apparmor: allocate xmatch for nullpdb inside aa_alloc_null

attach->xmatch was not set when allocating a null profile, which is used in
complain mode to allocate a learning profile. This was causing downstream
failures in find_attach, which expected a valid xmatch but did not find
one under a certain sequence of profile transitions in complain mode.

This patch ensures the xmatch is set up properly for null profiles.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 14df15e..105706a 100644 (file)
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -626,6 +626,7 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
 
        /* TODO: ideally we should inherit abi from parent */
        profile->label.flags |= FLAG_NULL;
+       profile->attach.xmatch = aa_get_pdb(nullpdb);
        rules = list_first_entry(&profile->rules, typeof(*rules), list);
        rules->file = aa_get_pdb(nullpdb);
        rules->policy = aa_get_pdb(nullpdb);