From patchwork Tue Aug 23 09:05:43 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: John Johansen
X-Patchwork-Id: 661787
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 3sJPhS0KMmz9sBc; Tue, 23 Aug 2016 19:07:04 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1bc7fh-0006gx-6G; Tue, 23 Aug 2016 09:07:01 +0000
Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1bc7f2-0006Gp-5r for kernel-team@lists.ubuntu.com; Tue, 23 Aug 2016 09:06:20 +0000
Received: from static-50-53-49-26.bvtn.or.frontiernet.net ([50.53.49.26] helo=canonical.com) by youngberry.canonical.com with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1bc7f1-0006Tr-Iz for kernel-team@lists.ubuntu.com; Tue, 23 Aug 2016 09:06:19 +0000
From: John Johansen
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 03/14] UBUNTU: SAUCE: apparmor: Fix new to old label comparison for domain transitions
Date: Tue, 23 Aug 2016 02:05:43 -0700
Message-Id: <1471943154-14507-4-git-send-email-john.johansen@canonical.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1471943154-14507-1-git-send-email-john.johansen@canonical.com>
References: <1471943154-14507-1-git-send-email-john.johansen@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Kernel team discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: kernel-team-bounces@lists.ubuntu.com

For the purposes of inherit we should be treating a profile/label transition to its replacement as if the replacement is the profile/label. So make the comparison based off of the label proxy, not the label itself.

BugLink: http://bugs.launchpad.net/bugs/1615880

Signed-off-by: John Johansen

--- security/apparmor/domain.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 0b1d361..536655c 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -517,7 +517,7 @@ static struct aa_label *profile_transition(struct aa_profile *profile, if (perms.allow & MAY_EXEC) { /* exec permission determine how to transition */ new = x_to_label(profile, name, perms.xindex, &target, &info); - if (new == &profile->label && info) { + if (new && new->proxy == profile->label.proxy && info) { /* hack ix fallback - improve how this is detected */ goto audit; } else if (!new) { 
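Review bot: the `/* hack ix fallback - improve how this is detected */` comment under the changed condition is now out of date: the condition `new && new->proxy == profile->label.proxy && info` also fires when x_to_label() hands back a replacement of `profile` (same proxy, different label object), so the comment should say the ix fallback is detected by proxy, and the commit message's reasoning (a transition to a profile's replacement is treated as the profile itself) belongs next to it rather than only in the changelog. The added `new &&` guard is required, since `new->proxy` is dereferenced where the old `new == &profile->label` comparison tolerated a NULL `new`; keep it first in the condition as written. Worth confirming in the same pass that the `goto audit` path handles `new` correctly now that it can be a label other than `&profile->label`, since the visible hunk shows `new` being returned by x_to_label() but not what `audit:` does with it.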
@@ -759,7 +759,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) bprm->unsafe |= AA_SECURE_X_NEEDED; } - if (label != new) { + if (label->proxy != new->proxy) { /* when transitioning clear unsafe personality bits */ if (DEBUG_ON) { dbg_printk("apparmor: clearing unsafe personality "
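Review bot: `if (label->proxy != new->proxy)` dereferences both operands, whereas the replaced `if (label != new)` did not, so this hunk depends on `new` being non-NULL at this point in apparmor_bprm_set_creds(); the visible context (`bprm->unsafe |= AA_SECURE_X_NEEDED;` just above) does not show the error handling for `new`, so either confirm that every failure path returns before reaching this line or mirror the first hunk's `new &&` guard. The comment "when transitioning clear unsafe personality bits" should also be updated: with the proxy comparison, an exec that lands on a replacement of the task's current profile is no longer treated as a transition and keeps its personality bits, which matches the commit message but is not what the comment says. Since the same proxy comparison now appears in both hunks, a small helper (for example a static inline that takes two labels and does the NULL check plus the proxy compare) would keep the NULL handling in one place.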
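As an added illustration of the proxy comparison the patch switches to (example code written for this page, not the patch's or the kernel's own): a simplified model in which a profile and every replacement of it share one proxy object, so the label a task was confined with before a reload and the label an exec resolves to afterwards differ by identity but agree by proxy. The structs and function names (`label_load`, `label_replace`, `same_label_by_proxy` and so on) are this example's own; the real aa_label/aa_proxy layout, reference counting, locking and RCU handling are not modelled.

```c
/* Added example, not from the patch or the kernel: a simplified model of
 * label proxies, showing why a label-identity comparison misclassifies an
 * exec into a *replaced* profile while a proxy comparison does not.
 * Struct and function names are this example's own assumptions. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct proxy;

struct label {
	const char *name;	/* profile name the label stands for */
	struct proxy *proxy;	/* shared by a profile and all its replacements */
	bool stale;		/* set once a newer version replaces this one */
};

struct proxy {
	struct label *current;	/* newest label for this profile */
};

/* Load a brand-new profile: it gets its own proxy, pointing back at it. */
static struct label *label_load(const char *name)
{
	struct label *l = calloc(1, sizeof(*l));
	struct proxy *p = calloc(1, sizeof(*p));

	if (!l || !p)
		abort();
	l->name = name;
	l->proxy = p;
	p->current = l;
	return l;
}

/* Replace a loaded profile (think apparmor_parser -r): the replacement takes
 * over the old label's proxy and the proxy is redirected to it.  Tasks that
 * were confined before the reload keep pointing at the old, stale label. */
static struct label *label_replace(struct label *old, const char *name)
{
	struct label *repl = calloc(1, sizeof(*repl));

	if (!repl)
		abort();
	repl->name = name;
	repl->proxy = old->proxy;
	repl->proxy->current = repl;
	old->stale = true;
	return repl;
}

/* What an exec-time lookup hands back: the newest version of the profile. */
static struct label *label_current(const struct label *l)
{
	return l->proxy->current;
}

/* The comparison the patch removes: same label object. */
static bool same_label_by_identity(const struct label *a, const struct label *b)
{
	return a == b;
}

/* The comparison the patch introduces: same proxy, i.e. same profile no
 * matter how often it has been replaced.  NULL-safe, like the first hunk's
 * "new && ..." guard. */
static bool same_label_by_proxy(const struct label *a, const struct label *b)
{
	return a && b && a->proxy == b->proxy;
}

/* Scenario: a task confined by "foo" execs something that resolves to "foo"
 * again, but "foo" was reloaded in between.  Returns true when the chosen
 * comparison reports "no domain change", which is the answer we want. */
static bool exec_after_reload_is_no_change(bool use_proxy)
{
	struct label *foo = label_load("foo");
	struct label *task_label = foo;		/* confined before the reload */
	struct label *foo_v2 = label_replace(foo, "foo");
	struct label *target = label_current(task_label);	/* resolves to foo_v2 */
	bool same = use_proxy ? same_label_by_proxy(task_label, target)
			      : same_label_by_identity(task_label, target);

	free(foo_v2->proxy);
	free(foo_v2);
	free(foo);
	return same;
}

/* Sanity check: a genuine transition foo -> bar is still seen as a change
 * by both comparisons.  Returns true when a change is reported. */
static bool exec_into_other_profile_is_change(bool use_proxy)
{
	struct label *foo = label_load("foo");
	struct label *bar = label_load("bar");
	bool same = use_proxy ? same_label_by_proxy(foo, bar)
			      : same_label_by_identity(foo, bar);

	free(foo->proxy);
	free(foo);
	free(bar->proxy);
	free(bar);
	return !same;
}

int main(void)
{
	printf("identity comparison after reload: %s\n",
	       exec_after_reload_is_no_change(false) ? "no change" : "spurious transition");
	printf("proxy comparison after reload:    %s\n",
	       exec_after_reload_is_no_change(true) ? "no change" : "spurious transition");
	printf("foo -> bar seen as change (proxy): %s\n",
	       exec_into_other_profile_is_change(true) ? "yes" : "no");
	return 0;
}
```

Run as a stand-alone program it prints the identity comparison reporting a spurious transition after the reload and the proxy comparison reporting no change, while a real foo -> bar exec is reported as a change either way; that is the behavioural difference the two hunks aim at, with the caveat that the model has no reference counting and no NULL-returning lookup, so the `new &&` guard question raised against the second hunk is not exercised here.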