authorZygmunt Krynicki <me@zygoon.pl>2026-05-04 08:32:37 +0200
committerJohn Johansen <john.johansen@canonical.com>2026-06-13 20:14:08 -0700
commit45cf568241048e560a81aa2053f06a62069f5640 (patch)
treeeab90bf291c62f6d74cdae78b2a2d60facf7f98c /security
parentb7a2b49bba4e5994a476c49d662b796818079e5e (diff)
apparmor: fail policy unpack on accept2 allocation failure
unpack_pdb() may need to allocate a missing ACCEPT2 table for older policy data. If that allocation failed, it set an error message but jumped to the success path, returning a policydb with the required table missing. Return -ENOMEM through the normal failure path when the ACCEPT2 allocation fails. Remove the now-unused out label. Fixes: 2e12c5f06017 ("apparmor: add additional flags to extended permission.") Reviewed-by: Ryan Lee <ryan.lee@canonical.com> Signed-off-by: Zygmunt Krynicki <me@zygoon.pl> Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/policy_unpack.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 3643c058d6f8..d9dcff167c48 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -1054,7 +1054,8 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy,
pdb->dfa->tables[YYTD_ID_ACCEPT2] = kvzalloc(tsize, GFP_KERNEL);
if (!pdb->dfa->tables[YYTD_ID_ACCEPT2]) {
*info = "failed to alloc dfa flags table";
- goto out;
+ error = -ENOMEM;
+ goto fail;
}
pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_lolen = noents;
pdb->dfa->tables[YYTD_ID_ACCEPT2]->td_flags = tdflags;
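Review bot: The new `goto fail` hands a partially built `pdb` (with its dfa and any tables allocated so far) to a label that lies outside this hunk, so it cannot be confirmed here that the fail path releases the policydb rather than only returning `error`; if it does not, every ACCEPT2 allocation failure now leaks the object instead of handing back a broken one. Worth a quick look at the `fail:` cleanup when applying this, and a one-line comment above the `kvzalloc` would make the invariant explicit, e.g. `/* ACCEPT2 is required by the perm mapping below; a missing table must abort the unpack, not fall through to success. */`. The `tsize`/`noents` values feeding the allocation are computed before the hunk and are not reviewed here; unpack_pdb's body continues outside the hunk.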
@@ -1079,7 +1080,6 @@ static int unpack_pdb(struct aa_ext *e, struct aa_policydb **policy,
* - move free of unneeded trans table here, has to be done
* after perm mapping.
*/
-out:
*policy = pdb;
return 0;