apparmor: allocate xmatch for nullpdb inside aa_alloc_null

commit 17d0d04 upstream.

attach->xmatch was not set when allocating a null profile, which is used in
complain mode to allocate a learning profile. This was causing downstream
failures in find_attach, which expected a valid xmatch but did not find
one under a certain sequence of profile transitions in complain mode.

This patch ensures the xmatch is set up properly for null profiles.

Signed-off-by: Ryan Lee <[email protected]>
Signed-off-by: John Johansen <[email protected]>
Cc: Paul Kramme <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

Author: canonical-rlee287

security/apparmor/policy.c

@@ -626,6 +626,7 @@ struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
 
 	/* TODO: ideally we should inherit abi from parent */
 	profile->label.flags |= FLAG_NULL;
+	profile->attach.xmatch = aa_get_pdb(nullpdb);
 	rules = list_first_entry(&profile->rules, typeof(*rules), list);
 	rules->file = aa_get_pdb(nullpdb);
 	rules->policy = aa_get_pdb(nullpdb);