| Message ID | 1471943154-14507-5-git-send-email-john.johansen@canonical.com |
|---|---|
| State | New |
| Headers | show |
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 536655c..b71bfde 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -644,7 +644,8 @@ static struct aa_label *handle_onexec(struct aa_label *label, if (error) return ERR_PTR(error); new = fn_label_build_in_ns(label, profile, GFP_ATOMIC, - aa_label_merge(label, onexec, + aa_label_merge(&profile->label, + onexec, GFP_ATOMIC), profile_transition(profile, xname, cond, unsafe));
The label build for onexec when crossing a namespace boundry is not quite correct. The label needs to be built per profile and not based on the whole label because the onexec transition only applies to profiles within the ns. Where merging against the label could include profile that are transitioned via the profile_transition callback and should not be in the final label. BugLink: http://bugs.launchpad.net/bugs/1615881 Signed-off-by: John Johansen <john.johansen@canonical.com> --- security/apparmor/domain.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)