apparmor: fix policy_compat permission remap with extended permissions
authorJohn Johansen <john.johansen@canonical.com>
Fri, 10 Mar 2023 23:59:45 +0000 (15:59 -0800)
committerJohn Johansen <john.johansen@canonical.com>
Thu, 6 Jul 2023 17:58:49 +0000 (10:58 -0700)
If the extended permission table is present, we should not attempt a
compat_permission remap, because the compat_permissions are not
stored in the dfa accept states.

Fixes: fd1b2b95a211 ("apparmor: add the ability for policy to specify a permission table")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Jon Tourville <jontourville@me.com>
security/apparmor/policy_unpack.c

index 22137fe..a357c7b 100644 (file)
@@ -849,10 +849,12 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
                }
                profile->attach.xmatch_len = tmp;
                profile->attach.xmatch.start[AA_CLASS_XMATCH] = DFA_START;
-               error = aa_compat_map_xmatch(&profile->attach.xmatch);
-               if (error) {
-                       info = "failed to convert xmatch permission table";
-                       goto fail;
+               if (!profile->attach.xmatch.perms) {
+                       error = aa_compat_map_xmatch(&profile->attach.xmatch);
+                       if (error) {
+                               info = "failed to convert xmatch permission table";
+                               goto fail;
+                       }
                }
        }
 
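Review bot: The reason for gating the remap on a NULL `perms` pointer lives only in the commit message; the new `if (!profile->attach.xmatch.perms)` deserves a one-line comment such as `/* a policy-supplied permission table supersedes the accept-state encoding; only legacy dfas need the compat remap */`, and the same applies to the `rules->policy.perms` and `rules->file.perms` guards in the two hunks that follow. The guard presumably relies on `perms` being NULL whenever no extended table was unpacked, which depends on the rules/attach structures being zeroed before this point — that is outside the hunks and worth confirming. If, as the message implies, a non-NULL `perms` means accept states are consumed as table indices rather than packed permissions, the range check of those indices against the table must happen on the unpack/verify path instead of here; nothing in these hunks shows it, so a short pointer to where that validation is done would help the next reader. The enclosing function unpack_profile begins and ends outside all three hunks.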
@@ -972,10 +974,13 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
                                      AA_CLASS_FILE);
                if (!aa_unpack_nameX(e, AA_STRUCTEND, NULL))
                        goto fail;
-               error = aa_compat_map_policy(&rules->policy, e->version);
-               if (error) {
-                       info = "failed to remap policydb permission table";
-                       goto fail;
+               if (!rules->policy.perms) {
+                       error = aa_compat_map_policy(&rules->policy,
+                                                    e->version);
+                       if (error) {
+                               info = "failed to remap policydb permission table";
+                               goto fail;
+                       }
                }
        } else
                rules->policy.dfa = aa_get_dfa(nulldfa);
@@ -985,10 +990,12 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
        if (error) {
                goto fail;
        } else if (rules->file.dfa) {
-               error = aa_compat_map_file(&rules->file);
-               if (error) {
-                       info = "failed to remap file permission table";
-                       goto fail;
+               if (!rules->file.perms) {
+                       error = aa_compat_map_file(&rules->file);
+                       if (error) {
+                               info = "failed to remap file permission table";
+                               goto fail;
+                       }
                }
        } else if (rules->policy.dfa &&
                   rules->policy.start[AA_CLASS_FILE]) {