From: Massimiliano Pellizzer
Date: Tue, 20 Jan 2026 14:24:05 +0000 (+0100)
Subject: apparmor: return error on namespace mismatch in verify_header
X-Git-Tag: v7.1-rc1~32^2~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8813837aa7f5f5a262a5ebc1a1a2a3a5ec818c70;p=thirdparty%2Fkernel%2Flinux.git

apparmor: return error on namespace mismatch in verify_header

When profiles in a multi-profile load specify different namespaces, the audit record is generated but execution continues, causing the function to return success. This violates the load requirement that all profiles must target the same namespace.

Add the missing return statement after auditing the error.

Reported-by: Qualys Security Advisory
Fixes: dd51c8485763 ("apparmor: provide base for multiple profiles to be replaced at once")
Signed-off-by: Massimiliano Pellizzer
Signed-off-by: John Johansen
---
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index 1769417a9962..ff517bc7e275 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -1440,6 +1440,7 @@ static int verify_header(struct aa_ext *e, int required, const char **ns) if (*ns && strcmp(*ns, name)) { audit_iface(NULL, NULL, NULL, "invalid ns change", e, error); + return error; } else if (!*ns) { *ns = kstrdup(name, GFP_KERNEL); if (!*ns)
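Review bot: the added `return error;` in the `*ns && strcmp(*ns, name)` branch of verify_header() only rejects the load if `error` holds a non-zero errno at that point, and the hunk shows neither its declaration nor its last assignment. Please confirm (or state in the commit message) which value reaches the caller here, since a zero would leave the mismatch audited but still reported as success. As a style point, now that this branch always returns, the following `} else if (!*ns) {` can become a plain `if (!*ns) {`, which makes it clearer that the kstrdup() path is the only one that continues.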