apparmor: fix aa_label to return state from compount and component match

aa-label_match is not correctly returning the state in all cases. The only reason this didn't cause a error is that all callers currently ignore the return value. Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202602020631.wXgZosyU-lkp@intel.com/ Fixes: a4c9efa4db ("apparmor: make label_match return a consistent value") Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-03-08 01:04:41 +01:00 · 2026-02-02 04:12:02 -08:00 · 2026-02-02 04:12:02 -08:00 · 9058798652
commit 9058798652
parent 102ada7ca3
1 changed files with 6 additions and 6 deletions
--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@ -1334,7 +1334,7 @@ fail:
 * @request: permissions to request
 * @perms: an initialized perms struct to add accumulation to
 *
- * Returns: 0 on success else ERROR
+ * Returns: the state the match finished in, may be the none matching state
 *
 * For the label A//&B//&C this does the perm match for each of A and B and C
 * @perms should be preinitialized with allperms OR a previous permission
@ -1362,7 +1362,7 @@ static int label_components_match(struct aa_profile *profile,
 	}

 	/* no subcomponents visible - no change in perms */
-	return 0;
+	return state;

 next:
 	tmp = *aa_lookup_perms(rules->policy, state);
@ -1378,13 +1378,13 @@ next:
 	}

 	if ((perms->allow & request) != request)
-		return -EACCES;
+		return DFA_NOMATCH;

-	return 0;
+	return state;

 fail:
 	*perms = nullperms;
-	return -EACCES;
+	return DFA_NOMATCH;
 }

 /**
@ -1406,7 +1406,7 @@ int aa_label_match(struct aa_profile *profile, struct aa_ruleset *rules,
 	aa_state_t tmp = label_compound_match(profile, rules, label, state,
 					      inview, request, perms);
 	if ((perms->allow & request) == request)
-		return 0;
+		return tmp;

 	/* failed compound_match try component matches */
 	*perms = allperms;