This patch removes magic cookies from the aa_change_profile interface, making
it a true one-way transition.
It also fixes a refcounting bug with previous_profile by virtue of removing
the broken code entirely.
Signed-off-by: Kenny Graunke <kgraunke@novell.com>
Signed-off-by: Seth Arnold <seth.arnold@suse.de>
---
security/apparmor/apparmor.h | 2 +-
security/apparmor/main.c | 21 +++++++--------------
security/apparmor/procattr.c | 9 +--------
3 files changed, 9 insertions(+), 23 deletions(-)
--- a/security/apparmor/apparmor.h
|
|
+++ b/security/apparmor/apparmor.h
|
|
@@ -211,7 +211,7 @@ extern int aa_clone(struct task_struct *
|
|
extern int aa_register(struct linux_binprm *bprm);
|
|
extern void aa_release(struct task_struct *task);
|
|
extern int aa_change_hat(const char *id, u64 hat_magic);
|
|
-extern int aa_change_profile(const char *name, u64 cookie);
|
|
+extern int aa_change_profile(const char *name);
|
|
extern struct aa_profile *__aa_find_profile(const char *name,
|
|
struct list_head *list);
|
|
extern struct aa_profile *__aa_replace_profile(struct task_struct *task,
|
|
--- a/security/apparmor/main.c
|
|
+++ b/security/apparmor/main.c
|
|
@@ -1110,20 +1110,18 @@ out:
|
|
}
|
|
|
|
/**
|
|
- * aa_change_profile - change profile to/from previous stored profile
|
|
+ * aa_change_profile - perform a one-way profile transition
|
|
* @name: name of profile to change to
|
|
- * @cookie: magic value to validate the profile change
|
|
*
|
|
- * Change to new profile @name, and store the @cookie in the current task
|
|
- * context. If the new @name is %NULL and the @cookie matches that
|
|
- * stored in the current task context, return to the previous profile.
|
|
+ * Change to new profile @name. Unlike with hats, there is no way
|
|
+ * to change back.
|
|
*
|
|
* Returns %0 on success, error otherwise.
|
|
*/
|
|
-int aa_change_profile(const char *name, u64 cookie)
|
|
+int aa_change_profile(const char *name)
|
|
{
|
|
struct aa_task_context *cxt;
|
|
- struct aa_profile *profile, *previous_profile;
|
|
+ struct aa_profile *profile;
|
|
struct aa_audit sa;
|
|
int error = 0;
|
|
|
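Review bot: The rewritten kernel-doc for `aa_change_profile` does not say what a %NULL @name does now that the restore path it used to select is gone; from the following hunk the `if (name)` block has no else branch, so a %NULL name appears to return 0 without changing anything, and the comment should either state that or require @name to be non-%NULL. `* Returns %0 on success, error otherwise.` is also vague where the visible paths return -EPERM and -EACCES; naming them with their conditions would help, though those conditions fall outside this hunk. Suggested wording for the parameter line: `* @name: name of profile to change to; must not be %NULL (there is no longer a "restore previous profile" form)`. The function body continues past the end of this hunk.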
|
@@ -1139,7 +1137,6 @@ repeat:
|
|
return -EPERM;
|
|
}
|
|
profile = aa_dup_profile(cxt->profile);
|
|
- previous_profile = aa_dup_profile(cxt->previous_profile);
|
|
task_unlock(current);
|
|
|
|
if (name) {
|
|
@@ -1150,13 +1147,9 @@ repeat:
|
|
aa_put_profile(profile);
|
|
return -EACCES;
|
|
}
|
|
- error = do_change_profile(profile, name, cookie, 0, &sa);
|
|
- } else if (previous_profile)
|
|
- error = do_change_profile(profile, previous_profile->name,
|
|
- cookie, 1, &sa);
|
|
- /* else ignore restores when there is no saved profile */
|
|
+ error = do_change_profile(profile, name, 0, 0, &sa);
|
|
+ }
|
|
|
|
- aa_put_profile(previous_profile);
|
|
aa_put_profile(profile);
|
|
if (error == -ESTALE)
|
|
goto repeat;
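Review bot: A %NULL @name now returns success having done nothing: with the `else if (previous_profile)` branch removed, the `if (name)` block has no else, `error` stays 0 and the caller cannot distinguish the no-op from a real transition. Since the restore form is intentionally gone, reject it explicitly, e.g. `} else { error = -EINVAL; }`, so control still reaches the `aa_put_profile(profile)` below and the reference is dropped. The call `do_change_profile(profile, name, 0, 0, &sa)` also keeps passing a cookie and a restore flag as bare literals after the commit removed the cookie from the public interface; if do_change_profile still stores the cookie or previous_profile in the task context, those parameters and the field should go as well, otherwise the refcount the commit message says it fixes is still manipulated elsewhere (not visible in this hunk). aa_change_profile's body starts before this hunk.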
|
|
--- a/security/apparmor/procattr.c
|
|
+++ b/security/apparmor/procattr.c
|
|
@@ -87,14 +87,7 @@ int aa_setprocattr_changehat(char *args)
|
|
|
|
int aa_setprocattr_changeprofile(char *args)
|
|
{
|
|
- char *name;
|
|
- u64 cookie;
|
|
-
|
|
- name = split_token_from_name("change_profile", args, &cookie);
|
|
- if (IS_ERR(name))
|
|
- return PTR_ERR(name);
|
|
-
|
|
- return aa_change_profile(name, cookie);
|
|
+ return aa_change_profile(args);
|
|
}
|
|
|
|
int aa_setprocattr_setprofile(struct task_struct *task, char *args)
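Review bot: `aa_setprocattr_changeprofile` now hands the raw `args` buffer to `aa_change_profile` with none of the parsing `split_token_from_name` used to do, so an empty string, or a write still in the old `change_profile` token format carrying a cookie, is passed on as a literal profile name. Whether aa_change_profile or its profile lookup rejects an empty or malformed name is not visible here; a guard such as `if (!args || !*args) return -EINVAL;` would make the rejection explicit at the userspace boundary. The change also alters the /proc attr write format for any userspace still sending a cookie, which deserves a line in the commit message or the interface documentation. aa_setprocattr_setprofile at the end of the hunk continues outside it.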
|