apparmor: fix profile attachment for special unconfined profiles

It used to be that unconfined would never attach. However that is not the case anymore as some special profiles can be marked as unconfined, that are not the namespaces unconfined profile, and may have an attachment. Fixes: f1bd904 ("apparmor: add the base fns() for domain labels") Signed-off-by: John Johansen <[email protected]>
boxfire · Nov 21, 2017 · 06d426d · 06d426d
1 parent 844b829
commit 06d426d
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
@@ -325,8 +325,10 @@ static struct aa_profile *__attach_match(const char *name,
 	struct aa_profile *profile, *candidate = NULL;
 
 	list_for_each_entry_rcu(profile, head, base.list) {
-		if (profile->label.flags & FLAG_NULL)
+		if (profile->label.flags & FLAG_NULL &&
+		    &profile->label == ns_unconfined(profile->ns))
 			continue;
+
 		if (profile->xmatch) {
 			if (profile->xmatch_len == len) {
 				conflict = true;