authorJohn Johansen <john.johansen@canonical.com>2025-11-13 23:59:38 -0800
committerSasha Levin <sashal@kernel.org>2026-03-04 07:20:41 -0500
commit6c7e329629a4ea081fbfc227ac4bdc933b634cf6 (patch)
treed86a2c62a0e1c2db24e707f309ef39dee33a695a /security/apparmor
parentd5eb32cf3e141c42f079d70bad31bd71e5db7b57 (diff)
apparmor: make label_match return a consistent value
[ Upstream commit a4c9efa4dbad6dacad6e8b274e30e814c8353097 ] compound match is inconsistent in returning a state or an integer error; this is problematic if the error is ever used as a state in the state machine Fixes: f1bd904175e81 ("apparmor: add the base fns() for domain labels") Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'security/apparmor')
-rw-r--r--security/apparmor/label.c20
1 files changed, 9 insertions, 11 deletions
diff --git a/security/apparmor/label.c b/security/apparmor/label.c
index 81548248440a..0a96ac6137b0 100644
--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@@ -1290,7 +1290,7 @@ static inline aa_state_t match_component(struct aa_profile *profile,
* @request: permissions to request
* @perms: perms struct to set
*
- * Returns: 0 on success else ERROR
+ * Returns: state match stopped at or DFA_NOMATCH if aborted early
*
* For the label A//&B//&C this does the perm match for A//&B//&C
* @perms should be preinitialized with allperms OR a previous permission
@@ -1317,7 +1317,7 @@ static int label_compound_match(struct aa_profile *profile,
/* no component visible */
*perms = allperms;
- return 0;
+ return state;
next:
label_for_each_cont(i, label, tp) {
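Review bot: The function is still declared `static int label_compound_match(` (see the hunk header), although `return state;` here and both `return state;` and `return DFA_NOMATCH;` in the next hunk now return DFA state values. The caller stores the result in an `aa_state_t`, so the value passes through a signed `int` on the way, assuming aa_state_t is an unsigned type. Changing the signature to `static aa_state_t label_compound_match(` would let the compiler enforce the contract the updated kernel-doc describes, and would make any later reintroduction of an errno return on this path easier to spot. The signature itself lies outside the hunks shown.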
@@ -1329,14 +1329,11 @@ next:
goto fail;
}
*perms = *aa_lookup_perms(rules->policy, state);
- if ((perms->allow & request) != request)
- return -EACCES;
-
- return 0;
+ return state;
fail:
*perms = nullperms;
- return state;
+ return DFA_NOMATCH;
}
/**
@@ -1418,11 +1415,12 @@ int aa_label_match(struct aa_profile *profile, struct aa_ruleset *rules,
struct aa_label *label, aa_state_t state, bool subns,
u32 request, struct aa_perms *perms)
{
- int error = label_compound_match(profile, rules, label, state, subns,
- request, perms);
- if (!error)
- return error;
+ aa_state_t tmp = label_compound_match(profile, rules, label, state, subns,
+ request, perms);
+ if ((perms->allow & request) == request)
+ return 0;
+ /* failed compound_match try component matches */
*perms = allperms;
return label_components_match(profile, rules, label, state, subns,
request, perms);
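Review bot: `tmp` is assigned from label_compound_match() but is not read in the lines shown, so the returned state is discarded and the allow/deny decision rests only on `perms->allow`. If that is intended, drop the variable and call the function purely for its effect on `*perms`, with a comment such as `/* result is carried in perms; returned state is not needed here */`; otherwise some compiler configurations may warn about an unused variable. Separately, `(perms->allow & request) == request` is trivially true when `request` is 0, so the component fallback would be skipped even after the compound match set nullperms; it is worth confirming that callers never pass an empty request. The function's closing brace is outside the hunk.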