Received: by 2002:a05:6358:5282:b0:b5:90e7:25cb with SMTP id g2csp3513771rwa; Tue, 23 Aug 2022 06:05:53 -0700 (PDT) X-Google-Smtp-Source: AA6agR5Dft05qhAGH0k7FP8bLXBkkefjR90OEXkgU+yEoYJfDXe1ABAgqpj0GHZs01LEBQQlfZeb X-Received: by 2002:a17:902:7796:b0:172:c716:d3ac with SMTP id o22-20020a170902779600b00172c716d3acmr18043434pll.137.1661259953064; Tue, 23 Aug 2022 06:05:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661259953; cv=none; d=google.com; s=arc-20160816; b=F5Fe379ZhqU8v3KV03eJYwsfmyOxCMOn+AFozEDRpphIG+HVK9vIibASAV8lDqwr1C dCu2bKJ6mtPCQH/hGRTwQJUwC4mdHys5DVcnh9+vMijXssLO3kvYz8a/2xsde+TLdB65 ILcejUZhuVcFA22mjR1ZfzMiwBARRELTbstJnwV3PckU20gmvz7HWaMlMtCWwcz+3ghj l0L58jyb1V2RCMUfvQfBBaUO2WofRKirB07AOt/XNTHR8qggz3ExAgD/fIPW9k2GmnoG E86RSYWJ7KrbF6KBt9rLVH+tgUgqm+hfIzBE26w6/biYZBh73maFnztuhOTnnGEcB++m FS+Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=rBkjvFKwWyjyEjL8oK5Z7l0huOWGfPujFbsGXtjiMjE=; b=x9ssmhDptFjcRegYbQKqrAk6tUZGZkMyZWzo1bJImgBrqicgh5KarSe9z/RfjBzVZo hPToCPr5ZCflzxyJqhpAHtpuIhKcWlo5k6Kcl50q7gzayqdXqTzji3q7ylHbeuZP4sp/ ppE9bOgc5tWPOxQ4bOkGwTODQRr09cEUGmA40/gQ2lYImE6iAwgZWZe+JKA+53B3XVHx E57txLqQc3z1wIvP/6BTDx1Php5HjjddiAPNfkgkqlUZk/qrmqGYxfJ8nE/X2QqzebOj fi39t3AwRQuTGlYj+p94G5QUzUSGjbxq42RhSQlzPeBUMJp+3SE7tXaArJByvnz3Fs1Z 7tsw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=BYmBJBZW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f6-20020a635106000000b0041bc8882540si12780173pgb.370.2022.08.23.06.05.41; Tue, 23 Aug 2022 06:05:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=BYmBJBZW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1358830AbiHWLyq (ORCPT + 99 others); Tue, 23 Aug 2022 07:54:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52296 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1359035AbiHWLvg (ORCPT ); Tue, 23 Aug 2022 07:51:36 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 40FF8D3E68; Tue, 23 Aug 2022 02:32:17 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 243C1B81C96; Tue, 23 Aug 2022 09:32:15 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6AAEBC433C1; Tue, 23 Aug 2022 09:32:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1661247133; bh=xtzz9eBK+owALhajEDHehpsCM+hAxbsgv57CdLLHDE8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BYmBJBZWxjc3SwtinpjUbUmQmrEvFkV4uHM+MMhEQjapQZHtwITT5m9LU4TDGtcye uBPuTeDz/rBpwcM/9Vh98+JJVuPJ0DSVcAroCEJs0LBUIzYrhTHyrgIavsOAwU45qY 8EeOoKTGZAJhhfMGj7v7TWrZuOtNDDimtTdkQmXg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, John Johansen Subject: [PATCH 5.4 298/389] apparmor: fix overlapping attachment computation Date: Tue, 23 Aug 2022 10:26:16 +0200 Message-Id: <20220823080127.996462689@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220823080115.331990024@linuxfoundation.org> References: <20220823080115.331990024@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: John Johansen commit 2504db207146543736e877241f3b3de005cbe056 upstream. When finding the profile via patterned attachments, the longest left match is being set to the static compile time value and not using the runtime computed value. Fix this by setting the candidate value to the greater of the precomputed value or runtime computed value. Fixes: 21f606610502 ("apparmor: improve overlapping domain attachment resolution") Signed-off-by: John Johansen Signed-off-by: Greg Kroah-Hartman --- security/apparmor/domain.c | 2 +- security/apparmor/include/policy.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -460,7 +460,7 @@ restart: * xattrs, or a longer match */ candidate = profile; - candidate_len = profile->xmatch_len; + candidate_len = max(count, profile->xmatch_len); candidate_xattrs = ret; conflict = false; } --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h @@ -135,7 +135,7 @@ struct aa_profile { const char *attach; struct aa_dfa *xmatch; - int xmatch_len; + unsigned int xmatch_len; enum audit_mode audit; long mode; u32 path_flags;