apparmor: fix policy_compat permission remap with extended permissions
If the extended permission table is present we should not be attempting
to do a compat_permission remap as the compat_permissions are not
stored in the dfa accept states.
Fixes: fd1b2b95a2
("apparmor: add the ability for policy to specify a permission table")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Jon Tourville <jontourville@me.com>
parent
ba808cb5ed
commit
0bac2002b3
@ -849,10 +849,12 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
|
||||
}
|
||||
profile->attach.xmatch_len = tmp;
|
||||
profile->attach.xmatch.start[AA_CLASS_XMATCH] = DFA_START;
|
||||
error = aa_compat_map_xmatch(&profile->attach.xmatch);
|
||||
if (error) {
|
||||
info = "failed to convert xmatch permission table";
|
||||
goto fail;
|
||||
if (!profile->attach.xmatch.perms) {
|
||||
error = aa_compat_map_xmatch(&profile->attach.xmatch);
|
||||
if (error) {
|
||||
info = "failed to convert xmatch permission table";
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -972,10 +974,13 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
|
||||
AA_CLASS_FILE);
|
||||
if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
|
||||
goto fail;
|
||||
error = aa_compat_map_policy(&rules->policy, e->version);
|
||||
if (error) {
|
||||
info = "failed to remap policydb permission table";
|
||||
goto fail;
|
||||
if (!rules->policy.perms) {
|
||||
error = aa_compat_map_policy(&rules->policy,
|
||||
e->version);
|
||||
if (error) {
|
||||
info = "failed to remap policydb permission table";
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
} else
|
||||
rules->policy.dfa = aa_get_dfa(nulldfa);
|
||||
@ -985,10 +990,12 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
|
||||
if (error) {
|
||||
goto fail;
|
||||
} else if (rules->file.dfa) {
|
||||
error = aa_compat_map_file(&rules->file);
|
||||
if (error) {
|
||||
info = "failed to remap file permission table";
|
||||
goto fail;
|
||||
if (!rules->file.perms) {
|
||||
error = aa_compat_map_file(&rules->file);
|
||||
if (error) {
|
||||
info = "failed to remap file permission table";
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
} else if (rules->policy.dfa &&
|
||||
rules->policy.start[AA_CLASS_FILE]) {
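Review bot: In all three hunks the new `if (!….perms)` guard makes the presence of a policy-supplied permission table the only condition for skipping the compat remap, and nothing visible here checks that the DFA's accept states are valid indexes into that table. Both the table and the DFA come from the policy blob being unpacked, so the unpack path should reject a profile whose accept values fall outside the table before the profile can be used. Whether such a check exists elsewhere in unpack_profile() cannot be told from these hunks, because the function starts and ends outside them. Separately, each guard deserves a short comment such as `/* extended perms table present: accept states do not hold compat perms, skip remap */`, since the reason is currently stated only in the commit message.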
|
||||
|