Commit fd0cbfdb authored by John Johansen, committed by Thadeu Lima de Souza Cascardo

UBUNTU: SAUCE: fix regression with domain change in complain mode

The patch
Fix no_new_privs blocking change_onexec when using stacked namespaces

changed when the no_new_privs check is processed so the test could
be correctly applied in a stacked profile situation.

However, it changed the behavior of the error returned in complain mode,
which will have both @error and @new set.

Fix this by introducing a new var to indicate the no_new_privs condition
instead of relying on error. While doing this allow the new label under
no new privs to be audited, by having its reference put in the error path,
instead of in the no_new_privs condition check.

BugLink: http://bugs.launchpad.net/bugs/1661030
BugLink: http://bugs.launchpad.net/bugs/1648903
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Colin King <colin.king@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
parent 53edfe80
...@@ -496,6 +496,7 @@ static struct aa_label *profile_transition(struct aa_profile *profile, ...@@ -496,6 +496,7 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
const char *info = NULL, *name = NULL, *target = NULL; const char *info = NULL, *name = NULL, *target = NULL;
unsigned int state = profile->file.start; unsigned int state = profile->file.start;
struct aa_perms perms = {}; struct aa_perms perms = {};
bool nonewprivs = false;
int error = 0; int error = 0;
AA_BUG(!profile); AA_BUG(!profile);
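Review bot: the new `bool nonewprivs = false;` local carries ownership semantics (it marks that `new` is held only for auditing and must be released rather than returned), but nothing at the declaration says so; a one-line comment such as `/* new label held only for audit; release, don't return */` would make the later `if (!new || nonewprivs)` self-explanatory. Also consider spelling it `no_new_privs` to match the `info` string and the flag name used in the commit message, so a grep for the condition finds both.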
...@@ -571,8 +572,7 @@ static struct aa_label *profile_transition(struct aa_profile *profile, ...@@ -571,8 +572,7 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
!aa_label_is_subset(new, &profile->label)) { !aa_label_is_subset(new, &profile->label)) {
error = -EPERM; error = -EPERM;
info = "no new privs"; info = "no new privs";
aa_put_label(new); nonewprivs = true;
new = NULL;
goto audit; goto audit;
} }
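Review bot: replacing `aa_put_label(new); new = NULL;` with `nonewprivs = true;` means the reference on `new` now deliberately escapes this branch and is released only in the audit block, so correctness depends on the two hunks staying coupled: any future early exit that sets `error` while leaving `new` alive must also set `nonewprivs`, or the label is returned to the caller despite the denial. A short comment at the `goto audit` noting that `new` is kept solely so `aa_audit_file()` can log the target label would guard against that. Note also that `error = -EPERM` is still assigned here, which is correct for the enforce case; the complain-mode regression described in the commit message is fixed only by the changed condition in the audit block, not by this hunk.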
...@@ -589,9 +589,8 @@ static struct aa_label *profile_transition(struct aa_profile *profile, ...@@ -589,9 +589,8 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
audit: audit:
aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name, target, new, aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name, target, new,
cond->uid, info, error); cond->uid, info, error);
if (error) { if (!new || nonewprivs) {
if (new) aa_put_label(new);
aa_put_label(new);
return ERR_PTR(error); return ERR_PTR(error);
} }
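Review bot: the `if (new)` guard before `aa_put_label(new)` is dropped while the new condition `!new || nonewprivs` can enter the block with `new == NULL`, so this relies on `aa_put_label()` tolerating a NULL label; if it does, a comment saying so would stop the next reader from re-adding the guard, and if it does not, this is a NULL dereference on every `!new` path. Separately, the old code only returned `ERR_PTR(error)` when `error` was set; the new code returns `ERR_PTR(error)` whenever `new` is NULL, so if any path above reaches `audit:` with `new == NULL` and `error == 0`, the caller now receives `ERR_PTR(0)`, i.e. a NULL label with no error. Worth confirming every `new == NULL` path sets `error`, or writing `return ERR_PTR(error ? error : -EACCES);` (the exact fallback value is a suggestion, not something the hunk establishes).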