diff options
Diffstat (limited to 'security/apparmor/domain.c')
| -rw-r--r-- | security/apparmor/domain.c | 26 |
1 files changed, 9 insertions, 17 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 859abdaac1ea..01b7bd669a88 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c | |||
| @@ -62,17 +62,14 @@ static int may_change_ptraced_domain(struct task_struct *task, | |||
| 62 | struct aa_profile *to_profile) | 62 | struct aa_profile *to_profile) |
| 63 | { | 63 | { |
| 64 | struct task_struct *tracer; | 64 | struct task_struct *tracer; |
| 65 | const struct cred *cred = NULL; | ||
| 66 | struct aa_profile *tracerp = NULL; | 65 | struct aa_profile *tracerp = NULL; |
| 67 | int error = 0; | 66 | int error = 0; |
| 68 | 67 | ||
| 69 | rcu_read_lock(); | 68 | rcu_read_lock(); |
| 70 | tracer = ptrace_parent(task); | 69 | tracer = ptrace_parent(task); |
| 71 | if (tracer) { | 70 | if (tracer) |
| 72 | /* released below */ | 71 | /* released below */ |
| 73 | cred = get_task_cred(tracer); | 72 | tracerp = aa_get_task_profile(tracer); |
| 74 | tracerp = aa_cred_profile(cred); | ||
| 75 | } | ||
| 76 | 73 | ||
| 77 | /* not ptraced */ | 74 | /* not ptraced */ |
| 78 | if (!tracer || unconfined(tracerp)) | 75 | if (!tracer || unconfined(tracerp)) |
| @@ -82,8 +79,7 @@ static int may_change_ptraced_domain(struct task_struct *task, | |||
| 82 | 79 | ||
| 83 | out: | 80 | out: |
| 84 | rcu_read_unlock(); | 81 | rcu_read_unlock(); |
| 85 | if (cred) | 82 | aa_put_profile(tracerp); |
| 86 | put_cred(cred); | ||
| 87 | 83 | ||
| 88 | return error; | 84 | return error; |
| 89 | } | 85 | } |
| @@ -360,7 +356,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) | |||
| 360 | if (bprm->cred_prepared) | 356 | if (bprm->cred_prepared) |
| 361 | return 0; | 357 | return 0; |
| 362 | 358 | ||
| 363 | cxt = bprm->cred->security; | 359 | cxt = cred_cxt(bprm->cred); |
| 364 | BUG_ON(!cxt); | 360 | BUG_ON(!cxt); |
| 365 | 361 | ||
| 366 | profile = aa_get_profile(aa_newest_version(cxt->profile)); | 362 | profile = aa_get_profile(aa_newest_version(cxt->profile)); |
| @@ -443,6 +439,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) | |||
| 443 | } else { | 439 | } else { |
| 444 | error = -ENOENT; | 440 | error = -ENOENT; |
| 445 | info = "profile not found"; | 441 | info = "profile not found"; |
| 442 | /* remove MAY_EXEC to audit as failure */ | ||
| 443 | perms.allow &= ~MAY_EXEC; | ||
| 446 | } | 444 | } |
| 447 | } | 445 | } |
| 448 | } else if (COMPLAIN_MODE(profile)) { | 446 | } else if (COMPLAIN_MODE(profile)) { |
| @@ -514,11 +512,7 @@ x_clear: | |||
| 514 | cxt->profile = new_profile; | 512 | cxt->profile = new_profile; |
| 515 | 513 | ||
| 516 | /* clear out all temporary/transitional state from the context */ | 514 | /* clear out all temporary/transitional state from the context */ |
| 517 | aa_put_profile(cxt->previous); | 515 | aa_clear_task_cxt_trans(cxt); |
| 518 | aa_put_profile(cxt->onexec); | ||
| 519 | cxt->previous = NULL; | ||
| 520 | cxt->onexec = NULL; | ||
| 521 | cxt->token = 0; | ||
| 522 | 516 | ||
| 523 | audit: | 517 | audit: |
| 524 | error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC, | 518 | error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC, |
| @@ -557,7 +551,7 @@ int apparmor_bprm_secureexec(struct linux_binprm *bprm) | |||
| 557 | void apparmor_bprm_committing_creds(struct linux_binprm *bprm) | 551 | void apparmor_bprm_committing_creds(struct linux_binprm *bprm) |
| 558 | { | 552 | { |
| 559 | struct aa_profile *profile = __aa_current_profile(); | 553 | struct aa_profile *profile = __aa_current_profile(); |
| 560 | struct aa_task_cxt *new_cxt = bprm->cred->security; | 554 | struct aa_task_cxt *new_cxt = cred_cxt(bprm->cred); |
| 561 | 555 | ||
| 562 | /* bail out if unconfined or not changing profile */ | 556 | /* bail out if unconfined or not changing profile */ |
| 563 | if ((new_cxt->profile == profile) || | 557 | if ((new_cxt->profile == profile) || |
| @@ -634,7 +628,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest) | |||
| 634 | 628 | ||
| 635 | /* released below */ | 629 | /* released below */ |
| 636 | cred = get_current_cred(); | 630 | cred = get_current_cred(); |
| 637 | cxt = cred->security; | 631 | cxt = cred_cxt(cred); |
| 638 | profile = aa_cred_profile(cred); | 632 | profile = aa_cred_profile(cred); |
| 639 | previous_profile = cxt->previous; | 633 | previous_profile = cxt->previous; |
| 640 | 634 | ||
| @@ -750,7 +744,6 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, | |||
| 750 | bool permtest) | 744 | bool permtest) |
| 751 | { | 745 | { |
| 752 | const struct cred *cred; | 746 | const struct cred *cred; |
| 753 | struct aa_task_cxt *cxt; | ||
| 754 | struct aa_profile *profile, *target = NULL; | 747 | struct aa_profile *profile, *target = NULL; |
| 755 | struct aa_namespace *ns = NULL; | 748 | struct aa_namespace *ns = NULL; |
| 756 | struct file_perms perms = {}; | 749 | struct file_perms perms = {}; |
| @@ -770,7 +763,6 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, | |||
| 770 | } | 763 | } |
| 771 | 764 | ||
| 772 | cred = get_current_cred(); | 765 | cred = get_current_cred(); |
| 773 | cxt = cred->security; | ||
| 774 | profile = aa_cred_profile(cred); | 766 | profile = aa_cred_profile(cred); |
| 775 | 767 | ||
| 776 | /* | 768 | /* |