From 4eaafeb72be65caaee2a742f5bb2e9bfa279405f Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Fri, 17 Nov 2017 18:04:37 -0800
Subject: [PATCH] apparmor: fix profile attachment for special unconfined profiles
References: bsc#1071035
Git-commit: 06d426d113fe0b3107939e81db920ca7b097e97c
Patch-mainline: v4.15-rc1

It used to be that unconfined would never attach. However, that is not
the case anymore, as some special profiles can be marked as unconfined
that are not the namespace's unconfined profile, and may have an
attachment.

Fixes: f1bd904175e8 ("apparmor: add the base fns() for domain labels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
---
 security/apparmor/domain.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -325,8 +325,10 @@ static struct aa_profile *__attach_match
 	struct aa_profile *profile, *candidate = NULL;
 
 	list_for_each_entry_rcu(profile, head, base.list) {
-		if (profile->label.flags & FLAG_NULL)
+		if (profile->label.flags & FLAG_NULL &&
+		    &profile->label == ns_unconfined(profile->ns))
 			continue;
+
 		if (profile->xmatch) {
 			if (profile->xmatch_len == len) {
 				conflict = true;
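Review bot: the new condition in the `list_for_each_entry_rcu()` loop relies on `&` binding tighter than `&&`; that is correct C, but the kernel's usual style is to parenthesize the flag test so the intent is obvious and the line does not invite a later misreading, e.g. `if ((profile->label.flags & FLAG_NULL) && &profile->label == ns_unconfined(profile->ns))`. The semantics are otherwise what the commit message describes: only the namespace's own unconfined profile is skipped now, so a special profile carrying FLAG_NULL falls through to the `xmatch` comparison below and can attach. Since that is the behaviour change, the added blank line after `continue;` is harmless but unrelated whitespace that would normally be dropped from a fix this small.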