    apparmor: ensure that undecidable profile attachments fail · 844b8292
    John Johansen authored
    Profiles that have an undecidable overlap in their attachments are
    being incorrectly handled. Instead of failing to attach, the first one
    encountered is being used.
      profile A /** { .. }
      profile B /*foo { .. }
    have an unresolvable longest left attachment, they both have an exact
    match on / and then have an overlapping expression that has no clear
    Currently the winner will be the profile that is loaded first which
    can result in non-deterministic behavior. Instead in this situation
    the exec should fail.
    Fixes: 898127c3 ("AppArmor: functions for domain transitions")
    Signed-off-by: John Johansen <john.johansen@canonical.com>
domain.c 34.3 KB
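The tie described in the commit message, as an added example: a simplified user-space model, not the kernel's domain.c code. The names `glob_match`, `find_attach` and `fail_on_tie`, the reduced glob syntax (only `*` and `**`), and scoring an attachment by its literal prefix before the first `*` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

struct profile { const char *name, *attach; };
enum { ATTACH_NONE = -1, ATTACH_CONFLICT = -2 };

/* Simplified glob: '*' stays inside one path component, '**' also crosses '/'. */
static int glob_match(const char *p, const char *s)
{
    if (*p != '*')
        return *p ? (*p == *s && glob_match(p + 1, s + 1)) : !*s;
    int deep = (p[1] == '*');
    for (p += deep ? 2 : 1;; s++) {
        if (glob_match(p, s))
            return 1;
        if (!*s || (!deep && *s == '/'))
            return 0;
    }
}

/* Return the index of the matching profile with the longest literal prefix.
 * fail_on_tie = 0 models "first loaded wins"; fail_on_tie = 1 models
 * refusing the exec when the longest match is shared by several profiles. */
static int find_attach(const struct profile *ps, int n, const char *path, int fail_on_tie)
{
    int pick = ATTACH_NONE, tie = 0;
    size_t best = 0;
    for (int i = 0; i < n; i++) {
        size_t len = strcspn(ps[i].attach, "*");
        if (!glob_match(ps[i].attach, path))
            continue;
        if (pick < 0 || len > best) {
            pick = i; best = len; tie = 0;
        } else if (len == best) {
            tie = 1;
        }
    }
    return (tie && fail_on_tie) ? ATTACH_CONFLICT : pick;
}

/* Constructed sample: the two attachments quoted in the commit message. */
static const struct profile sample[] = { { "A", "/**" }, { "B", "/*foo" } };

int main(void)
{
    int r = find_attach(sample, 2, "/xfoo", 1);
    printf("/xfoo -> %s\n", r >= 0 ? sample[r].name : "conflict, exec fails");
    return 0;
}
```

With `fail_on_tie` set to 0 the same call returns index 0 (profile A) only because A comes first in the table, which is the load-order dependence the commit message describes.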