Commit e0ff0cff authored by Georgia Garcia, committed by John Johansen

apparmor: unpack transition table if dfa is not present



Due to a bug in earlier userspaces, a transition table may be present
even when the dfa is not. Commit 7572fea3
("apparmor: convert fperm lookup to use accept as an index") made the
verification check more rigorous, regressing old userspaces with
the bug. For compatibility reasons allow the orphaned transition table
during unpack and discard.

Fixes: 7572fea3 ("apparmor: convert fperm lookup to use accept as an index")
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
parent f4fee216
+25 −17
@@ -747,9 +747,7 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy,
			*info = "missing required dfa";
			goto fail;
		}
		goto out;
	}

	} else {
		/*
		 * only unpack the following if a dfa is present
		 *
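Review bot: with the `goto out;` early return removed from the `!pdb->dfa` branch and the dfa-dependent unpacking moved under `} else {`, please confirm the `out:` label that the second hunk still keeps has another user in `unpack_pdb`; if this was its only `goto`, the label should go too, or the build will report an unused label. It would also help to extend the "only unpack the following if a dfa is present" comment to say that the transition table is deliberately handled outside this else branch, since a reader of this hunk alone cannot see why the branch was restructured.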
@@ -767,14 +765,24 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy,
			pdb->start[i] = aa_dfa_next(pdb->dfa, pdb->start[0],
						    i);
		}
	}

	/*
	 * Unfortunately due to a bug in earlier userspaces, a
	 * transition table may be present even when the dfa is
	 * not. For compatibility reasons unpack and discard.
	 */
	if (!unpack_trans_table(e, &pdb->trans) && required_trans) {
		*info = "failed to unpack profile transition table";
		goto fail;
	}

	if (!pdb->dfa && pdb->trans.table)
		aa_free_str_table(&pdb->trans);

	/* TODO: move compat mapping here, requires dfa merging first */
	/* TODO: move verify here, it has to be done after compat mappings */
out:

	*policy = pdb;
	return 0;
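Review bot: the combination `if (!unpack_trans_table(e, &pdb->trans) && required_trans)` followed by `if (!pdb->dfa && pdb->trans.table) aa_free_str_table(&pdb->trans);` means a caller that sets `required_trans` with no dfa present will fail the unpack if the table is missing but silently discard it if it is present; that is the intended compatibility behaviour for old userspaces, but the comment should state that the orphaned table is never verified against a dfa (verification is still deferred per the TODO below) and is dropped rather than used, so nobody later treats `pdb->trans` as meaningful on the no-dfa path. Also worth checking that `aa_free_str_table` resets `trans.table` and `trans.size` so the later free of `pdb` does not see a stale pointer.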