xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

apparmor: move task domain change info to task security

Browse Source 
The task domain change info is task specific and its and abuse of
the cred to store the information in there. Now that a task->security
field exists store it in the proper place.

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
2017-01-20 01:59:25 -08:00
parent 4d2f8ba3e3
commit 3b529a7600
4 changed files with 133 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
security/apparmor/domain.c
View File

@@ -780,6 +780,7 @@ static struct aa_label *handle_onexec(struct aa_label *label,
int apparmor_bprm_set_creds(struct linux_binprm *bprm)
{
struct aa_cred_ctx *ctx;
struct aa_task_ctx *tctx;
struct aa_label *label, *new = NULL;
struct aa_profile *profile;
char *buffer = NULL;
@@ -795,15 +796,17 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
return 0;
ctx = cred_ctx(bprm->cred);
tctx = current_task_ctx();
AA_BUG(!ctx);
AA_BUG(!tctx);
label = aa_get_newest_label(ctx->label);
/* buffer freed below, name is pointer into buffer */
get_buffers(buffer);
/* Test for onexec first as onexec override other x transitions. */
if (ctx->onexec)
new = handle_onexec(label, ctx->onexec, ctx->token,
if (tctx->onexec)
new = handle_onexec(label, tctx->onexec, tctx->token,
bprm, buffer, &cond, &unsafe);
else
new = fn_label_build(label, profile, GFP_ATOMIC,
@@ -858,9 +861,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
ctx->label = new;
done:
/* clear out temporary/transitional state from the context */
aa_clear_cred_ctx_trans(ctx);
aa_put_label(label);
put_buffers(buffer);
@@ -1050,6 +1050,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
{
const struct cred *cred;
struct aa_cred_ctx *ctx;
struct aa_task_ctx *tctx;
struct aa_label *label, *previous, *new = NULL, *target = NULL;
struct aa_profile *profile;
struct aa_perms perms = {};
@@ -1070,8 +1071,9 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
/* released below */
cred = get_current_cred();
ctx = cred_ctx(cred);
tctx = current_task_ctx();
label = aa_get_newest_cred_label(cred);
previous = aa_get_newest_label(ctx->previous);
previous = aa_get_newest_label(tctx->previous);
if (unconfined(label)) {
info = "unconfined can not change_hat";