apparmor: ensure unconfined profiles have dfas initialized

Generally unconfined has early bailout tests and does not need the
dfas initialized, however if an early bailout test is ever missed
it will result in an oops.

Be defensive and initialize the unconfined profile to have null dfas
(no permission) so if an early bailout test is missed we fail
closed (no perms granted) instead of oopsing.

Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 034ad2d248927722bdcd1aedb62634cdc2049113 linux-next)
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>

diff --git a/security/apparmor/policy_ns.c b/security/apparmor/policy_ns.c
index 351d3bab3a3d2565aa970fe7011453c8fb721ea4..62a3589c62ab624156c0c01eaa8cadd72276866a 100644 (file)
--- a/security/apparmor/policy_ns.c
+++ b/security/apparmor/policy_ns.c
@@ -112,6 +112,8 @@ static struct aa_ns *alloc_ns(const char *prefix, const char *name)
        ns->unconfined->label.flags |= FLAG_IX_ON_NAME_ERROR |
                FLAG_IMMUTIBLE | FLAG_NS_COUNT | FLAG_UNCONFINED;
        ns->unconfined->mode = APPARMOR_UNCONFINED;
+       ns->unconfined->file.dfa = aa_get_dfa(nulldfa);
+       ns->unconfined->policy.dfa = aa_get_dfa(nulldfa);
 
        /* ns and ns->unconfined share ns->unconfined refcount */
        ns->unconfined->ns = ns;