Commit 475bdda1 authored by John Johansen's avatar John Johansen

apparmor: root view labels should not be under user control

The root view of the label parse should not be exposed to user
control.
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
Acked-by: default avatarSeth Arnold <seth.arnold@canonical.com>
parent 71fa373b
...@@ -1871,8 +1871,9 @@ struct aa_label *aa_label_strn_parse(struct aa_label *base, const char *str, ...@@ -1871,8 +1871,9 @@ struct aa_label *aa_label_strn_parse(struct aa_label *base, const char *str,
AA_BUG(!str); AA_BUG(!str);
str = skipn_spaces(str, n); str = skipn_spaces(str, n);
if (str == NULL) if (str == NULL || (*str == '=' && base != &root_ns->unconfined->label))
return ERR_PTR(-EINVAL); return ERR_PTR(-EINVAL);
len = label_count_strn_entries(str, end - str); len = label_count_strn_entries(str, end - str);
if (*str == '&' || force_stack) { if (*str == '&' || force_stack) {
/* stack on top of base */ /* stack on top of base */
...@@ -1881,8 +1882,6 @@ struct aa_label *aa_label_strn_parse(struct aa_label *base, const char *str, ...@@ -1881,8 +1882,6 @@ struct aa_label *aa_label_strn_parse(struct aa_label *base, const char *str,
if (*str == '&') if (*str == '&')
str++; str++;
} }
if (*str == '=')
base = &root_ns->unconfined->label;
error = vec_setup(profile, vec, len, gfp); error = vec_setup(profile, vec, len, gfp);
if (error) if (error)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment