apparmor: fix aa_label to return state from compount and component match
authorJohn Johansen <john.johansen@canonical.com>
Mon, 2 Feb 2026 12:12:02 +0000 (04:12 -0800)
committerJohn Johansen <john.johansen@canonical.com>
Mon, 2 Feb 2026 12:16:26 +0000 (04:16 -0800)
aa_label_match is not correctly returning the state in all cases.
The only reason this didn't cause an error is that all callers currently
ignore the return value.

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202602020631.wXgZosyU-lkp@intel.com/
Fixes: a4c9efa4dbad6 ("apparmor: make label_match return a consistent value")
Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/label.c

index 0852fa95081e6f27a6ae1014e362ef735a1d8e44..03a92a52acf9dc34278deb7b986c3df5b1de097b 100644 (file)
@@ -1334,7 +1334,7 @@ fail:
  * @request: permissions to request
  * @perms: an initialized perms struct to add accumulation to
  *
- * Returns: 0 on success else ERROR
+ * Returns: the state the match finished in, may be the none matching state
  *
  * For the label A//&B//&C this does the perm match for each of A and B and C
  * @perms should be preinitialized with allperms OR a previous permission
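Review bot: The new Returns line does not name the value a caller gets on denial, and "none matching" reads as a typo for "non-matching". Both failure paths later in this function return `DFA_NOMATCH`, so the kernel-doc could say so directly: ` * Returns: the state the match finished in, or DFA_NOMATCH if @request is not allowed`. The comment block begins before this hunk and the function body follows it, so the rest of the kernel-doc is not visible here.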
@@ -1362,7 +1362,7 @@ static int label_components_match(struct aa_profile *profile,
        }
 
        /* no subcomponents visible - no change in perms */
-       return 0;
+       return state;
 
 next:
        tmp = *aa_lookup_perms(rules->policy, state);
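Review bot: `label_components_match` is still declared `static int` (visible in the hunk header), although `return state;` now hands back a DFA state rather than an errno. Judging by the `aa_state_t tmp` declaration in the last hunk, the state type is presumably `aa_state_t`, so the signature should become `static aa_state_t label_components_match(...)`. The same mismatch applies to the returns in the hunk at -1378 and to `int aa_label_match(...)` in the hunk at -1406, whose prototype lives outside this diff. Keeping `int` invites callers to treat the result as an error code.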
@@ -1378,13 +1378,13 @@ next:
        }
 
        if ((perms->allow & request) != request)
-               return -EACCES;
+               return DFA_NOMATCH;
 
-       return 0;
+       return state;
 
 fail:
        *perms = nullperms;
-       return -EACCES;
+       return DFA_NOMATCH;
 }
 
 /**
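Review bot: The meaning of a zero return is inverted by these lines: both denial paths now return `DFA_NOMATCH` where they returned `-EACCES`, and the success path returns `state` where it returned 0. If `DFA_NOMATCH` is 0, as I believe it is in apparmor's match header, a caller written in the old style (`error = ...; if (error)`) would read a denial as success. The commit message says every current caller ignores the value, but nothing in the visible code enforces that. A short comment at the `fail:` label would make the contract explicit, for example `/* DFA_NOMATCH is a state, not an errno: decide access from @perms */`. It would also be worth checking any out-of-tree or pending callers before this lands.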
@@ -1406,7 +1406,7 @@ int aa_label_match(struct aa_profile *profile, struct aa_ruleset *rules,
        aa_state_t tmp = label_compound_match(profile, rules, label, state,
                                              inview, request, perms);
        if ((perms->allow & request) == request)
-               return 0;
+               return tmp;
 
        /* failed compound_match try component matches */
        *perms = allperms;