Diffstat (limited to 'security/apparmor')
-rw-r--r--security/apparmor/domain.c10
-rw-r--r--security/apparmor/policy_unpack.c1
2 files changed, 7 insertions, 4 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 0df17fb236c7..45a8887021f1 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -328,7 +328,7 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
size = vfs_getxattr_alloc(&init_user_ns, d, profile->xattrs[i],
&value, value_size, GFP_KERNEL);
if (size >= 0) {
- u32 perm;
+ u32 index, perm;
/*
* Check the xattr presence before value. This ensure
@@ -340,7 +340,8 @@ static int aa_xattrs_match(const struct linux_binprm *bprm,
/* Check xattr value */
state = aa_dfa_match_len(profile->xmatch.dfa, state,
value, size);
- perm = profile->xmatch.perms[state].allow;
+ index = ACCEPT_TABLE(profile->xmatch.dfa)[state];
+ perm = profile->xmatch.perms[index].allow;
if (!(perm & MAY_EXEC)) {
ret = -EINVAL;
goto out;
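Review bot: `index` is read from `ACCEPT_TABLE(profile->xmatch.dfa)[state]` and used directly as a subscript into `profile->xmatch.perms` with no range check visible in this hunk; the same pattern is added in the `restart:` hunk further down. Before this change the subscript was the DFA state itself, so the bound now depends on the contents of the accept table, which is presumably derived from loaded policy data. If nothing in the unpack path already guarantees that every accept entry is smaller than the number of `perms` entries, a malformed policy could cause an out-of-bounds read at `perms[index]`. That guarantee is best enforced once at unpack time and recorded here with a comment such as `/* accept index is validated against the perms table size at unpack */`. The body of aa_xattrs_match starts and ends outside the hunk.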
@@ -416,12 +417,13 @@ restart:
*/
if (profile->xmatch.dfa) {
unsigned int state, count;
- u32 perm;
+ u32 index, perm;
state = aa_dfa_leftmatch(profile->xmatch.dfa,
profile->xmatch.start[AA_CLASS_XMATCH],
name, &count);
- perm = profile->xmatch.perms[state].allow;
+ index = ACCEPT_TABLE(profile->xmatch.dfa)[state];
+ perm = profile->xmatch.perms[index].allow;
/* any accepting state means a valid match. */
if (perm & MAY_EXEC) {
int ret = 0;
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 4cf62c1be388..4cdc96988783 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -930,6 +930,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
info = "failed to convert xmatch permission table";
goto fail;
}
+ remap_dfa_accept(profile->xmatch.dfa, 1);
}
/* disconnected attachment string is optional */
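Review bot: The literal `1` passed to `remap_dfa_accept()` is unexplained at the call site, although the new `ACCEPT_TABLE(...)[state]` lookups in domain.c appear to rely on what this call leaves in the accept table. A short comment would make the contract visible, for example `/* xmatch perms are indexed through the accept table; remap with factor 1 */`, with the wording confirmed against the definition of remap_dfa_accept, which is not shown here. The call sits after the "failed to convert xmatch permission table" failure branch, so it looks intended to run only once the perms table exists; stating that ordering requirement in the comment would protect it from later reshuffling. The body of unpack_profile starts and ends outside the hunk.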