On 01/11/2018 01:07 PM, Matthew Garrett wrote:
> The intended behaviour in apparmor profile matching is to flag a
> conflict if two profiles match equally well. However, right now a
> conflict is generated if another profile has the same match length even
> if that profile doesn't actually match. Fix the logic so we only
> generate a conflict if the profiles match.
>
> Signed-off-by: Matthew Garrett <[email protected]>
Acked-by: John Johansen <[email protected]> I'll get a pull request together asap > --- > security/apparmor/domain.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c > index 04ba9d0718ea..6a54d2ffa840 100644 > --- a/security/apparmor/domain.c > +++ b/security/apparmor/domain.c > @@ -330,10 +330,7 @@ static struct aa_profile *__attach_match(const char > *name, > continue; > > if (profile->xmatch) { > - if (profile->xmatch_len == len) { > - conflict = true; > - continue; > - } else if (profile->xmatch_len > len) { > + if (profile->xmatch_len >= len) { > unsigned int state; > u32 perm; > > @@ -342,6 +339,10 @@ static struct aa_profile *__attach_match(const char > *name, > perm = dfa_user_allow(profile->xmatch, state); > /* any accepting state means a valid match. */ > if (perm & MAY_EXEC) { > + if (profile->xmatch_len == len) { > + conflict = true; > + continue; > + } > candidate = profile; > len = profile->xmatch_len; > conflict = false; > -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
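Review bot: in the first hunk, the relaxation from `>` to `>=` at `if (profile->xmatch_len >= len)` is what lets a profile whose xmatch_len ties the current best reach the xmatch DFA instead of being declared conflicting up front; the cost is that every tied profile now runs the DFA, which is the right trade because the old shortcut never verified that the profile matched at all. A one-line comment above the condition saying that ties are resolved after matching would help, since on its own `>=` reads like a longest-match mistake.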
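Review bot: in the second hunk, moving the `xmatch_len == len` check inside `if (perm & MAY_EXEC)` is correct: a profile is only treated as conflicting once its xmatch actually accepts the name, and a later strictly longer match still clears the flag through `conflict = false`, so longest-match semantics are unchanged. Before this change a non-matching profile that merely shared the candidate's xmatch_len set `conflict = true` without ever being matched, so whether a program gets its intended profile attached depended on unrelated profiles' match lengths; given that effect, consider adding a Fixes: tag naming the commit that introduced the length-only shortcut so the change is picked up by stable trees.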
