| Field | Value | Date |
|---|---|---|
| author | Zygmunt Krynicki <me@zygoon.pl> | 2026-05-04 08:32:37 +0200 |
| committer | John Johansen <john.johansen@canonical.com> | 2026-06-13 20:14:08 -0700 |
| commit | 45cf568241048e560a81aa2053f06a62069f5640 (patch) | |
| tree | eab90bf291c62f6d74cdae78b2a2d60facf7f98c /security | |
| parent | b7a2b49bba4e5994a476c49d662b796818079e5e (diff) | |
| download | linux-next-45cf568241048e560a81aa2053f06a62069f5640.tar.gz, linux-next-45cf568241048e560a81aa2053f06a62069f5640.zip | |
apparmor: fail policy unpack on accept2 allocation failure
unpack_pdb() may need to allocate a missing ACCEPT2 table for older policy
data. If that allocation failed, it set an error message but jumped to the
success path, returning a policydb with the required table missing.
Return -ENOMEM through the normal failure path when the ACCEPT2 allocation
fails. Remove the now-unused out label.
Fixes: 2e12c5f06017 ("apparmor: add additional flags to extended permission.")
Reviewed-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | security/apparmor/policy_unpack.c | 4 |

1 files changed, 2 insertions, 2 deletions
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c index 3643c058d6f8..d9dcff167c48 100644 --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -1054,7 +1054,8 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy, pdb->dfa->tables[YYTD_ID_ACCEPT2] = kvzalloc(tsize, GFP_KERNEL); if (!pdb->dfa->tables[YYTD_ID_ACCEPT2]) { *info = "failed to alloc dfa flags table"; - goto out; + error = -ENOMEM; + goto fail; } pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_lolen = noents; pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_flags = tdflags; @@ -1079,7 +1080,6 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy, * - move free of unneeded trans table here, has to be done * after perm mapping. */ -out: *policy = pdb; return 0; |
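Review bot: in the first hunk, the real defect is that `goto out` landed on the success path (`out:` is followed by `*policy = pdb; return 0;`), so an ACCEPT2 allocation failure handed the caller a policydb whose `tables[YYTD_ID_ACCEPT2]` was NULL while `*info` simultaneously recorded a failure; the `td_lolen`/`td_flags` writes were only skipped because the jump bypassed them, and any later consumer of that table would have hit a NULL pointer instead of a clean load error. Setting `error = -ENOMEM` and taking `goto fail` is the right shape, matching how other failures in `unpack_pdb()` are reported. Please confirm that the `fail` path releases the partially constructed `pdb`, including the DFA tables allocated before this point, so the new early exit does not leak, and given the Fixes: tag consider adding a Cc: stable so the corrected error path is picked up by stable trees.

Review bot: in the second hunk, dropping the `out:` label is only correct if the `goto out` replaced in the first hunk was its sole user; if any other `goto out` remains in `unpack_pdb()` the build fails with an undefined label, and that jump would likewise need to become an error return rather than a silent success. The comment block above the removed label ("move free of unneeded trans table here, has to be done after perm mapping") now sits directly above `*policy = pdb; return 0;`, which still reads as the intended success path.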
