Commit b2e27be2 authored by John Johansen's avatar John Johansen
Browse files

apparmor: remove apply_modes_to_perms from label_match 



The modes shouldn't be applied at the point of label match, it just
results in them being applied multiple times. Instead they should be
applied after which is already being done by all callers so it can
just be dropped from label_match.

Reviewed-by: default avatarGeorgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 9f79b1ce

security/apparmor/label.c

+0 −3
Original line number Diff line number Diff line
@@ -1317,7 +1317,6 @@ static int label_compound_match(struct aa_profile *profile, 
			goto fail;

	}

	*perms = *aa_lookup_perms(rules->policy, state);

	aa_apply_modes_to_perms(profile, perms);

	if ((perms->allow & request) != request)

		return -EACCES;
@@ -1370,7 +1369,6 @@ static int label_components_match(struct aa_profile *profile, 


next:

	tmp = *aa_lookup_perms(rules->policy, state);

	aa_apply_modes_to_perms(profile, &tmp);

	aa_perms_accum(perms, &tmp);

	label_for_each_cont(i, label, tp) {

		if (!aa_ns_visible(profile->ns, tp->ns, subns))
@@ -1379,7 +1377,6 @@ static int label_components_match(struct aa_profile *profile, 
		if (!state)

			goto fail;

		tmp = *aa_lookup_perms(rules->policy, state);

		aa_apply_modes_to_perms(profile, &tmp);

		aa_perms_accum(perms, &tmp);

	}