[PATCH 03/14] UBUNTU: SAUCE: apparmor: Fix new to old label comparison for domain transitions
John Johansen
john.johansen at canonical.com
Tue Aug 23 09:05:43 UTC 2016
For the purposes of inherit we should be treating a profile/label transition
to its replacement as if the replacement is the profile/label.
So make the comparison based off of the label proxy, not the label itself.
BugLink: http://bugs.launchpad.net/bugs/1615880
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
security/apparmor/domain.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 0b1d361..536655c 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -517,7 +517,7 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
if (perms.allow & MAY_EXEC) {
/* exec permission determine how to transition */
new = x_to_label(profile, name, perms.xindex, &target, &info);
- if (new == &profile->label && info) {
+ if (new && new->proxy == profile->label.proxy && info) {
/* hack ix fallback - improve how this is detected */
goto audit;
} else if (!new) {
@@ -759,7 +759,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
bprm->unsafe |= AA_SECURE_X_NEEDED;
}
- if (label != new) {
+ if (label->proxy != new->proxy) {
/* when transitioning clear unsafe personality bits */
if (DEBUG_ON) {
dbg_printk("apparmor: clearing unsafe personality "
--
2.7.4
More information about the kernel-team
mailing list