Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
apparmor: make label_match return a consistent value

compound match is inconsistent in returning a state or an integer error
this is problematic if the error is ever used as a state in the state
machine

Fixes: f1bd904175e81 ("apparmor: add the base fns() for domain labels")
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

+9 -11
security/apparmor/label.c
··· 1278 1278 * @request: permissions to request 1279 1279 * @perms: perms struct to set 1280 1280 * 1281 - * Returns: 0 on success else ERROR 1281 + * Returns: state match stopped at or DFA_NOMATCH if aborted early 1282 1282 * 1283 1283 * For the label A//&B//&C this does the perm match for A//&B//&C 1284 1284 * @perms should be preinitialized with allperms OR a previous permission ··· 1305 1305 1306 1306 /* no component visible */ 1307 1307 *perms = allperms; 1308 - return 0; 1308 + return state; 1309 1309 1310 1310 next: 1311 1311 label_for_each_cont(i, label, tp) { ··· 1317 1317 goto fail; 1318 1318 } 1319 1319 *perms = *aa_lookup_perms(rules->policy, state); 1320 - if ((perms->allow & request) != request) 1321 - return -EACCES; 1322 - 1323 - return 0; 1320 + return state; 1324 1321 1325 1322 fail: 1326 1323 *perms = nullperms; 1327 - return state; 1324 + return DFA_NOMATCH; 1328 1325 } 1329 1326 1330 1327 /** ··· 1403 1406 struct aa_label *label, aa_state_t state, bool subns, 1404 1407 u32 request, struct aa_perms *perms) 1405 1408 { 1406 - int error = label_compound_match(profile, rules, label, state, subns, 1407 - request, perms); 1408 - if (!error) 1409 - return error; 1409 + aa_state_t tmp = label_compound_match(profile, rules, label, state, subns, 1410 + request, perms); 1411 + if ((perms->allow & request) == request) 1412 + return 0; 1410 1413 1414 + /* failed compound_match try component matches */ 1411 1415 *perms = allperms; 1412 1416 return label_components_match(profile, rules, label, state, subns, 1413 1417 request, perms);
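
Review bot: The new "Returns:" line in the kernel-doc above label_compound_match() leaves two paths undocumented: the "no component visible" path returns the incoming `state` with `*perms = allperms`, and the `fail:` path pairs `DFA_NOMATCH` with `*perms = nullperms`. Suggest spelling both out in the comment, since callers now have to interpret the state and the perms struct together rather than a 0/-errno result.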
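
Review bot: With the `(perms->allow & request) != request` test dropped from the tail of label_compound_match(), `request` is no longer consulted in the lines shown and the -EACCES decision moves to every caller. The kernel-doc should state that callers must compare @request against `perms->allow` themselves, and any caller other than label_match() that still treats the return as 0 on success needs converting, because a valid state returned on the success path would now read as an error there.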
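
Review bot: In label_match(), `tmp` is assigned the return of label_compound_match() but never read in the lines shown, so the new state/DFA_NOMATCH return has no consumer here and the declaration may draw an unused-variable warning. Either drop the variable and call the function only for its effect on `*perms`, or test `tmp` against `DFA_NOMATCH` before the permission check so the aborted-early case is handled explicitly. As written, `(perms->allow & request) == request` is trivially true when `request` is 0, so that case returns 0 even after the `fail:` path.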