From 5b2be1da84d2daaffe126417764c4306e891f6fb Mon Sep 17 00:00:00 2001 From: John Johansen Date: Thu, 3 Apr 2025 19:39:23 +0000 Subject: [PATCH] Merge libapparmor: fix feature matching for aa_feature_supports The feature matching done in aa_feature_supports calls walk_one to traverse the features string. This function is supposed to match on the feature and return, but it matches the feature based on the length of the feature to check. If the feature to check is shorter, then it would return as if the feature was not present - which was the case for the following example: feature_file contains (shortened for example purposes): ``` network_v9 {af_unix {yes } } network_v8 {af_inet {yes } } network {af_unix {yes } } ``` if the feature to be checked was simply "network", then walk_one would return that the feature was not present. Fix this by restarting the matching if there was not a full match at the end of the feature to check. Fixes: https://bugs.launchpad.net/apparmor/+bug/2105986 Signed-off-by: Georgia Garcia MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1608 Approved-by: Ryan Lee Merged-by: John Johansen (cherry picked from commit 69355d41f784e227a37c25abd024472c72f320f9) Signed-off-by: Georgia Garcia --- libraries/libapparmor/src/features.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libraries/libapparmor/src/features.c b/libraries/libapparmor/src/features.c index 7926750fa..71444e207 100644 --- a/libraries/libapparmor/src/features.c +++ b/libraries/libapparmor/src/features.c @@ -375,6 +375,10 @@ static bool walk_one(const char **str, const struct component *component, i = 0; cur++; + + /* Partial match, continue to search */ + if (i == component->len && !isbrace_space_or_nul(*cur)) + i = 0; } /* Return false if a full match was not found */
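Review bot: The added condition `if (i == component->len && !isbrace_space_or_nul(*cur))` only tests the character after the matched run (`*cur` following `cur++`), so the trailing boundary is now enforced but nothing in this hunk checks the character before the match began. If walk_one does not reject that case elsewhere, a component could still match as the suffix of a longer name at the same level; consider recording whether the match started at a token boundary and resetting `i` when it did not. The diffstat also shows only features.c changed, so the `network` versus `network_v9`/`network_v8` case from the commit message has no regression test here; adding one for aa_feature_supports with that feature string would pin the fix. A smaller point: the comment says "Partial match", but at that point all `component->len` characters matched and the name simply continues, so wording such as "matched a prefix of a longer name, restart" would describe it better.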