Loading security/apparmor/context.c +6 −11 Original line number Original line Diff line number Diff line Loading @@ -105,16 +105,12 @@ int aa_replace_current_profile(struct aa_profile *profile) return -ENOMEM; return -ENOMEM; cxt = new->security; cxt = new->security; if (unconfined(profile) || (cxt->profile->ns != profile->ns)) { if (unconfined(profile) || (cxt->profile->ns != profile->ns)) /* if switching to unconfined or a different profile namespace /* if switching to unconfined or a different profile namespace * clear out context state * clear out context state */ */ aa_put_profile(cxt->previous); aa_clear_task_cxt_trans(cxt); aa_put_profile(cxt->onexec); cxt->previous = NULL; cxt->onexec = NULL; cxt->token = 0; } /* be careful switching cxt->profile, when racing replacement it /* be careful switching cxt->profile, when racing replacement it * is possible that cxt->profile->replacedby is the reference keeping * is possible that cxt->profile->replacedby is the reference keeping * @profile valid, so make sure to get its reference before dropping * @profile valid, so make sure to get its reference before dropping Loading Loading @@ -222,11 +218,10 @@ int aa_restore_previous_profile(u64 token) aa_get_profile(cxt->profile); aa_get_profile(cxt->profile); aa_put_profile(cxt->previous); aa_put_profile(cxt->previous); } } /* clear exec && prev information when restoring to previous context */ /* ref has been transfered so avoid putting ref in clear_task_cxt */ cxt->previous = NULL; cxt->previous = NULL; cxt->token = 0; /* clear exec && prev information when restoring to previous context */ aa_put_profile(cxt->onexec); aa_clear_task_cxt_trans(cxt); cxt->onexec = NULL; commit_creds(new); commit_creds(new); return 0; return 0; Loading security/apparmor/domain.c +1 −5 Original line number Original line Diff line number Diff line Loading 
@@ -512,11 +512,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) cxt->profile = new_profile; cxt->profile = new_profile; /* clear out all temporary/transitional state from the context */ /* clear out all temporary/transitional state from the context */ aa_put_profile(cxt->previous); aa_clear_task_cxt_trans(cxt); aa_put_profile(cxt->onexec); cxt->previous = NULL; cxt->onexec = NULL; cxt->token = 0; audit: audit: error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC, error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC, Loading security/apparmor/include/context.h +13 −0 Original line number Original line Diff line number Diff line Loading @@ -160,4 +160,17 @@ static inline struct aa_profile *aa_current_profile(void) return profile; return profile; } } /** * aa_clear_task_cxt_trans - clear transition tracking info from the cxt * @cxt: task context to clear (NOT NULL) */ static inline void aa_clear_task_cxt_trans(struct aa_task_cxt *cxt) { aa_put_profile(cxt->previous); aa_put_profile(cxt->onexec); cxt->previous = NULL; cxt->onexec = NULL; cxt->token = 0; } #endif /* __AA_CONTEXT_H */ #endif /* __AA_CONTEXT_H */ Loading
security/apparmor/context.c +6 −11 Original line number Original line Diff line number Diff line Loading @@ -105,16 +105,12 @@ int aa_replace_current_profile(struct aa_profile *profile) return -ENOMEM; return -ENOMEM; cxt = new->security; cxt = new->security; if (unconfined(profile) || (cxt->profile->ns != profile->ns)) { if (unconfined(profile) || (cxt->profile->ns != profile->ns)) /* if switching to unconfined or a different profile namespace /* if switching to unconfined or a different profile namespace * clear out context state * clear out context state */ */ aa_put_profile(cxt->previous); aa_clear_task_cxt_trans(cxt); aa_put_profile(cxt->onexec); cxt->previous = NULL; cxt->onexec = NULL; cxt->token = 0; } /* be careful switching cxt->profile, when racing replacement it /* be careful switching cxt->profile, when racing replacement it * is possible that cxt->profile->replacedby is the reference keeping * is possible that cxt->profile->replacedby is the reference keeping * @profile valid, so make sure to get its reference before dropping * @profile valid, so make sure to get its reference before dropping Loading Loading @@ -222,11 +218,10 @@ int aa_restore_previous_profile(u64 token) aa_get_profile(cxt->profile); aa_get_profile(cxt->profile); aa_put_profile(cxt->previous); aa_put_profile(cxt->previous); } } /* clear exec && prev information when restoring to previous context */ /* ref has been transfered so avoid putting ref in clear_task_cxt */ cxt->previous = NULL; cxt->previous = NULL; cxt->token = 0; /* clear exec && prev information when restoring to previous context */ aa_put_profile(cxt->onexec); aa_clear_task_cxt_trans(cxt); cxt->onexec = NULL; commit_creds(new); commit_creds(new); return 0; return 0; Loading
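Review bot: In the aa_restore_previous_profile hunk, the order of `cxt->previous = NULL;` and `aa_clear_task_cxt_trans(cxt);` is load-bearing, and the new comment does not say so clearly. The helper calls `aa_put_profile(cxt->previous)`, so if the assignment is ever moved below the call or dropped, the reference the comment describes as already transferred would be put a second time, risking a premature free of the profile. The comment also misspells "transferred" and names `clear_task_cxt` instead of the helper actually called; I would write `/* ref has been transferred: clear ->previous before aa_clear_task_cxt_trans() so it is not put again */`. The function begins above the hunk, so where the reference ends up is not visible here. In the first hunk, dropping the braces leaves a three-line comment between the `if` and its only statement; keeping the braces would make a later addition to that branch harder to get wrong.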
security/apparmor/domain.c +1 −5 Original line number Original line Diff line number Diff line Loading @@ -512,11 +512,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) cxt->profile = new_profile; cxt->profile = new_profile; /* clear out all temporary/transitional state from the context */ /* clear out all temporary/transitional state from the context */ aa_put_profile(cxt->previous); aa_clear_task_cxt_trans(cxt); aa_put_profile(cxt->onexec); cxt->previous = NULL; cxt->onexec = NULL; cxt->token = 0; audit: audit: error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC, error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC, Loading
security/apparmor/include/context.h +13 −0 Original line number Original line Diff line number Diff line Loading @@ -160,4 +160,17 @@ static inline struct aa_profile *aa_current_profile(void) return profile; return profile; } } /** * aa_clear_task_cxt_trans - clear transition tracking info from the cxt * @cxt: task context to clear (NOT NULL) */ static inline void aa_clear_task_cxt_trans(struct aa_task_cxt *cxt) { aa_put_profile(cxt->previous); aa_put_profile(cxt->onexec); cxt->previous = NULL; cxt->onexec = NULL; cxt->token = 0; } #endif /* __AA_CONTEXT_H */ #endif /* __AA_CONTEXT_H */
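Review bot: The kernel-doc for aa_clear_task_cxt_trans() says only that it clears transition tracking info, but the body also drops the references held in `cxt->previous` and `cxt->onexec`, and that ownership effect is what callers most need to know. I would add a line such as `* Puts the references held in @cxt->previous and @cxt->onexec; a caller that has handed one of them on must NULL the field first.` The helper is also reached with a field already NULL (aa_restore_previous_profile sets `cxt->previous = NULL` just before calling it), so it depends on aa_put_profile() accepting NULL. That definition is not on this page, so it is worth confirming and stating in the comment as well.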