Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

apparmor: return error on namespace mismatch in verify_header

When profiles in a multi-profile load specify different namespaces,
the audit record is generated but execution continues, causing the
function to return success. This violates the load requirement that
all profiles must target the same namespace.

Add the missing return statement after auditing the error.

Reported-by: Qualys Security Advisory <qsa@qualys.com>
Fixes: dd51c8485763 ("apparmor: provide base for multiple profiles to be replaced at once")
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

authored by Massimiliano Pellizzer and committed by John Johansen
8813837a 4afc6170

+1
+1
security/apparmor/policy_unpack.c
··· 1440 1440 if (*ns && strcmp(*ns, name)) { 1441 1441 audit_iface(NULL, NULL, NULL, "invalid ns change", e, 1442 1442 error); 1443 + return error; 1443 1444 } else if (!*ns) { 1444 1445 *ns = kstrdup(name, GFP_KERNEL); 1445 1446 if (!*ns)
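
Review bot: The added `return error;` at line 1443 only rejects the load if `error` already holds a negative errno when the namespace-mismatch branch is reached, and its assignment sits outside the context shown here. Please confirm that value on this path (or set it explicitly before the audit call), since a zero would still report success after the "invalid ns change" record is written. As a style point, now that the first branch returns, the following `} else if (!*ns) {` can be a plain `if (!*ns) {`.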