From: John Johansen john.johansen@canonical.com
stable inclusion from stable-v5.10.138 commit 2672f3eb7a7f8bc076a146c6f062233f56b1d3c1 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I60QFD
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit 2504db207146543736e877241f3b3de005cbe056 upstream.
When finding the profile via patterned attachments, the longest left match is being set to the static compile time value and not using the runtime computed value.
Fix this by setting the candidate value to the greater of the precomputed value or runtime computed value.
Fixes: 21f606610502 ("apparmor: improve overlapping domain attachment resolution") Signed-off-by: John Johansen john.johansen@canonical.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com Reviewed-by: Wei Li liwei391@huawei.com --- security/apparmor/domain.c | 2 +- security/apparmor/include/policy.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index f919ebd042fd..87a9e6fd7908 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -465,7 +465,7 @@ static struct aa_label *find_attach(const struct linux_binprm *bprm, * xattrs, or a longer match */ candidate = profile; - candidate_len = profile->xmatch_len; + candidate_len = max(count, profile->xmatch_len); candidate_xattrs = ret; conflict = false; } diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h index b5b4b8190e65..b5aa4231af68 100644 --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h @@ -135,7 +135,7 @@ struct aa_profile {
const char *attach; struct aa_dfa *xmatch; - int xmatch_len; + unsigned int xmatch_len; enum audit_mode audit; long mode; u32 path_flags;