apparmor: Fix regression in profile conflict logic

The intended behaviour in apparmor profile matching is to flag a conflict if two profiles match equally well. However, right now a conflict is generated if another profile has the same match length even if that profile doesn't actually match. Fix the logic so we only generate a conflict if the profiles match. Fixes: 844b829 ("apparmor: ensure that undecidable profile attachments fail") Cc: Stable <[email protected]> Signed-off-by: Matthew Garrett <[email protected]> Signed-off-by: John Johansen <[email protected]>
boxfire · Jan 12, 2018 · 1a3881d · 1a3881d
1 parent 0dda0b3
commit 1a3881d
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
@@ -330,10 +330,7 @@ static struct aa_profile *__attach_match(const char *name,
 			continue;
 
 		if (profile->xmatch) {
-			if (profile->xmatch_len == len) {
-				conflict = true;
-				continue;
-			} else if (profile->xmatch_len > len) {
+			if (profile->xmatch_len >= len) {
 				unsigned int state;
 				u32 perm;
 
@@ -342,6 +339,10 @@ static struct aa_profile *__attach_match(const char *name,
 				perm = dfa_user_allow(profile->xmatch, state);
 				/* any accepting state means a valid match. */
 				if (perm & MAY_EXEC) {
+					if (profile->xmatch_len == len) {
+						conflict = true;
+						continue;
+					}
 					candidate = profile;
 					len = profile->xmatch_len;
 					conflict = false;