From: Ryan Lee <ryan.lee@xxxxxxxxxxxxx> commit 17d0d04f3c999e7784648bad70ce1766c3b49d69 upstream. attach->xmatch was not set when allocating a null profile, which is used in complain mode to allocate a learning profile. This was causing downstream failures in find_attach, which expected a valid xmatch but did not find one under a certain sequence of profile transitions in complain mode. This patch ensures the xmatch is set up properly for null profiles. Signed-off-by: Ryan Lee <ryan.lee@xxxxxxxxxxxxx> Signed-off-by: John Johansen <john.johansen@xxxxxxxxxxxxx> Cc: Paul Kramme <kramme@xxxxxxxxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- security/apparmor/policy.c | 1 + 1 file changed, 1 insertion(+) --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -626,6 +626,7 @@ struct aa_profile *aa_alloc_null(struct /* TODO: ideally we should inherit abi from parent */ profile->label.flags |= FLAG_NULL; + profile->attach.xmatch = aa_get_pdb(nullpdb); rules = list_first_entry(&profile->rules, typeof(*rules), list); rules->file = aa_get_pdb(nullpdb); rules->policy = aa_get_pdb(nullpdb); Patches currently in stable-queue which might be from ryan.lee@xxxxxxxxxxxxx are queue-6.12/apparmor-allocate-xmatch-for-nullpdb-inside-aa_alloc_null.patch
