apparmor: Fix regression in profile conflict logic
author Matthew Garrett <mjg59@google.com>
Thu, 11 Jan 2018 21:07:54 +0000 (13:07 -0800)
committer John Johansen <john.johansen@canonical.com>
Fri, 12 Jan 2018 23:56:50 +0000 (15:56 -0800)
commit 1a3881d305592d947ed47887306919d50112394d
tree 8d7c0129e2feae1259325aa7ff33ccb821d93aa2
parent 0dda0b3fb255048a221f736c8a2a24c674da8bf3
apparmor: Fix regression in profile conflict logic

The intended behaviour in apparmor profile matching is to flag a
conflict if two profiles match equally well. However, right now a
conflict is generated if another profile has the same match length even
if that profile doesn't actually match. Fix the logic so we only
generate a conflict if the profiles match.

Fixes: 844b8292b631 ("apparmor: ensure that undecidable profile attachments fail")
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/domain.c
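
A simplified user-space model of the ordering problem the commit message describes, added here as an illustration and not taken from the kernel source. The literal-prefix matcher, the struct, and all function and profile names are assumptions standing in for the kernel's DFA-based attachment matching.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NO_MATCH (-1)
#define CONFLICT (-2)

/* Constructed model: an attachment pattern is a literal path prefix and its
 * match length is the prefix length (the kernel evaluates a DFA instead). */
struct profile { const char *name; const char *prefix; };

static int matches(const struct profile *p, const char *path)
{
    return strncmp(path, p->prefix, strlen(p->prefix)) == 0;
}

/* Regressed order: equal length alone raises a conflict, match not checked. */
int pick_regressed(const struct profile *ps, size_t n, const char *path)
{
    int best = NO_MATCH, conflict = 0;
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        size_t plen = strlen(ps[i].prefix);
        if (best != NO_MATCH && plen == len) { conflict = 1; continue; }
        if (plen > len && matches(&ps[i], path)) {
            best = (int)i; len = plen; conflict = 0;
        }
    }
    return conflict ? CONFLICT : best;
}

/* Fixed order: a profile must match before it can conflict or win. */
int pick_fixed(const struct profile *ps, size_t n, const char *path)
{
    int best = NO_MATCH, conflict = 0;
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        size_t plen = strlen(ps[i].prefix);
        if (plen < len || !matches(&ps[i], path)) continue;
        if (best != NO_MATCH && plen == len) { conflict = 1; continue; }
        best = (int)i; len = plen; conflict = 0;
    }
    return conflict ? CONFLICT : best;
}

/* Constructed sample profiles: equal lengths, with and without a real tie. */
const struct profile same_len[] = {{"firefox", "/usr/bin/firefox"}, {"thunder", "/usr/bin/thunder"}};
const struct profile both_match[] = {{"a", "/usr/bin/firefox"}, {"b", "/usr/bin/firefox"}};
int main(void) { printf("%d %d\n", pick_regressed(same_len, 2, "/usr/bin/firefox"), pick_fixed(same_len, 2, "/usr/bin/firefox")); return 0; }
```

In this model the regressed ordering refuses attachment for `/usr/bin/firefox` because an unrelated profile happens to have the same pattern length, while the fixed ordering still reports a conflict when two profiles of equal length both match.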