apparmor: use common fn to clear task_context for domain transitions

Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <sbeattie@ubuntu.com>
author: John Johansen <john.johansen@canonical.com> 2013-02-18 19:05:34 -0500
committer: John Johansen <john.johansen@canonical.com> 2013-04-28 03:36:20 -0400
commit: 7a2871b566f34d980556072943295efd107eb53c (patch)
tree: 7f991bd472872e62780ba9119d8e3a3784008dfc /security/apparmor
parent: 0ca554b9fca425eb58325a36290deef698cef34b (diff)
3 files changed, 20 insertions, 16 deletions
diff --git a/security/apparmor/context.c b/security/apparmor/context.c
index 611e6ce70b03..3f911afa2bb9 100644
--- a/security/apparmor/context.c
+++ b/security/apparmor/context.c
@@ -105,16 +105,12 @@ int aa_replace_current_profile(struct aa_profile *profile)
                return -ENOMEM;
        cxt = new->security;
-        if (unconfined(profile) || (cxt->profile->ns != profile->ns)) {
+        if (unconfined(profile) || (cxt->profile->ns != profile->ns))
                /* if switching to unconfined or a different profile namespace
                 * clear out context state
                 */
-                aa_put_profile(cxt->previous);
+                aa_clear_task_cxt_trans(cxt);
-                aa_put_profile(cxt->onexec);
-                cxt->previous = NULL;
-                cxt->onexec = NULL;
-                cxt->token = 0;
-        }
        /* be careful switching cxt->profile, when racing replacement it
         * is possible that cxt->profile->replacedby is the reference keeping
         * @profile valid, so make sure to get its reference before dropping
@@ -222,11 +218,10 @@ int aa_restore_previous_profile(u64 token)
                aa_get_profile(cxt->profile);
                aa_put_profile(cxt->previous);
        }
-        /* clear exec && prev information when restoring to previous context */
+        /* ref has been transfered so avoid putting ref in clear_task_cxt */
        cxt->previous = NULL;
-        cxt->token = 0;
+        /* clear exec && prev information when restoring to previous context */
-        aa_put_profile(cxt->onexec);
+        aa_clear_task_cxt_trans(cxt);
-        cxt->onexec = NULL;
        commit_creds(new);
        return 0;
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index fb47d5b71ea6..07fcb09b990f 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -512,11 +512,7 @@ x_clear:
        cxt->profile = new_profile;
        /* clear out all temporary/transitional state from the context */
-        aa_put_profile(cxt->previous);
+        aa_clear_task_cxt_trans(cxt);
-        aa_put_profile(cxt->onexec);
-        cxt->previous = NULL;
-        cxt->onexec = NULL;
-        cxt->token = 0;
 audit:
        error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC,
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index 1e9443a58877..4cecad313227 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -160,4 +160,17 @@ static inline struct aa_profile *aa_current_profile(void)
        return profile;
 }
+/**
+ * aa_clear_task_cxt_trans - clear transition tracking info from the cxt
+ * @cxt: task context to clear (NOT NULL)
+ */
+static inline void aa_clear_task_cxt_trans(struct aa_task_cxt *cxt)
+{
+        aa_put_profile(cxt->previous);
+        aa_put_profile(cxt->onexec);
+        cxt->previous = NULL;
+        cxt->onexec = NULL;
+        cxt->token = 0;
+}
 #endif /* __AA_CONTEXT_H */
author	John Johansen <john.johansen@canonical.com>	2013-02-18 19:05:34 -0500
committer	John Johansen <john.johansen@canonical.com>	2013-04-28 03:36:20 -0400
commit	7a2871b566f34d980556072943295efd107eb53c (patch)
tree	7f991bd472872e62780ba9119d8e3a3784008dfc /security/apparmor
parent	0ca554b9fca425eb58325a36290deef698cef34b (diff)

diff --git a/security/apparmor/context.c b/security/apparmor/context.c index 611e6ce70b03..3f911afa2bb9 100644 --- a/security/apparmor/context.c +++ b/security/apparmor/context.c
@@ -105,16 +105,12 @@ int aa_replace_current_profile(struct aa_profile *profile)
105	return -ENOMEM;	105	return -ENOMEM;
106		106
107	cxt = new->security;	107	cxt = new->security;
108	if (unconfined(profile) \|\| (cxt->profile->ns != profile->ns)) {	108	if (unconfined(profile) \|\| (cxt->profile->ns != profile->ns))
109	/* if switching to unconfined or a different profile namespace	109	/* if switching to unconfined or a different profile namespace
110	* clear out context state	110	* clear out context state
111	*/	111	*/
112	aa_put_profile(cxt->previous);	112	aa_clear_task_cxt_trans(cxt);
113	aa_put_profile(cxt->onexec);	113
114	cxt->previous = NULL;
115	cxt->onexec = NULL;
116	cxt->token = 0;
117	}
118	/* be careful switching cxt->profile, when racing replacement it	114	/* be careful switching cxt->profile, when racing replacement it
119	* is possible that cxt->profile->replacedby is the reference keeping	115	* is possible that cxt->profile->replacedby is the reference keeping
120	* @profile valid, so make sure to get its reference before dropping	116	* @profile valid, so make sure to get its reference before dropping
@@ -222,11 +218,10 @@ int aa_restore_previous_profile(u64 token)
222	aa_get_profile(cxt->profile);	218	aa_get_profile(cxt->profile);
223	aa_put_profile(cxt->previous);	219	aa_put_profile(cxt->previous);
224	}	220	}
225	/* clear exec && prev information when restoring to previous context */	221	/* ref has been transfered so avoid putting ref in clear_task_cxt */
226	cxt->previous = NULL;	222	cxt->previous = NULL;
227	cxt->token = 0;	223	/* clear exec && prev information when restoring to previous context */
228	aa_put_profile(cxt->onexec);	224	aa_clear_task_cxt_trans(cxt);
229	cxt->onexec = NULL;
230		225
231	commit_creds(new);	226	commit_creds(new);
232	return 0;	227	return 0;


diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index fb47d5b71ea6..07fcb09b990f 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c
@@ -512,11 +512,7 @@ x_clear:
512	cxt->profile = new_profile;	512	cxt->profile = new_profile;
513		513
514	/* clear out all temporary/transitional state from the context */	514	/* clear out all temporary/transitional state from the context */
515	aa_put_profile(cxt->previous);	515	aa_clear_task_cxt_trans(cxt);
516	aa_put_profile(cxt->onexec);
517	cxt->previous = NULL;
518	cxt->onexec = NULL;
519	cxt->token = 0;
520		516
521	audit:	517	audit:
522	error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC,	518	error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC,


diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h index 1e9443a58877..4cecad313227 100644 --- a/security/apparmor/include/context.h +++ b/security/apparmor/include/context.h
@@ -160,4 +160,17 @@ static inline struct aa_profile *aa_current_profile(void)
160	return profile;	160	return profile;
161	}	161	}
162		162
		163	/**
		164	* aa_clear_task_cxt_trans - clear transition tracking info from the cxt
		165	* @cxt: task context to clear (NOT NULL)
		166	*/
		167	static inline void aa_clear_task_cxt_trans(struct aa_task_cxt *cxt)
		168	{
		169	aa_put_profile(cxt->previous);
		170	aa_put_profile(cxt->onexec);
		171	cxt->previous = NULL;
		172	cxt->onexec = NULL;
		173	cxt->token = 0;
		174	}
		175
163	#endif /* __AA_CONTEXT_H */	176	#endif /* __AA_CONTEXT_H */