After further analysis, the root cause turned out to be the xmatch not being set up properly when allocating a null profile for learning in complain mode. Thus, I am withdrawing the above patch and instead attaching a new patch that does this setup in aa_alloc_null.
Ryan On Mon, Aug 19, 2024 at 1:05 PM Ryan Lee <ryan....@canonical.com> wrote: > > find_attach loops over profile entries and first checks for a DFA, falling > back onto a strcmp otherwise. However, the check if (attach->xmatch->dfa) > did not account for the possibility that (attach->xmatch) could be null. > This occured with a sequence of profile replacements that resulted in a > kernel BUG print due to the null pointer dereference. > > To avoid this issue, first check that (attach->xmatch) is not null. > > The one-line patch is attached to the email. > > Ryan
From 479da36bc5ff17138c989f86621ac92fe2d4021a Mon Sep 17 00:00:00 2001 From: Ryan Lee <ryan....@canonical.com> Date: Wed, 21 Aug 2024 11:01:56 -0700 Subject: [PATCH] apparmor: allocate xmatch for nullpdf inside aa_alloc_null attach->xmatch was not set when allocating a null profile, which is used in complain mode to allocate a learning profile. This was causing downstream failures in find_attach, which expected a valid xmatch but did not find one under a certain sequence of profile transitions in complain mode. This patch ensures the xmatch is set up properly for null profiles. --- security/apparmor/policy.c | 1 + 1 file changed, 1 insertion(+) diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c index f503dcd3ac74..638b0d6753ef 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -659,6 +659,7 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name, /* TODO: ideally we should inherit abi from parent */ profile->label.flags |= FLAG_NULL; + profile->attach.xmatch = aa_get_pdb(nullpdb); rules = list_first_entry(&profile->rules, typeof(*rules), list); rules->file = aa_get_pdb(nullpdb); rules->policy = aa_get_pdb(nullpdb); -- 2.43.0
