apparmor: fix overlapping attachment computation

jrjohansen · jrjohansen · commit 2504db207146 · 2022-07-19T02:52:36.000-07:00
When finding the profile via patterned attachments, the longest left match is being set to the static compile time value and not using the runtime computed value. Fix this by setting the candidate value to the greater of the precomputed value or runtime computed value. Fixes: 21f6066 ("apparmor: improve overlapping domain attachment resolution") Signed-off-by: John Johansen <john.johansen@canonical.com>
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
@@ -466,7 +466,7 @@ static struct aa_label *find_attach(const struct linux_binprm *bprm,
 				 * xattrs, or a longer match
 				 */
 				candidate = profile;
-				candidate_len = profile->xmatch_len;
+				candidate_len = max(count, profile->xmatch_len);
 				candidate_xattrs = ret;
 				conflict = false;
 			}
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
@@ -135,7 +135,7 @@ struct aa_profile {
 
 	const char *attach;
 	struct aa_dfa *xmatch;
-	int xmatch_len;
+	unsigned int xmatch_len;
 	enum audit_mode audit;
 	long mode;
 	u32 path_flags;

Original file line number	Diff line number	Diff line change
`@@ -466,7 +466,7 @@ static struct aa_label find_attach(const struct linux_binprm bprm,`
`466`	`466`	`* xattrs, or a longer match`
`467`	`467`	`*/`
`468`	`468`	`candidate = profile;`
`469`		`- candidate_len = profile->xmatch_len;`
	`469`	`+ candidate_len = max(count, profile->xmatch_len);`
`470`	`470`	`candidate_xattrs = ret;`
`471`	`471`	`conflict = false;`
`472`	`472`	`}`