aboutsummaryrefslogtreecommitdiffstats
path: root/security/apparmor
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2010-08-27 21:33:29 -0400
committerJames Morris <jmorris@namei.org>2010-09-07 19:19:34 -0400
commit999b4f0aa2314b76857775334cb94bafa053db64 (patch)
tree0b2b9e6d54415d0d6f6ff59526c68108c09d1fd7 /security/apparmor
parent04ccd53f09741c4bc54ab36db000bc1383e4812e (diff)
AppArmor: Fix locking from removal of profile namespace
The locking for profile namespace removal is wrong, when removing a profile namespace, it needs to be removed from its parent's list. Lock the parent of namespace list instead of the namespace being removed. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/apparmor')
-rw-r--r--security/apparmor/policy.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 3cdc1ad0787e..52cc865f1464 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1151,12 +1151,14 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
1151 /* released below */ 1151 /* released below */
1152 ns = aa_get_namespace(root); 1152 ns = aa_get_namespace(root);
1153 1153
1154 write_lock(&ns->lock);
1155 if (!name) { 1154 if (!name) {
1156 /* remove namespace - can only happen if fqname[0] == ':' */ 1155 /* remove namespace - can only happen if fqname[0] == ':' */
1156 write_lock(&ns->parent->lock);
1157 __remove_namespace(ns); 1157 __remove_namespace(ns);
1158 write_unlock(&ns->parent->lock);
1158 } else { 1159 } else {
1159 /* remove profile */ 1160 /* remove profile */
1161 write_lock(&ns->lock);
1160 profile = aa_get_profile(__lookup_profile(&ns->base, name)); 1162 profile = aa_get_profile(__lookup_profile(&ns->base, name));
1161 if (!profile) { 1163 if (!profile) {
1162 error = -ENOENT; 1164 error = -ENOENT;
@@ -1165,8 +1167,8 @@ ssize_t aa_remove_profiles(char *fqname, size_t size)
1165 } 1167 }
1166 name = profile->base.hname; 1168 name = profile->base.hname;
1167 __remove_profile(profile); 1169 __remove_profile(profile);
1170 write_unlock(&ns->lock);
1168 } 1171 }
1169 write_unlock(&ns->lock);
1170 1172
1171 /* don't fail removal if audit fails */ 1173 /* don't fail removal if audit fails */
1172 (void) audit_policy(OP_PROF_RM, GFP_KERNEL, name, info, error); 1174 (void) audit_policy(OP_PROF_RM, GFP_KERNEL, name, info, error);