From patchwork Mon Oct 6 18:16:42 2014
X-Patchwork-Submitter: John Johansen
X-Patchwork-Id: 396894
Message-ID: <5432DC8A.9020504@canonical.com>
Date: Mon, 06 Oct 2014 11:16:42 -0700
From: John Johansen
Organization: Canonical
To: Kernel team list
Subject: [Patch][utopic] UBUNTU: SAUCE: Revert: fix: only allow a single threaded process to ...
List-Id: Kernel team discussions

From 30df55014aeb91a7ea76d8866f044037c87a888d Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Mon, 6 Oct 2014 10:49:58 -0700
Subject: [PATCH] UBUNTU: SAUCE: Revert: fix: only allow a single threaded process to ...

Revert the enforcement of only single-threaded tasks using change_onexec. While this change prevents applications from using change_onexec in a potentially broken way (it can be done right, but the application code using it needs to be carefully audited), it does restrict historically allowed behavior. Specifically, this change causes docker to fail, and needs to be reverted until it can be selectively applied with policy changes.

BugLink: http://bugs.launchpad.net/bugs/1371310
Signed-off-by: John Johansen
---
 security/apparmor/domain.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 3953b31..1d07506 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -822,13 +822,6 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, if (error) goto audit; - if (onexec && !current_is_single_threaded()) { - info = "not a single threaded task"; - error = -EACCES; - goto audit; - } - - if (permtest) goto audit;
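Review bot: deleting the whole `if (onexec && !current_is_single_threaded())` block drops not only the -EACCES denial but also the audit path it took with `info = "not a single threaded task"`, so after this revert a multi-threaded task calling change_onexec succeeds with no record that the condition the original fix targeted occurred. Since the commit message says enforcement is meant to return once it can be applied selectively by policy, consider keeping the condition as a non-denying branch that still sets `info` and reaches the audit label (if the audit path logs non-denied events), or at least leave a comment at the deletion site referencing LP: #1371310 so the relaxation is not silently lost when the code is next touched. The subject names the reverted change only by a truncated title; citing the reverted commit's id in the message would make the revert traceable.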