From 66717a2aec14535cb6cd6ac58ff68d3cc1faa860 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Mon, 10 Dec 2012 17:08:19 -0800 Subject: [PATCH] temp fix using the 2.8 patch until the 3.0 patch is ready to land fix a nasty little bug that can surface in apparmor 2.8 when Hats/children profiles are used. The matchflags in the dfa backend are not getting properly reset, which results in a previously processed profile's match flags being used. This is not a problem for most permissions but can result in x conflict errors. Note: this should not result in profiles with the wrong x transitions loaded as it causes compilation to fail with an x conflict. This is a minimal patch targeted at the 2.8 release. As such I have just updated the delete_ruleset routine to clear the flags as it is already being properly called for every rule set. Apparmor 2.9/3.0 will have a different approach where it is not possible to reuse the flags. Signed-off-by: John Johansen Acked-by: Steve Beattie --- parser/libapparmor_re/aare_rules.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc index 52aee8fc4..d40591da6 100644 --- a/parser/libapparmor_re/aare_rules.cc +++ b/parser/libapparmor_re/aare_rules.cc @@ -58,6 +58,8 @@ extern "C" void aare_delete_ruleset(aare_ruleset_t *rules) rules->root->release(); free(rules); } + + aare_reset_matchflags(); } extern "C" int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
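
Review bot: the added aare_reset_matchflags() call at the end of aare_delete_ruleset() carries no comment explaining why a teardown routine clears state that is not part of the rules argument, and it makes correctness depend on teardown order. The call sits outside the block that releases and frees rules and takes no argument, so the flags it clears are shared across rulesets; a caller that starts building a second ruleset before deleting the first, or that skips the delete on an error path, would still see the previous profile's match flags and hit the x conflict the commit message describes. Suggest a one-line comment above the call stating that the match flags are shared and must be cleared between profiles, and consider resetting them when a ruleset is created as well, so the invariant does not rely on every caller pairing create with delete. Since the commit message calls this a stopgap for 2.8, the comment could also say the call is expected to go away with the 2.9/3.0 approach.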