[PATCH 04/14] UBUNTU: SAUCE: apparmor: Fix label build for onexec stacking.
John Johansen
john.johansen at canonical.com
Tue Aug 23 09:05:44 UTC 2016
The label build for onexec when crossing a namespace boundry is not
quite correct. The label needs to be built per profile and not based
on the whole label because the onexec transition only applies to
profiles within the ns. Where merging against the label could include
profile that are transitioned via the profile_transition callback
and should not be in the final label.
BugLink: http://bugs.launchpad.net/bugs/1615881
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
security/apparmor/domain.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 536655c..b71bfde 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -644,7 +644,8 @@ static struct aa_label *handle_onexec(struct aa_label *label,
if (error)
return ERR_PTR(error);
new = fn_label_build_in_ns(label, profile, GFP_ATOMIC,
- aa_label_merge(label, onexec,
+ aa_label_merge(&profile->label,
+ onexec,
GFP_ATOMIC),
profile_transition(profile, xname,
cond, unsafe));
--
2.7.4
More information about the kernel-team
mailing list