git.ipfire.org Git - thirdparty/linux.git/commitdiff
apparmor: fix unpack_tags to properly return error in failure cases
author John Johansen <john.johansen@canonical.com>
Tue, 14 Apr 2026 02:56:26 +0000 (19:56 -0700)
committer John Johansen <john.johansen@canonical.com>
Thu, 23 Apr 2026 03:02:46 +0000 (20:02 -0700)
error is initialized to -EPROTO but set by some of the internal
functions, unfortunately the last two checks assume error is set to
-EPROTO already for the failure case. Ensure it is by setting it
before these checks.

Fixes: 3d28e2397af7a ("apparmor: add support loading per permission tagging")
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/policy_unpack.c

index ff517bc7e2754f6ca22a409b85d36dc10e9fa6b0..dd445c25f8e9029fe11dd6b6847b1d63f6ac2344 100644 (file)
@@ -863,6 +863,7 @@ static int unpack_tags(struct aa_ext *e, struct aa_tags_struct *tags,
                        *info = "failed to unpack profile tag.sets";
                        goto fail;
                }
+               error = -EPROTO;
                if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
                        goto fail;
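
Review bot: the bare `goto fail` after `aa_unpack_nameX(e, AA_STRUCTEND, NULL)` relies on the new `error = -EPROTO;` line alone and, in the lines shown, sets no `*info` string, whereas the tag.sets failure just above it sets `*info` before jumping. Consider giving this path its own `*info` message so a rejected policy blob is distinguishable in the audit record, and add a one-line comment on the assignment saying that earlier helpers may have overwritten `error`, so a later refactor does not move or drop it. The commit message mentions the last two checks but only one is visible in this hunk; it is worth confirming that the second check also sits after the assignment with no intervening call that stores into `error`.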