Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
apparmor: ensure labels with more than one entry have correct flags
labels containing more than one entry need to accumulate flag info
from profiles that the label is constructed from. This is done
correctly for labels created by a merge but is not being done for
labels created by an update or directly created via a parse.
This technically is a bug fix, however the effect in current code is
to cause early unconfined bail out to not happen (ie. without the fix
it is slower) on labels that were created via update or a parse.
Signed-off-by: John Johansen <john.johansen@canonical.com>
+2
-1
+2
-1
security/apparmor/label.c
+2
-1
security/apparmor/label.c
···
645
645
rb_replace_node(&old->node, &new->node, &ls->root);
646
646
old->flags &= ~FLAG_IN_TREE;
647
647
new->flags |= FLAG_IN_TREE;
648
+
new->flags |= accum_vec_flags(new->vec, new->size);
648
649
return true;
649
650
}
650
651
···
706
705
rb_link_node(&label->node, parent, new);
707
706
rb_insert_color(&label->node, &ls->root);
708
707
label->flags |= FLAG_IN_TREE;
708
+
label->flags |= accum_vec_flags(label->vec, label->size);
709
709
710
710
return aa_get_label(label);
711
711
}
···
1087
1085
else if (k == b->size)
1088
1086
return aa_get_label(b);
1089
1087
}
1090
-
new->flags |= accum_vec_flags(new->vec, new->size);
1091
1088
ls = labels_set(new);
1092
1089
write_lock_irqsave(&ls->lock, flags);
1093
1090
label = __label_insert(labels_set(new), new, false);