On 01/11/2018 01:07 PM, Matthew Garrett wrote:
> The intended behaviour in apparmor profile matching is to flag a
> conflict if two profiles match equally well. However, right now a
> conflict is generated if another profile has the same match length even
> if that profile doesn't actually match. Fix the logic so we only
> generate a conflict if the profiles match.
> 
> Signed-off-by: Matthew Garrett <[email protected]>

Acked-by: John Johansne <[email protected]>

I'll get a pull request together asap

> ---
>  security/apparmor/domain.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> index 04ba9d0718ea..6a54d2ffa840 100644
> --- a/security/apparmor/domain.c
> +++ b/security/apparmor/domain.c
> @@ -330,10 +330,7 @@ static struct aa_profile *__attach_match(const char 
> *name,
>                       continue;
>  
>               if (profile->xmatch) {
> -                     if (profile->xmatch_len == len) {
> -                             conflict = true;
> -                             continue;
> -                     } else if (profile->xmatch_len > len) {
> +                     if (profile->xmatch_len >= len) {
>                               unsigned int state;
>                               u32 perm;
>  
> @@ -342,6 +339,10 @@ static struct aa_profile *__attach_match(const char 
> *name,
>                               perm = dfa_user_allow(profile->xmatch, state);
>                               /* any accepting state means a valid match. */
>                               if (perm & MAY_EXEC) {
> +                                     if (profile->xmatch_len == len) {
> +                                             conflict = true;
> +                                             continue;
> +                                     }
>                                       candidate = profile;
>                                       len = profile->xmatch_len;
>                                       conflict = false;
> 


-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Reply via email to