
Commit 475bdda1 authored by John Johansen

apparmor: root view labels should not be under user control



The root view of the label parse should not be exposed to user
control.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
parent 71fa373b
+2 −3
@@ -1871,8 +1871,9 @@ struct aa_label *aa_label_strn_parse(struct aa_label *base, const char *str,
	AA_BUG(!str);

	str = skipn_spaces(str, n);
	if (str == NULL)
	if (str == NULL || (*str == '=' && base != &root_ns->unconfined->label))
		return ERR_PTR(-EINVAL);

	len = label_count_strn_entries(str, end - str);
	if (*str == '&' || force_stack) {
		/* stack on top of base */
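Review bot: The combined condition `if (str == NULL || (*str == '=' && base != &root_ns->unconfined->label))` has no comment explaining why a leading '=' is only accepted when the caller already passed the root unconfined label as base, and it returns the same -EINVAL as the empty-string case. A one-line comment above the check, saying that '=' selects the root view and so must not be reachable from a user-supplied base, would make the intent clear to anyone touching this parser later. Note also that the check only looks at the first character after skipn_spaces, so it does not see a '=' that follows a leading '&'.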
@@ -1881,8 +1882,6 @@ struct aa_label *aa_label_strn_parse(struct aa_label *base, const char *str,
		if (*str == '&')
			str++;
	}
	if (*str == '=')
		base = &root_ns->unconfined->label;

	error = vec_setup(profile, vec, len, gfp);
	if (error)
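Review bot: With the `if (*str == '=')` rebase dropped after the '&' skip, an input beginning with "&=" is not caught by the entry check (its first character is '&'), so it reaches vec_setup with '=' still at str and base unchanged. Please confirm the name parsing that follows rejects a leading '=' in that position, or add an explicit -EINVAL after `str++` so the stacked form fails the same way as the unstacked one.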