apparmor: Fix change_onexec when called from a confined task
author: John Johansen <john.johansen@canonical.com>
Tue, 27 Mar 2012 11:14:33 +0000 (04:14 -0700)
committer: James Morris <james.l.morris@oracle.com>
Tue, 27 Mar 2012 14:00:05 +0000 (01:00 +1100)
Fix failure in aa_change_onexec api when the request is made from a confined
task.  This failure was caused by two problems:

 The AA_MAY_ONEXEC perm was not being mapped correctly for this case.

 The executable name was being checked a second time instead of using the
 requested onexec profile name, which may not be the same as the exec
 profile name. This mistake cannot be exploited to grant extra permission
 because of the above flaw where the ONEXEC permission was not being mapped,
 so it will not be granted.

BugLink: http://bugs.launchpad.net/bugs/963756
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
security/apparmor/domain.c
security/apparmor/file.c

index 7c69599a69e1c21560ff3cf7e1ea04690b3e039b..6327685c101e49cc720553c9db9f02da3fed1d24 100644
@@ -410,7 +410,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
                 * exec\0change_profile
                 */
                state = aa_dfa_null_transition(profile->file.dfa, state);
-               cp = change_profile_perms(profile, cxt->onexec->ns, name,
+               cp = change_profile_perms(profile, cxt->onexec->ns,
+                                         cxt->onexec->base.name,
                                          AA_MAY_ONEXEC, state);
 
                if (!(cp.allow & AA_MAY_ONEXEC))
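Review bot: the hunk does not say which form of profile name the `exec\0change_profile` pairing is compiled against, so it is not clear from the diff that `cxt->onexec->base.name` is the string the DFA expects after the null transition. `name` is the exec path that was already consumed to reach `state`, so matching it a second time was never going to pair correctly; the onexec target's name is the right thing to match, but if `base.name` holds only the last component of a hierarchical profile name, an onexec rule that names a nested profile would still fail to match. Please confirm that `base.name` is what the policy compiler emits into the pairing (and not only the leaf component), and extend the `exec\0change_profile` comment above the call to state that explicitly. Note also that the result is still gated on `cp.allow & AA_MAY_ONEXEC`, so this path only works once compute_perms actually produces that bit.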
index 3022c0f4f0dbc2878fdf09c3e318333bc3d685de..5d176f2530c9820873d57c082ff787c5eca38de5 100644
@@ -215,6 +215,8 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
        /* change_profile wasn't determined by ownership in old mapping */
        if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
                perms.allow |= AA_MAY_CHANGE_PROFILE;
+       if (ACCEPT_TABLE(dfa)[state] & 0x40000000)
+               perms.allow |= AA_MAY_ONEXEC;
 
        return perms;
 }
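Review bot: `0x40000000` is an undocumented magic bit; the comment immediately above only explains `0x80000000` for change_profile, and nothing in the hunk records that bit 30 of the accept-table entry is the onexec flag. Add a comment (or a named mask next to whatever names the `0x80000000` bit, if one exists) saying so, and say that, like change_profile, onexec is mapped only into `perms.allow` regardless of ownership, which is what the caller in apparmor_bprm_set_creds tests with `cp.allow & AA_MAY_ONEXEC`. It is also worth noting in that comment that this mapping is the reason the name mix-up in domain.c was not exploitable (ONEXEC could never be granted without it), so the two changes are understood as a pair rather than as independent cleanups.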