mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-30 13:58:22 +00:00

temp fix using the 2.8 patch until the 3.0 patch is ready to land

fix a nasty little bug that can surface in apparmor 2.8 when
Hats/children profiles are used.
  
the matchflags in the dfa backend are not getting properly reset, which
results in a previously processed profile's match flags being used. This is
not a problem for most permissions but can result in x conflict errors.
  
Note: this should not result in profiles with the wrong x transitions loaded
as it causes compilation to fail with an x conflict.
  
This is a minimal patch targeted at the 2.8 release. As such I have just
updated the delete_ruleset routine to clear the flags as it is already
being properly called for every rule set.

Apparmor 2.9/3.0 will have a different approach where it is not possible
to reuse the flags.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
John Johansen
2012-12-10 17:08:19 -08:00
parent 40d4e22249
commit 66717a2aec

@@ -58,6 +58,8 @@ extern "C" void aare_delete_ruleset(aare_ruleset_t *rules)
rules->root->release();
free(rules);
}
aare_reset_matchflags();
}
extern "C" int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
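
Review bot: the aare_reset_matchflags() call at the end of aare_delete_ruleset has no comment explaining why a delete routine clears state that is not tied to `rules` (the call takes no arguments), so a later cleanup could drop it as unrelated. Add a one-line comment above it naming the stale match flags and x conflict it prevents. The fix also holds only while every rule set is deleted before the next one is built; resetting at rule set creation as well would cover an error path that skips the delete.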