git.ipfire.org Git - thirdparty/kernel/linux.git/commit
apparmor: mitigate parser generating large xtables
author    John Johansen <john.johansen@canonical.com>
          Sat, 24 May 2025 04:04:51 +0000 (21:04 -0700)
committer John Johansen <john.johansen@canonical.com>
          Wed, 16 Jul 2025 05:39:07 +0000 (22:39 -0700)
commit    aff426f35966e6e77ecfe065984344a7d834eaa9
tree      612b60bd88d3772a2a78f03d61c518dd946db98a
parent    b1f87be7280ff48794f0fe55c9ca6df9d87d62c5
apparmor: mitigate parser generating large xtables

Some versions of the parser are generating an xtable transition per
state in the state machine, even when the state machine isn't using
the transition table.

The parser bug is triggered by
commit 2e12c5f06017 ("apparmor: add additional flags to extended permission.")

In addition to fixing this in userspace, mitigate this in the kernel
as part of the policy verification checks by detecting this situation
and adjusting to what is actually used or, if it is not used at all,
freeing it, so we are not wasting unneeded memory on policy.

Fixes: 2e12c5f06017 ("apparmor: add additional flags to extended permission.")
Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/include/lib.h
security/apparmor/lib.c
security/apparmor/policy_unpack.c
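A simplified, stand-alone model of the verification step the commit message describes, added here as an example and not code from the kernel or from this commit. `struct xtable_model`, `NO_X` and the per-state `xindex` array are assumed stand-ins for the real policy structures; the point shown is the check itself: find the highest xtable entry any state references, reject out-of-range indices, shrink to what is used, and free the table when nothing uses it.

```c
/* Standalone model (not kernel code): trim an xtable to what states reference, or free it. */
#include <stdint.h>
#include <stdlib.h>
#define NO_X (-1)   /* model: this state carries no transition-table index */
struct xtable_model {
    char **table;   /* transition targets, indexed by a state's xindex */
    size_t size;    /* allocated entries, possibly far more than are used */
};
/* Highest referenced index + 1, 0 if unused, SIZE_MAX if an index is out of
 * range (such a policy must fail verification rather than be trimmed). */
size_t xtable_used(const int *xindex, size_t nstates, size_t xsize)
{
    size_t used = 0;
    for (size_t i = 0; i < nstates; i++) {
        if (xindex[i] == NO_X)
            continue;
        if ((size_t)xindex[i] >= xsize)
            return SIZE_MAX;
        used = (size_t)xindex[i] + 1 > used ? (size_t)xindex[i] + 1 : used;
    }
    return used;
}
/* Trim to what is used, freeing the table outright when nothing uses it.
 * Returns the new size, or -1 when verification failed. */
long xtable_trim(struct xtable_model *xt, const int *xindex, size_t nstates)
{
    size_t used = xtable_used(xindex, nstates, xt->size);
    if (used == SIZE_MAX)
        return -1;
    for (size_t i = used; i < xt->size; i++)
        free(xt->table[i]);            /* entries no state points at */
    if (used == 0) {
        free(xt->table);
        xt->table = NULL;
    }
    xt->size = used;
    return (long)used;
}
/* Constructed scenario: an oversized table of xsize placeholder entries trimmed
 * against per-state indices. Returns the trimmed size, -1 on a bad index, or
 * -2 if an unused table survived. Releases everything before returning. */
long trim_demo(const int *xindex, size_t nstates, size_t xsize)
{
    struct xtable_model xt = { calloc(xsize, sizeof(char *)), xsize };
    for (size_t i = 0; i < xsize; i++)
        xt.table[i] = malloc(1);
    long n = xtable_trim(&xt, xindex, nstates);
    if (n == 0 && xt.table) n = -2;
    xtable_trim(&xt, xindex, 0);       /* no states: frees whatever is left */
    return n;
}
```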