diff options
author | John Johansen | 2017-06-09 11:08:28 +0200 |
---|---|---|
committer | John Johansen | 2017-06-11 02:11:34 +0200 |
commit | cf797c0e5e312520b0b9f0367039fc0279a07a76 (patch) | |
tree | 68dc51534745fb230ec35e1d56bb158fb99b225b /security/apparmor/domain.c | |
parent | apparmor: move bprm_committing_creds/committed_creds to lsm.c (diff) | |
download | kernel-qcow2-linux-cf797c0e5e312520b0b9f0367039fc0279a07a76.tar.gz kernel-qcow2-linux-cf797c0e5e312520b0b9f0367039fc0279a07a76.tar.xz kernel-qcow2-linux-cf797c0e5e312520b0b9f0367039fc0279a07a76.zip |
apparmor: convert to profile block critical sections
There are still a few places where profile replacement fails to update
and a stale profile is used for mediation. Fix this by moving to
accessing the current label through a critical section that will
always ensure mediation is using the current label regardless of
whether the tasks cred has been updated or not.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/domain.c')
-rw-r--r-- | security/apparmor/domain.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 2b1524c79fb8..0c02eac33a45 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -594,7 +594,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest) /* released below */ cred = get_current_cred(); ctx = cred_ctx(cred); - profile = aa_get_newest_profile(aa_cred_profile(cred)); + profile = aa_get_newest_cred_profile(cred); previous_profile = aa_get_newest_profile(ctx->previous); if (unconfined(profile)) { @@ -737,7 +737,7 @@ int aa_change_profile(const char *fqname, bool onexec, } cred = get_current_cred(); - profile = aa_cred_profile(cred); + profile = aa_get_newest_cred_profile(cred); /* * Fail explicitly requested domain transitions if no_new_privs @@ -795,6 +795,7 @@ audit: fqname, GLOBAL_ROOT_UID, info, error); aa_put_profile(target); + aa_put_profile(profile); put_cred(cred); return error; |