apparmor: allocate xmatch for nullpdb inside aa_alloc_null

commit 17d0d04f3c999e7784648bad70ce1766c3b49d69 upstream. attach->xmatch was not set when allocating a null profile, which is used in complain mode to allocate a learning profile. This was causing downstream failures in find_attach, which expected a valid xmatch but did not find one under a certain sequence of profile transitions in complain mode. This patch ensures the xmatch is set up properly for null profiles. Signed-off-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Cc: Paul Kramme <kramme@digitalmanufaktur.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Ryan Lee <ryan.lee@canonical.com> 2024-08-21 11:01:56 -0700
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-01-23 17:23:05 +0100
commit: 4c3f731b253b3454a0fd3d20351c823dd1dea933 (patch)
tree: 4208e26ff14b3b7d830ebe98665641b2cc450a36
parent: 35c2f2a46ae58cca1b91fb22c924c4a693bd0f30 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 14df15e35695..105706abf281 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -626,6 +626,7 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
 
 	/* TODO: ideally we should inherit abi from parent */
 	profile->label.flags |= FLAG_NULL;
+	profile->attach.xmatch = aa_get_pdb(nullpdb);
 	rules = list_first_entry(&profile->rules, typeof(*rules), list);
 	rules->file = aa_get_pdb(nullpdb);
 	rules->policy = aa_get_pdb(nullpdb);
author	Ryan Lee <ryan.lee@canonical.com>	2024-08-21 11:01:56 -0700
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2025-01-23 17:23:05 +0100
commit	4c3f731b253b3454a0fd3d20351c823dd1dea933 (patch)
tree	4208e26ff14b3b7d830ebe98665641b2cc450a36
parent	35c2f2a46ae58cca1b91fb22c924c4a693bd0f30 (diff)