diff options
author | John Johansen <john.johansen@canonical.com> | 2016-09-01 07:10:06 +0300 |
---|---|---|
committer | Jiri Slaby <jslaby@suse.cz> | 2016-12-12 15:55:53 +0300 |
commit | 6d7bc8a89e1303bde5647d6940c36a43dcf4bc68 (patch) | |
tree | b023ce35488955e7872fea500d4da521d6f76f30 /security | |
parent | e525af57bbeb5c040463cd7afa658a33df52e828 (diff) | |
download | linux-6d7bc8a89e1303bde5647d6940c36a43dcf4bc68.tar.xz |
apparmor: fix change_hat not finding hat after policy replacement
commit 3d40658c977769ce2138f286cf131537bf68bdfe upstream.
After a policy replacement, the task cred may be out of date and need
to be updated. However change_hat is using the stale profiles from
the out of date cred resulting in either: a stale profile being applied
or, incorrect failure when searching for a hat profile as it has been
migrated to the new parent profile.
Fixes: 01e2b670aa898a39259bc85c78e3d74820f4d3b6 (failure to find hat)
Fixes: 898127c34ec03291c86f4ff3856d79e9e18952bc (stale policy being applied)
Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1000287
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Diffstat (limited to 'security')
-rw-r--r-- | security/apparmor/domain.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 26c607c971f5..0c23888b9816 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -629,8 +629,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest) /* released below */ cred = get_current_cred(); cxt = cred_cxt(cred); - profile = aa_cred_profile(cred); - previous_profile = cxt->previous; + profile = aa_get_newest_profile(aa_cred_profile(cred)); + previous_profile = aa_get_newest_profile(cxt->previous); if (unconfined(profile)) { info = "unconfined"; @@ -726,6 +726,8 @@ audit: out: aa_put_profile(hat); kfree(name); + aa_put_profile(profile); + aa_put_profile(previous_profile); put_cred(cred); return error; |