Commit 90587986 authored by John Johansen's avatar John Johansen
Browse files

apparmor: fix aa_label to return state from compount and component match 



aa-label_match is not correctly returning the state in all cases.
The only reason this didn't cause a error is that all callers currently
ignore the return value.

Reported-by: default avatarkernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202602020631.wXgZosyU-lkp@intel.com/


Fixes: a4c9efa4 ("apparmor: make label_match return a consistent value")
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 102ada7c

security/apparmor/label.c

+6 −6
Original line number Diff line number Diff line
@@ -1334,7 +1334,7 @@ static int label_compound_match(struct aa_profile *profile, 
 * @request: permissions to request

 * @perms: an initialized perms struct to add accumulation to

 *

 * Returns: 0 on success else ERROR

 * Returns: the state the match finished in, may be the none matching state

 *

 * For the label A//&B//&C this does the perm match for each of A and B and C

 * @perms should be preinitialized with allperms OR a previous permission
@@ -1362,7 +1362,7 @@ static int label_components_match(struct aa_profile *profile, 
	}



	/* no subcomponents visible - no change in perms */

	return 0;

	return state;



next:

	tmp = *aa_lookup_perms(rules->policy, state);
@@ -1378,13 +1378,13 @@ static int label_components_match(struct aa_profile *profile, 
	}



	if ((perms->allow & request) != request)

		return -EACCES;

		return DFA_NOMATCH;



	return 0;

	return state;



fail:

	*perms = nullperms;

	return -EACCES;

	return DFA_NOMATCH;

}



/**
@@ -1406,7 +1406,7 @@ int aa_label_match(struct aa_profile *profile, struct aa_ruleset *rules, 
	aa_state_t tmp = label_compound_match(profile, rules, label, state,

					      inview, request, perms);

	if ((perms->allow & request) == request)

		return 0;

		return tmp;



	/* failed compound_match try component matches */

	*perms = allperms;