authorJohn Johansen <john.johansen@canonical.com>2022-09-05 23:53:29 -0700
committerJohn Johansen <john.johansen@canonical.com>2022-10-03 14:49:04 -0700
commit0bece4fa97a2bd397da66d4fced78f76eb214a3e (patch)
tree7a5e0d42965a373f3e7e5e058e94d99d079e00f0 /security/apparmor/lib.c
parent670f31774ab6bf8e2d756f27444b035b9be8a0c9 (diff)
apparmor: make sure perm indexes are accumulated
accumulate permission indexes on a first encountered basis. This favors original rulesets so that new ones can not override without profile replacement. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/lib.c')
-rw-r--r--security/apparmor/lib.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index b0fcec893274..d6a8c361025b 100644
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -348,6 +348,13 @@ void aa_perms_accum_raw(struct aa_perms *accum, struct aa_perms *addend)
accum->hide &= addend->hide & ~addend->allow;
accum->prompt |= addend->prompt & ~addend->allow & ~addend->deny;
accum->subtree |= addend->subtree & ~addend->deny;
+
+ if (!accum->xindex)
+ accum->xindex = addend->xindex;
+ if (!accum->tag)
+ accum->tag = addend->tag;
+ if (!accum->label)
+ accum->label = addend->label;
}
/**
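Review bot: The first-encountered selection of xindex, tag and label at lines 26–31 treats 0 as "not yet set" for all three fields, but the hunk does not state that and nothing guards it; if any of these fields can legitimately carry the value 0 (the hunk does not show their encoding), a rule that set it would be silently overridden by a later addend, which is the opposite of what the commit intends. A comment such as `/* xindex/tag/label: 0 means unset, keep the first one encountered */` above the new block would make the assumption explicit, and the kernel-doc for both functions should mention that these fields are not combined bitwise like the permission masks but taken from the first addend that provides them. The same six lines are duplicated verbatim in aa_perms_accum at lines 39–44; a small static helper taking `accum` and `addend` called from both functions would keep the two in step if the rule changes. Both function bodies start outside their hunks.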
@@ -367,6 +374,13 @@ void aa_perms_accum(struct aa_perms *accum, struct aa_perms *addend)
accum->hide &= addend->hide & ~accum->allow;
accum->prompt |= addend->prompt & ~accum->allow & ~accum->deny;
accum->subtree &= addend->subtree & ~accum->deny;
+
+ if (!accum->xindex)
+ accum->xindex = addend->xindex;
+ if (!accum->tag)
+ accum->tag = addend->tag;
+ if (!accum->label)
+ accum->label = addend->label;
}
void aa_profile_match_label(struct aa_profile *profile, struct aa_label *label,