author: John Johansen <john.johansen@canonical.com> 2017-11-18 04:42:42 +0300
committer: John Johansen <john.johansen@canonical.com> 2017-11-21 13:17:14 +0300
commit: 844b8292b6311ecd30ae63db1471edb26e01d895
tree: 9c0993f64ff7eeaf3144a5063a4fb562c36c2f48 /security/apparmor/include/secid.h
parent: 4633307e5ed6128975595df43f796a10c41d11c1
apparmor: ensure that undecidable profile attachments fail

Profiles that have an undecidable overlap in their attachments are being incorrectly handled. Instead of failing to attach, the first one encountered is being used.

eg.
  profile A /** { .. }
  profile B /*foo { .. }

have an unresolvable longest left attachment, they both have an exact match on / and then have an overlapping expression that has no clear winner.

Currently the winner will be the profile that is loaded first which can result in non-deterministic behavior. Instead in this situation the exec should fail.

Fixes: 898127c34ec0 ("AppArmor: functions for domain transitions")
Signed-off-by: John Johansen <john.johansen@canonical.com>

Diffstat (limited to 'security/apparmor/include/secid.h')
0 files changed, 0 insertions, 0 deletions
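
The tie rule described in the commit message, as a simplified model added here for illustration (it is not the kernel's code, which matches attachments with a DFA). Assumptions: the length of the literal prefix before the first wildcard stands in for the "longest left" match, and glob_match, left_len, attach_match, the ATTACH_* codes and the SAMPLE_* arrays are hypothetical names with constructed values.

```c
#include <stdio.h>
#include <string.h>

#define ATTACH_NONE     (-1)  /* no profile attachment matches the path */
#define ATTACH_CONFLICT (-2)  /* undecidable overlap: the exec must fail */

/* Simplified glob: '*' stays inside one path component, '**' crosses '/'. */
static int glob_match(const char *pat, const char *s)
{
    if (*pat == '\0')
        return *s == '\0';
    if (*pat == '*') {
        int deep = (pat[1] == '*');
        const char *rest = pat + (deep ? 2 : 1);
        for (;; s++) {
            if (glob_match(rest, s))
                return 1;
            if (*s == '\0' || (!deep && *s == '/'))
                return 0;
        }
    }
    return *pat == *s && glob_match(pat + 1, s + 1);
}

/* Stand-in for the longest-left count: literal characters before a wildcard. */
static size_t left_len(const char *pat) { return strcspn(pat, "*"); }

/* Returns the index of the winning attachment, ATTACH_NONE or ATTACH_CONFLICT. */
int attach_match(const char *const pats[], int n, const char *path)
{
    int winner = ATTACH_NONE;
    size_t best = 0;
    for (int i = 0; i < n; i++) {
        if (!glob_match(pats[i], path))
            continue;
        size_t len = left_len(pats[i]);
        if (winner == ATTACH_NONE || len > best) {
            winner = i;                /* strictly longer left match wins */
            best = len;
        } else if (len == best) {
            winner = ATTACH_CONFLICT;  /* tie: no clear winner, do not pick by load order */
        }
    }
    return winner;
}

/* Constructed samples: profiles A and B from the commit message, in both load orders. */
static const char *const SAMPLE_AB[] = { "/**", "/*foo" };
static const char *const SAMPLE_BA[] = { "/*foo", "/**" };
static const char *const SAMPLE_NESTED[] = { "/**", "/usr/**" };

int main(void) { printf("%d\n", attach_match(SAMPLE_AB, 2, "/xfoo")); return 0; }
```

With the pre-fix behaviour the result for "/xfoo" would be whichever profile was loaded first; in this model both load orders give the same failure.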