From 40dbd78758ea71142fef6ed88d8e80fdb3070f67 Mon Sep 17 00:00:00 2001
From: Ryan Lee <ryan.lee@canonical.com>
Date: Thu, 7 Nov 2024 17:38:25 -0800
Subject: [PATCH] UBUNTU: SAUCE: apparmor4.0.0 [94/99]: apparmor: allocate
 xmatch for nullpdf inside aa_alloc_null

BugLink: https://bugs.launchpad.net/bugs/2086210

attach->xmatch was not set when allocating a null profile, which is used in
complain mode to allocate a learning profile. This was causing downstream
failures in find_attach, which expected a valid xmatch but did not find
one under a certain sequence of profile transitions in complain mode.

This patch ensures the xmatch is set up properly for null profiles.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>
(cherry picked from commit 2de989ae726b14b6236fdb848563d607e12287b8 oracular:linux)
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Guoqing Jiang <guoqing.jiang@canonical.com>
Signed-off-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
---
 security/apparmor/policy.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index fe635cecf97f..7ec8c3e065e5 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -659,6 +659,7 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
 
 	/* TODO: ideally we should inherit abi from parent */
 	profile->label.flags |= FLAG_NULL;
+	profile->attach.xmatch = aa_get_pdb(nullpdb);
 	rules = list_first_entry(&profile->rules, typeof(*rules), list);
 	rules->file = aa_get_pdb(nullpdb);
 	rules->policy = aa_get_pdb(nullpdb);