author | John Johansen <john.johansen@canonical.com> | 2017-08-16 05:48:06 -0700 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2017-09-22 13:00:58 -0700 |
commit | 15372b97aa7593c6f5bc1afe69f42fd403c40685 (patch) | |
tree | 31992972666da995cce4785f88a7c87f0d6a6b8e /security | |
parent | 290638a52a808d658bd04b746b3ca46886c157e0 (diff) | |
apparmor: ensure unconfined profiles have dfas initialized

Generally unconfined has early bailout tests and does not need the
dfas initialized, however if an early bailout test is ever missed
it will result in an oops.

Be defensive and initialize the unconfined profile to have null dfas
(no permission) so if an early bailout test is missed we fail
closed (no perms granted) instead of oopsing.

Signed-off-by: John Johansen <john.johansen@canonical.com>

Diffstat (limited to 'security')
-rw-r--r-- | security/apparmor/policy_ns.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/security/apparmor/policy_ns.c b/security/apparmor/policy_ns.c index 351d3ba..62a3589 100644 --- a/security/apparmor/policy_ns.c +++ b/security/apparmor/policy_ns.c @@ -112,6 +112,8 @@ static struct aa_ns *alloc_ns(const char *prefix, const char *name) ns->unconfined->label.flags |= FLAG_IX_ON_NAME_ERROR | FLAG_IMMUTIBLE | FLAG_NS_COUNT | FLAG_UNCONFINED; ns->unconfined->mode = APPARMOR_UNCONFINED; + ns->unconfined->file.dfa = aa_get_dfa(nulldfa); + ns->unconfined->policy.dfa = aa_get_dfa(nulldfa); /* ns and ns->unconfined share ns->unconfined refcount */ ns->unconfined->ns = ns; |
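
Review bot: The two added assignments after `ns->unconfined->mode = APPARMOR_UNCONFINED;` carry no comment saying why an unconfined profile needs a dfa at all. The fail-closed rationale lives only in the commit message, so a one-line comment above them (for example `/* fail closed if an early bailout test is missed */`) would keep a later cleanup from dropping them as dead initialization. Each `aa_get_dfa(nulldfa)` call also takes a reference, and nothing in this hunk shows the matching release, so please confirm that the path freeing `ns->unconfined` puts both `file.dfa` and `policy.dfa`. It is also worth confirming that `nulldfa` is set up before the first `alloc_ns()` call; if it is not, both pointers stay NULL for that namespace and the oops this change guards against remains reachable.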