Commit 4d9d1a08 authored by John Johansen

apparmor: fix: accept2 being specified even when permission table is present



The transition to the perms32 permission table dropped the need for
the accept2 table as permissions. However accept2 can be used for
flags and may be present even when the perms32 table is present. So
instead of checking on version, check whether the table is present.

Fixes: 2e12c5f0 ("apparmor: add additional flags to extended permission.")
Signed-off-by: John Johansen <john.johansen@canonical.com>
parent 9afdc6ab
+2 −1
@@ -775,7 +775,8 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy,
		}
	}

	if (pdb->perms && version <= 2) {
	/* accept2 is in some cases being allocated, even with perms */
	if (pdb->perms && !pdb->dfa->tables[YYTD_ID_ACCEPT2]) {
		/* add dfa flags table missing in v2 */
		u32 noents = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_lolen;
		u16 tdflags = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_flags;
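
Review bot: The new condition in unpack_pdb() dereferences pdb->dfa to test tables[YYTD_ID_ACCEPT2], and the body then reads pdb->dfa->tables[YYTD_ID_ACCEPT]->td_lolen and ->td_flags, with no NULL check on either pointer in the visible lines. With the `version <= 2` guard gone, this block is reached for any policy version that has perms but no accept2 table, so please confirm that pdb->dfa and the ACCEPT table are guaranteed non-NULL earlier in the function, or add that test to the condition. The inner comment "add dfa flags table missing in v2" is also stale now that the check no longer keys on version; it should say the flags table is added whenever accept2 is absent. The new comment "accept2 is in some cases being allocated, even with perms" would be more useful if it named the case from the commit message, namely that accept2 can carry flags alongside the perms32 table.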