--- /dev/null
+From 17d0d04f3c999e7784648bad70ce1766c3b49d69 Mon Sep 17 00:00:00 2001
+From: Ryan Lee <ryan.lee@canonical.com>
+Date: Wed, 21 Aug 2024 11:01:56 -0700
+Subject: apparmor: allocate xmatch for nullpdb inside aa_alloc_null
+
+From: Ryan Lee <ryan.lee@canonical.com>
+
+commit 17d0d04f3c999e7784648bad70ce1766c3b49d69 upstream.
+
+attach->xmatch was not set when allocating a null profile, which is used in
+complain mode to allocate a learning profile. This was causing downstream
+failures in find_attach, which expected a valid xmatch but did not find
+one under a certain sequence of profile transitions in complain mode.
+
+This patch ensures the xmatch is set up properly for null profiles.
+
+Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Cc: Paul Kramme <kramme@digitalmanufaktur.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/policy.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -626,6 +626,7 @@ struct aa_profile *aa_alloc_null(struct
+
+ /* TODO: ideally we should inherit abi from parent */
+ profile->label.flags |= FLAG_NULL;
++ profile->attach.xmatch = aa_get_pdb(nullpdb);
+ rules = list_first_entry(&profile->rules, typeof(*rules), list);
+ rules->file = aa_get_pdb(nullpdb);
+ rules->policy = aa_get_pdb(nullpdb);
projects / thirdparty / kernel / stable-queue.git / commitdiff
