From patchwork Fri Mar 31 12:57:43 2017
X-Patchwork-Submitter: John Johansen
X-Patchwork-Id: 745634
From: John Johansen
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 10/11] UBUNTU: SAUCE: fix regression with domain change in complain mode
Date: Fri, 31 Mar 2017 05:57:43 -0700
Message-Id: <20170331125744.16986-11-john.johansen@canonical.com>
In-Reply-To: <20170331125744.16986-1-john.johansen@canonical.com>
References: <20170331125744.16986-1-john.johansen@canonical.com>
List-Id: Kernel team discussions

The patch "Fix no_new_privs blocking change_onexec when using stacked namespaces" changed when the no_new_privs check is processed so the test could be correctly applied in a stacked profile situation. However, it changed the behavior of the error returned in complain mode, which will have both @error and @new set.

Fix this by introducing a new var to indicate the no_new_privs condition instead of relying on error. While doing this, allow the new label under no new privs to be audited, by having its reference put in the error path instead of in the no_new_privs condition check.

BugLink: http://bugs.launchpad.net/bugs/1661030
BugLink: http://bugs.launchpad.net/bugs/1648903

Signed-off-by: John Johansen
Acked-by: Colin King
Acked-by: Stefan Bader
Signed-off-by: Thadeu Lima de Souza Cascardo
---
 security/apparmor/domain.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index cfb0c28..576d511 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -496,6 +496,7 @@ static struct aa_label *profile_transition(struct aa_profile *profile, const char *info = NULL, *name = NULL, *target = NULL; unsigned int state = profile->file.start; struct aa_perms perms = {}; + bool nonewprivs = false; int error = 0; AA_BUG(!profile); @@ -571,8 +572,7 @@ static struct aa_label *profile_transition(struct aa_profile *profile, !aa_label_is_subset(new, &profile->label)) { error = -EPERM; info = "no new privs"; - aa_put_label(new); - new = NULL; + nonewprivs = true; goto audit; } @@ -589,9 +589,8 @@ static struct aa_label *profile_transition(struct aa_profile *profile, audit: aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name, target, new, cond->uid, info, error); - if (error) { - if (new) - aa_put_label(new); + if (!new || nonewprivs) { + aa_put_label(new); return ERR_PTR(error); }
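Review bot: in the second hunk (the no_new_privs branch of profile_transition), replacing `aa_put_label(new); new = NULL;` with `nonewprivs = true;` means the function now reaches the `audit:` label holding a live reference on `new` with `error = -EPERM` already set, so that reference must be released on every exit from the audit path or it leaks; a one-line comment next to `nonewprivs = true;` stating that the reference is deliberately kept so aa_audit_file() can log the rejected label and is dropped after the audit would make the ownership hand-off obvious to the next reader.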
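Review bot: in the third hunk, the early return after aa_audit_file() is now keyed on `!new || nonewprivs` instead of `error`, so any path that sets `error` while leaving `new` non-NULL now falls through and returns `new` rather than `ERR_PTR(error)`; that is the intended complain-mode behaviour, but a comment saying that `error` alone no longer short-circuits the return would prevent someone from "fixing" it back later. Two things to confirm on the same lines: `aa_put_label(new)` is now called unconditionally, including in the `!new` case, which is only safe if aa_put_label() tolerates a NULL label (otherwise the removed `if (new)` guard must return), and when `new` is NULL with `error` still 0, `ERR_PTR(error)` evaluates to NULL rather than an error pointer, so every path that leaves `new` NULL should also be setting a non-zero `error`.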