Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 15372b97 authored by John Johansen's avatar John Johansen
Browse files

apparmor: ensure unconfined profiles have dfas initialized 



Generally unconfined has early bailout tests and does not need the
dfas initialized, however if an early bailout test is ever missed
it will result in an oops.

Be defensive and initialize the unconfined profile to have null dfas
(no permission) so if an early bailout test is missed we fail
closed (no perms granted) instead of oopsing.

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 290638a5

security/apparmor/policy_ns.c

+2 −0
Original line number Diff line number Diff line
@@ -112,6 +112,8 @@ static struct aa_ns *alloc_ns(const char *prefix, const char *name) 
	ns->unconfined->label.flags |= FLAG_IX_ON_NAME_ERROR |

		FLAG_IMMUTIBLE | FLAG_NS_COUNT | FLAG_UNCONFINED;

	ns->unconfined->mode = APPARMOR_UNCONFINED;

	ns->unconfined->file.dfa = aa_get_dfa(nulldfa);

	ns->unconfined->policy.dfa = aa_get_dfa(nulldfa);



	/* ns and ns->unconfined share ns->unconfined refcount */

	ns->unconfined->ns = ns;