summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2017-08-16 05:48:06 -0700
committerJohn Johansen <john.johansen@canonical.com>2017-09-22 13:00:58 -0700
commit15372b97aa7593c6f5bc1afe69f42fd403c40685 (patch)
tree31992972666da995cce4785f88a7c87f0d6a6b8e /security
parent290638a52a808d658bd04b746b3ca46886c157e0 (diff)
downloadop-kernel-dev-15372b97aa7593c6f5bc1afe69f42fd403c40685.zip
op-kernel-dev-15372b97aa7593c6f5bc1afe69f42fd403c40685.tar.gz
apparmor: ensure unconfined profiles have dfas initialized
Generally unconfined has early bailout tests and does not need the dfas initialized, however if an early bailout test is ever missed it will result in an oops. Be defensive and initialize the unconfined profile to have null dfas (no permission) so if an early bailout test is missed we fail closed (no perms granted) instead of oopsing. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/policy_ns.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/security/apparmor/policy_ns.c b/security/apparmor/policy_ns.c
index 351d3ba..62a3589 100644
--- a/security/apparmor/policy_ns.c
+++ b/security/apparmor/policy_ns.c
@@ -112,6 +112,8 @@ static struct aa_ns *alloc_ns(const char *prefix, const char *name)
ns->unconfined->label.flags |= FLAG_IX_ON_NAME_ERROR |
FLAG_IMMUTIBLE | FLAG_NS_COUNT | FLAG_UNCONFINED;
ns->unconfined->mode = APPARMOR_UNCONFINED;
+ ns->unconfined->file.dfa = aa_get_dfa(nulldfa);
+ ns->unconfined->policy.dfa = aa_get_dfa(nulldfa);
/* ns and ns->unconfined share ns->unconfined refcount */
ns->unconfined->ns = ns;
OpenPOWER on IntegriCloud