AppArmor: fix regression by setting default to mediate deleted files

OriginalAuthor: John Johansen <john.johansen@canonical.com>
OriginalLocation: git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparm$
commit: 8d3ffc7c845dc1277b39572016fbf3265702f4d4
BugLink: http://bugs.launchpad.net/bugs/562056

The default behavior for AppArmor used to be to mediate deleted files.
This can now be controlled on a per profile basis but the field is
not defaulting to the correct value when path_flags is not specified.

This is causing regressions in profiles expecting deleted files to
be mediated by path instead of delegated.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Andy Whitcroft <andy.whitcroft@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>

1 files changed, 5 insertions, 2 deletions

diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index a475d7cc8c2..0a15f416d17 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -507,8 +507,11 @@ static struct aa_profile *unpack_profile(struct aa_ext *e,
 		goto fail;
 
 	/* path_flags is optional */
-	unpack_u32(e, &profile->path_flags, "path_flags");
-	profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED;
+	if (unpack_u32(e, &profile->path_flags, "path_flags"))
+		profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED;
+	else
+		/* default to */
+		profile->path_flags = PFLAG_MEDIATE_DELETED;
 
 	/* mmap_min_addr is optional */
 	if (unpack_u64(e, &tmp64, "mmap_min_addr")) {