From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 21 Jan 2025 11:35:33 +0000 (+0100)
Subject: 6.12-stable patches
X-Git-Tag: v5.15.177~29
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=007bb7b7b175d2e97cea64ea548146941a1bdefb;p=thirdparty%2Fkernel%2Fstable-queue.git

6.12-stable patches

added patches:
	apparmor-allocate-xmatch-for-nullpdb-inside-aa_alloc_null.patch
---

diff --git a/queue-6.12/apparmor-allocate-xmatch-for-nullpdb-inside-aa_alloc_null.patch b/queue-6.12/apparmor-allocate-xmatch-for-nullpdb-inside-aa_alloc_null.patch
new file mode 100644
index 0000000000..562e2ebe25
--- /dev/null
+++ b/queue-6.12/apparmor-allocate-xmatch-for-nullpdb-inside-aa_alloc_null.patch
@@ -0,0 +1,34 @@
+From 17d0d04f3c999e7784648bad70ce1766c3b49d69 Mon Sep 17 00:00:00 2001
+From: Ryan Lee <ryan.lee@canonical.com>
+Date: Wed, 21 Aug 2024 11:01:56 -0700
+Subject: apparmor: allocate xmatch for nullpdb inside aa_alloc_null
+
+From: Ryan Lee <ryan.lee@canonical.com>
+
+commit 17d0d04f3c999e7784648bad70ce1766c3b49d69 upstream.
+
+attach->xmatch was not set when allocating a null profile, which is used in
+complain mode to allocate a learning profile. This was causing downstream
+failures in find_attach, which expected a valid xmatch but did not find
+one under a certain sequence of profile transitions in complain mode.
+
+This patch ensures the xmatch is set up properly for null profiles.
+
+Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Cc: Paul Kramme <kramme@digitalmanufaktur.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/apparmor/policy.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -626,6 +626,7 @@ struct aa_profile *aa_alloc_null(struct
+ 
+ 	/* TODO: ideally we should inherit abi from parent */
+ 	profile->label.flags |= FLAG_NULL;
++	profile->attach.xmatch = aa_get_pdb(nullpdb);
+ 	rules = list_first_entry(&profile->rules, typeof(*rules), list);
+ 	rules->file = aa_get_pdb(nullpdb);
+ 	rules->policy = aa_get_pdb(nullpdb);
diff --git a/queue-6.12/series b/queue-6.12/series
index 7fd7341558..7215bc5b61 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -119,3 +119,4 @@ drm-amd-display-disable-replay-and-psr-while-vrr-is-enabled.patch
 drm-amd-display-do-not-wait-for-psr-disable-on-vbl-enable.patch
 revert-drm-amd-display-enable-urgent-latency-adjustments-for-dcn35.patch
 drm-amd-display-validate-mdoe-under-mst-lct-1-case-as-well.patch
+apparmor-allocate-xmatch-for-nullpdb-inside-aa_alloc_null.patch