From: Ryan Lee Date: Wed, 21 Aug 2024 18:01:56 +0000 (-0700) Subject: apparmor: allocate xmatch for nullpdb inside aa_alloc_null X-Git-Tag: microblaze-v6.16~497^2~17 X-Git-Url: http://git.monstr.eu/?a=commitdiff_plain;h=17d0d04f3c999e7784648bad70ce1766c3b49d69;p=linux-2.6-microblaze.git apparmor: allocate xmatch for nullpdb inside aa_alloc_null attach->xmatch was not set when allocating a null profile, which is used in complain mode to allocate a learning profile. This was causing downstream failures in find_attach, which expected a valid xmatch but did not find one under a certain sequence of profile transitions in complain mode. This patch ensures the xmatch is set up properly for null profiles. Signed-off-by: Ryan Lee Signed-off-by: John Johansen --- diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c index 14df15e35695..105706abf281 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -626,6 +626,7 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name, /* TODO: ideally we should inherit abi from parent */ profile->label.flags |= FLAG_NULL; + profile->attach.xmatch = aa_get_pdb(nullpdb); rules = list_first_entry(&profile->rules, typeof(*rules), list); rules->file = aa_get_pdb(nullpdb); rules->policy = aa_get_pdb(nullpdb);
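Review bot: the added line "profile->attach.xmatch = aa_get_pdb(nullpdb);" in aa_alloc_null takes another reference on nullpdb, as the rules->file and rules->policy assignments below it do, and nothing in this hunk shows where that reference is dropped. Please confirm that the profile free path releases attach.xmatch, since complain mode allocates a learning profile through this function and an unpaired get would leak one nullpdb reference per null profile. A one-line comment beside the assignment stating that find_attach expects a valid xmatch would record why the field must be set here. The commit message describes the trigger only as "a certain sequence of profile transitions in complain mode" and carries no Fixes: tag; naming the sequence and the commit that left attach.xmatch unset would make clear which kernels need the backport.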