libapparmor: Fix fd leak when write to aafs/.access fails

In aa_query_label(), errors encountered during a write() to the AppArmor filesystem's .access file results in an unintentional file descriptor leak outside of aa_query_label(). Callers don't expect aa_query_label() to return with a newly opened file descriptor so they can't be expected to close the fd. This flaw was introduced in r2147, which has not yet been included in an official release. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <sbeattie@ubuntu.com>
2025-09-06 01:05:11 +00:00 · 2013-08-26 16:54:26 -07:00
parent a5213b572c
commit 2420c573d0
1 changed files with 1 additions and 0 deletions
--- a/libraries/libapparmor/src/kernel_interface.c
+++ b/libraries/libapparmor/src/kernel_interface.c
@@ -726,6 +726,7 @@ int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
 		 * errno set to ENOENT. It indicates that the subject label
 		 * could not be found by the kernel.
 		 */
+		(void)close(fd);
 		return -1;
 	}