UBUNTU: SAUCE: apparmor: Fix label build for onexec stacking.

The label build for onexec when crossing a namespace boundry is not quite correct. The label needs to be built per profile and not based on the whole label because the onexec transition only applies to profiles within the ns. Where merging against the label could include profile that are transitioned via the profile_transition callback and should not be in the final label. BugLink: http://bugs.launchpad.net/bugs/1615881Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>

UBUNTU: SAUCE: apparmor: Fix label build for onexec stacking.
The label build for onexec when crossing a namespace boundry is not quite correct. The label needs to be built per profile and not based on the whole label because the onexec transition only applies to profiles within the ns. Where merging against the label could include profile that are transitioned via the profile_transition callback and should not be in the final label. BugLink: http://bugs.launchpad.net/bugs/1615881Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
1bb0cbd1 · John Johansen · Kamal Mostafa · 52626f9c · 1bb0cbd1
Commit 1bb0cbd1 authored Aug 23, 2016 by John Johansen Committed by Kamal Mostafa Aug 23, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

security/apparmor/domain.c security/apparmor/domain.c +2 -1

No files found.
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -644,7 +644,8 @@ static struct aa_label *handle_onexec(struct aa_label *label,
 		if (error)
 			return ERR_PTR(error);
 		new = fn_label_build_in_ns(label, profile, GFP_ATOMIC,
-					   aa_label_merge(label, onexec,
+					   aa_label_merge(&profile->label,
+							  onexec,
 							  GFP_ATOMIC),
 					   profile_transition(profile, xname,
 							      cond, unsafe));