nullperms and allperms are supposed to be constants that don't change. As we can't update nullperms and the pointer arg to be const due to prompt-mode profile updates in aa_audit_file, this is the next best way to prevent nullperms from being written to.
Signed-off-by: Ryan Lee <ryan....@canonical.com> --- security/apparmor/file.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/security/apparmor/file.c b/security/apparmor/file.c index a59ba26e54d6..a4cdd6cb9af3 100644 --- a/security/apparmor/file.c +++ b/security/apparmor/file.c @@ -227,7 +227,12 @@ int aa_audit_file(const struct cred *subj_cred, } implicit_deny = (ad.request & ~perms->allow) & ~perms->deny; if (USER_MODE(profile)) - perms->prompt = ALL_PERMS_MASK; + /* Hacky workaround to avoid changing statics until the + * write to perms can be moved out of aa_audit_file + * and perms can be passed in as a const pointer + */ + if (perms != &nullperms && perms != &allperms) + perms->prompt = ALL_PERMS_MASK; if (ad.request & MAY_EXEC) AA_DEBUG(DEBUG_UPCALL, -- 2.43.0 base-kernel: Ubuntu-hwe-6.11-6.11.0-17.17_24.04.2 target: Ubuntu-kernel
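Review bot: In the USER_MODE(profile) branch, when perms is &nullperms or &allperms the assignment perms->prompt = ALL_PERMS_MASK is now skipped silently. Neither the new comment nor the commit message says what prompt-mode handling should do for those two cases. Please state in the comment whether leaving prompt unset there is intended, or set the mask on a local copy so that user-mode behaviour stays the same without touching the statics. The address comparison also protects only these two objects, so any other shared perms passed in would still be written; moving the write out of aa_audit_file, as the comment already plans, is the real fix. Style: the outer if now has a block comment plus a nested if as its unbraced body. Either add braces or fold it into a single condition, if (USER_MODE(profile) && perms != &nullperms && perms != &allperms), with the comment placed above it. The block comment should also open with /* on a line of its own.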