[Xenial,Yakkety,Zesty] fix regression with domain change in complain mode

The patch
Fix no_new_privs blocking change_onexec when using stacked namespaces

changed when the no_new_privs checks is processed so the test could
be correctly applied in a stacked profile situation.

However it changed the behavior of the error returned in complain mode,
which will have both @error and @new set.

Fix this by introducing a new var to indicate the no_new_privs condition
instead of relying on error. While doing this allow the new label under
no new privs to be audited, by having its reference put in the error path,
instead of in the no_new_privs condition check.

BugLink: http://bugs.launchpad.net/bugs/1661030
BugLink: http://bugs.launchpad.net/bugs/1648903
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/domain.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

On 02/02/17 09:09, John Johansen wrote:
> The patch
> Fix no_new_privs blocking change_onexec when using stacked namespaces
> 
> changed when the no_new_privs checks is processed so the test could
> be correctly applied in a stacked profile situation.
> 
> However it changed the behavior of the error returned in complain mode,
> which will have both @error and @new set.
> 
> Fix this by introducing a new var to indicate the no_new_privs condition
> instead of relying on error. While doing this allow the new label under
> no new privs to be audited, by having its reference put in the error path,
> instead of in the no_new_privs condition check.
> 
> BugLink: http://bugs.launchpad.net/bugs/1661030
> BugLink: http://bugs.launchpad.net/bugs/1648903
> Signed-off-by: John Johansen <john.johansen@canonical.com>
> ---
>  security/apparmor/domain.c | 9 ++++-----
>  1 file changed, 4 insertions(+), 5 deletions(-)
> 
> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> index cfb0c28..576d511 100644
> --- a/security/apparmor/domain.c
> +++ b/security/apparmor/domain.c
> @@ -496,6 +496,7 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
>  	const char *info = NULL, *name = NULL, *target = NULL;
>  	unsigned int state = profile->file.start;
>  	struct ahttps://en.wikipedia.org/wiki/Sturgeon's_lawa_perms perms = {};
> +	bool nonewprivs = false;
>  	int error = 0;
>  
>  	AA_BUG(!profile);
> @@ -571,8 +572,7 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
>  	    !aa_label_is_subset(new, &profile->label)) {
>  		error = -EPERM;
>  		info = "no new privs";
> -		aa_put_label(new);
> -		new = NULL;
> +		nonewprivs = true;
>  		goto audit;
>  	}
>  
> @@ -589,9 +589,8 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
>  audit:
>  	aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name, target, new,
>  		      cond->uid, info, error);
> -	if (error) {
> -		if (new)
> -			aa_put_label(new);
> +	if (!new || nonewprivs) {
> +		aa_put_label(new);
>  		return ERR_PTR(error);
>  	}
>  
> 
Tested on i386 and passes. Thanks JJ.

Acked-by: Colin Ian King <colin.king@canonical.com>

Ok, since that is verified to work.

John - Zesty will transition to a v4.10 kernel soon. Will it require a
separate set of patches, or is the recent batch submitted for X/Y/Z
applicable as well ?

rtg

Applied to xenial and yakkety master-next branches.

Thanks.
Cascardo.