[utopic] UBUNTU: SAUCE: Revert: fix: only allow a single threaded process to ...

Message ID 5432DC8A.9020504@canonical.com
State New

Commit Message

John Johansen Oct. 6, 2014, 6:16 p.m. UTC
From 30df55014aeb91a7ea76d8866f044037c87a888d Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Mon, 6 Oct 2014 10:49:58 -0700
Subject: [PATCH] UBUNTU: SAUCE: Revert: fix: only allow a single threaded
 process to ...

Revert the enforcement of only single threaded tasks using change_onexec.
While this change prevents applications from using change_onexec in
a potentially broken way (it can be done right but the application code
using it needs to be carefully audited), it does restrict historically
allowed behavior. Specifically this change causes docker to fail, and
needs to be reverted until it can be selectively applied with policy
changes.

BugLink: http://bugs.launchpad.net/bugs/1371310

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/domain.c | 7 -------
 1 file changed, 7 deletions(-)

Comments

Stefan Bader Oct. 7, 2014, 8:32 a.m. UTC | #1

Tim Gardner Oct. 7, 2014, 11:22 a.m. UTC | #2

Patch

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 3953b31..1d07506 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -822,13 +822,6 @@  int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
 	if (error)
 		goto audit;
 
-	if (onexec && !current_is_single_threaded()) {
-		info = "not a single threaded task";
-		error = -EACCES;
-		goto audit;
-	}
-
-
 	if (permtest)
 		goto audit;
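
Review bot: Removing the `onexec && !current_is_single_threaded()` block between the `if (error)` and `if (permtest)` checks leaves nothing at this spot to say that change_onexec from a multi-threaded task is allowed again on purpose. The commit message says callers need careful auditing and that the restriction should come back once it can be applied selectively through policy, so a short comment here recording both points would keep that intent visible in domain.c. The deletion also drops the only audit `info` string ("not a single threaded task") for this case. If the goal is just to stop returning -EACCES, consider whether the condition could still be reported through the audit path without setting `error`, so affected applications can be identified before the check is reintroduced. The subject says "Revert" but the message gives no commit id for the change being reverted; adding it would make the history easier to follow.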