Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 683c5e85 authored Mar 28, 2012 by Linus Torvalds

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull an Apparmor bugfix from James Morris.

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  apparmor: Fix change_onexec when called from a confined task

parents f0f3680e 0421ea91

security/apparmor/domain.c

+2 −1

Original line number	Original line	Diff line number	Diff line
	@@ -410,7 +410,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
	* exec\0change_profile		* exec\0change_profile
	*/		*/
	state = aa_dfa_null_transition(profile->file.dfa, state);		state = aa_dfa_null_transition(profile->file.dfa, state);
	cp = change_profile_perms(profile, cxt->onexec->ns, name,		cp = change_profile_perms(profile, cxt->onexec->ns,
			cxt->onexec->base.name,
	AA_MAY_ONEXEC, state);		AA_MAY_ONEXEC, state);

	if (!(cp.allow & AA_MAY_ONEXEC))		if (!(cp.allow & AA_MAY_ONEXEC))

security/apparmor/file.c

+2 −0

Original line number	Original line	Diff line number	Diff line
	@@ -215,6 +215,8 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
	/* change_profile wasn't determined by ownership in old mapping */		/* change_profile wasn't determined by ownership in old mapping */
	if (ACCEPT_TABLE(dfa)[state] & 0x80000000)		if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
	perms.allow \|= AA_MAY_CHANGE_PROFILE;		perms.allow \|= AA_MAY_CHANGE_PROFILE;
			if (ACCEPT_TABLE(dfa)[state] & 0x40000000)
			perms.allow \|= AA_MAY_ONEXEC;

	return perms;		return perms;
	}		}