Commit 2420c573 authored by Tyler Hicks's avatar Tyler Hicks

libapparmor: Fix fd leak when write to aafs/.access fails

In aa_query_label(), errors encountered during a write() to the AppArmor
filesystem's .access file results in an unintentional file descriptor
leak outside of aa_query_label(). Callers don't expect aa_query_label()
to return with a newly opened file descriptor so they can't be expected
to close the fd.

This flaw was introduced in r2147, which has not yet been included in an
official release.
Signed-off-by: Tyler Hicks's avatarTyler Hicks <>
Acked-by: default avatarJohn Johansen <>
Acked-by: default avatarSteve Beattie <>
parent a5213b57
......@@ -726,6 +726,7 @@ int aa_query_label(uint32_t mask, char *query, size_t size, int *allowed,
* errno set to ENOENT. It indicates that the subject label
* could not be found by the kernel.
return -1;
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment