_u32(e, &pdb->start[AA_CLASS_FILE], "dfa_start")) {
/* default start state for xmatch and file dfa */
pdb->start[AA_CLASS_FILE] = DFA_START;
} /* setup class index */
for (i = AA_CLASS_FILE + 1; i <= AA_CLASS_LAST; i++) {
pdb->start[i] = aa_dfa_next(pdb->dfa, pdb->start[0],
i);
}
if (!unpack_trans_table(e, &pdb->trans) && required_trans) { if (!unpack_trans_table(e, &pdb->trans) && required_trans) {
*info = "failed to unpack profile transition table"; *info = "failed to unpack profile transition table";
goto fail; goto fail;
} }
if (!pdb->dfa && pdb->trans.table)
aa_free_str_table(&pdb->trans);
/* TODO: move compat mapping here, requires dfa merging first */ /* TODO: move compat mapping here, requires dfa merging first */
/* TODO: move verify here, it has to be done after compat mappings */ /* TODO: move verify here, it has to be done after compat mappings */
out:
*policy = pdb; *policy = pdb;
return 0; return 0;