apparmor: fix: accept2 being specifie even when permission table is presnt

The transition to the perms32 permission table dropped the need for the accept2 table as permissions. However accept2 can be used for flags and may be present even when the perms32 table is present. So instead of checking on version, check whether the table is present. Fixes: 2e12c5f06017 ("apparmor: add additional flags to extended permission.") Signed-off-by: John Johansen <john.johansen@canonical.com>
author: John Johansen <john.johansen@canonical.com> 2025-05-22 13:54:05 -0700
committer: John Johansen <john.johansen@canonical.com> 2025-07-20 02:31:13 -0700
commit: 4d9d1a08b796efd54f1e29b42bd95879109fe448 (patch)
tree: c5932a04c5d4dd9d3730378e891cf31331b2ed25
parent: 9afdc6abb007d5a86f54e9f10870ac1468155ca5 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 553e52df3aa9..7523971e37d9 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -775,7 +775,8 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy,
 		}
 	}
 
-	if (pdb->perms && version <= 2) {
+	/* accept2 is in some cases being allocated, even with perms */
+	if (pdb->perms && !pdb->dfa->tables[YYTD_ID_ACCEPT2]) {
 		/* add dfa flags table missing in v2 */
 		u32 noents = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_lolen;
 		u16 tdflags = pdb->dfa->tables[YYTD_ID_ACCEPT]->td_flags;
author	John Johansen <john.johansen@canonical.com>	2025-05-22 13:54:05 -0700
committer	John Johansen <john.johansen@canonical.com>	2025-07-20 02:31:13 -0700
commit	4d9d1a08b796efd54f1e29b42bd95879109fe448 (patch)
tree	c5932a04c5d4dd9d3730378e891cf31331b2ed25
parent	9afdc6abb007d5a86f54e9f10870ac1468155ca5 (diff)