diff options
author | Kees Cook <keescook@chromium.org> | 2014-05-21 18:23:46 -0400 |
---|---|---|
committer | Kees Cook <keescook@chromium.org> | 2014-07-18 15:13:38 -0400 |
commit | 1d4457f99928a968767f6405b4a1f50845aa15fd (patch) | |
tree | 522641b08f4a465035910a74a3871ad38e62df01 /security/apparmor | |
parent | 8855d608c145c1ca0e26f4da00741080bb49d80d (diff) |
sched: move no_new_privs into new atomic flags
Since seccomp transitions between threads requires updates to the
no_new_privs flag to be atomic, the flag must be part of an atomic flag
set. This moves the nnp flag into a separate task field, and introduces
accessors.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Diffstat (limited to 'security/apparmor')
-rw-r--r-- | security/apparmor/domain.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 452567d3a08e..d97cba3e3849 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c | |||
@@ -621,7 +621,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest) | |||
621 | * There is no exception for unconfined as change_hat is not | 621 | * There is no exception for unconfined as change_hat is not |
622 | * available. | 622 | * available. |
623 | */ | 623 | */ |
624 | if (current->no_new_privs) | 624 | if (task_no_new_privs(current)) |
625 | return -EPERM; | 625 | return -EPERM; |
626 | 626 | ||
627 | /* released below */ | 627 | /* released below */ |
@@ -776,7 +776,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, | |||
776 | * no_new_privs is set because this aways results in a reduction | 776 | * no_new_privs is set because this aways results in a reduction |
777 | * of permissions. | 777 | * of permissions. |
778 | */ | 778 | */ |
779 | if (current->no_new_privs && !unconfined(profile)) { | 779 | if (task_no_new_privs(current) && !unconfined(profile)) { |
780 | put_cred(cred); | 780 | put_cred(cred); |
781 | return -EPERM; | 781 | return -EPERM; |
782 | } | 782 | } |