Message ID | 20170201091310.22695-2-john.johansen@canonical.com |
---|---|
State | New |
diff --git a/security/apparmor/af_unix.c b/security/apparmor/af_unix.c index 8178498..757df1a 100644 --- a/security/apparmor/af_unix.c +++ b/security/apparmor/af_unix.c @@ -515,7 +515,7 @@ static int profile_peer_perm(struct aa_profile *profile, const char *op, u32 req addr, len, &aad(sa)->info); if (!peer_label) peer_label = peer_ctx->label; - return fn_for_each(peer_label, peerp, + return fn_for_each_in_ns(peer_label, peerp, match_label(profile, peerp, state, request, sa)); }
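Review bot: the switch from fn_for_each() to fn_for_each_in_ns() in profile_peer_perm() narrows the peer check to profiles visible from the caller's namespace, but the hunk does not show what the iteration yields when no profile in peer_label is visible at all; since the motivation is that the old code produced an unfixable denial, the commit message should state whether that empty case still denies (the safe default) rather than silently allowing a peer that cannot be named in policy. Worth stating as well whether the fallback `if (!peer_label) peer_label = peer_ctx->label;` immediately above can hand fn_for_each_in_ns() a label entirely outside the namespace, and whether the other fn_for_each() callers in af_unix.c need the same visibility scoping so that unix socket mediation behaves consistently across nested namespaces.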
When using nested namespaces, policy within the nested namespace is trying to cross validate with policy outside of the namespace that is not visible to it. This results in the access being denied, with no way to add a rule to policy that would allow it. The check should only be done against policy that is visible.

BugLink: http://bugs.launchpad.net/bugs/1660832
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/af_unix.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)