[apparmor] [PATCH 16/16] apparmor: clear the full task context when setting onexec.

Thu Apr 21 06:52:58 UTC 2016

This prevents a bug where a hat could be used to set onexec and then
return to parent with it set.

If in a hat when onexec is set then return to parent will be prevented.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 security/apparmor/context.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/context.c b/security/apparmor/context.c
index 3064c6c..a3d836e 100644
--- a/security/apparmor/context.c
+++ b/security/apparmor/context.c
@@ -138,7 +138,7 @@ int aa_set_current_onexec(struct aa_profile *profile)
 
 	cxt = cred_cxt(new);
 	aa_get_profile(profile);
-	aa_put_profile(cxt->onexec);
+	aa_clear_task_cxt_trans(cxt);
 	cxt->onexec = profile;
 
 	commit_creds(new);
-- 
2.7.4


