[apparmor] [PATCH] apparmor: don't write to nullperms and allperms statics in aa_audit_file
Ryan Lee
ryan.lee at canonical.com
Tue Mar 4 01:34:50 UTC 2025
nullperms and allperms are supposed to be constants that don't change. As
we can't update nullperms and the pointer arg to be const due to
prompt-mode profile updates in aa_audit_file, this is the next best way
to prevent nullperms from being written to.
Signed-off-by: Ryan Lee <ryan.lee at canonical.com>
---
security/apparmor/file.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index a59ba26e54d6..a4cdd6cb9af3 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -227,7 +227,12 @@ int aa_audit_file(const struct cred *subj_cred,
}
implicit_deny = (ad.request & ~perms->allow) & ~perms->deny;
if (USER_MODE(profile))
- perms->prompt = ALL_PERMS_MASK;
+ /* Hacky workaround to avoid changing statics until the
+ * write to perms can be moved out of aa_audit_file
+ * and perms can be passed in as a const pointer
+ */
+ if (perms != &nullperms && perms != &allperms)
+ perms->prompt = ALL_PERMS_MASK;
if (ad.request & MAY_EXEC)
AA_DEBUG(DEBUG_UPCALL,
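Review bot: The outer `if (USER_MODE(profile))` is still unbraced, but its body is now a block comment followed by a nested `if` with its own statement, so it spans several lines and is easy to misread or break if an `else` or a second statement is added later. Either brace the outer body or fold the tests into one condition, for example `if (USER_MODE(profile) && perms != &nullperms && perms != &allperms)`. The guard is also an address comparison against exactly two objects, so any other shared or static perms structure passed in would still be written to. When the guard does match, the prompt mask is silently left unset in user mode. The comment should say that this skip is intended and what callers passing `&nullperms` or `&allperms` should expect. As a style point, the multi-line comment should open with `/*` on a line of its own.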
--
2.43.0
base-kernel: Ubuntu-hwe-6.11-6.11.0-17.17_24.04.2
target: Ubuntu-kernel