diff options
| author | John Johansen <john.johansen@canonical.com> | 2017-10-08 18:26:19 -0700 |
|---|---|---|
| committer | John Johansen <john.johansen@canonical.com> | 2018-02-09 11:30:01 -0800 |
| commit | 9fcf78cca198600b27c44b4e50f00f8af3927f17 (patch) | |
| tree | 7399172a2190db01668808fe8d6782c29145428b /security/apparmor/task.c | |
| parent | d8889d49e414b371eb235c08c3a759ab3e0cfa51 (diff) | |
| download | blackbird-op-linux-9fcf78cca198600b27c44b4e50f00f8af3927f17.tar.gz blackbird-op-linux-9fcf78cca198600b27c44b4e50f00f8af3927f17.zip | |
apparmor: update domain transitions that are subsets of confinement at nnp
Domain transition so far have been largely blocked by no new privs,
unless the transition has been provably a subset of the previous
confinement. There was a couple problems with the previous
implementations,
- transitions that weren't explicitly a stack but resulted in a subset
of confinement were disallowed
- confinement subsets were only calculated from the previous
confinement instead of the confinement being enforced at the time of
no new privs, so transitions would have to get progressively
tighter.
Fix this by detecting and storing a reference to the task's
confinement at the "time" no new privs is set. This reference is then
used to determine whether a transition is a subsystem of the
confinement at the time no new privs was set.
Unfortunately the implementation is less than ideal in that we have to
detect no new privs after the fact when a task attempts a domain
transition. This is adequate for the currently but will not work in a
stacking situation where no new privs could be conceivably be set in
both the "host" and in the container.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/task.c')
| -rw-r--r-- | security/apparmor/task.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/security/apparmor/task.c b/security/apparmor/task.c index 44b9b938e06d..c6b78a14da91 100644 --- a/security/apparmor/task.c +++ b/security/apparmor/task.c @@ -45,6 +45,7 @@ struct aa_label *aa_get_task_label(struct task_struct *task) int aa_replace_current_label(struct aa_label *label) { struct aa_label *old = aa_current_raw_label(); + struct aa_task_ctx *ctx = task_ctx(current); struct cred *new; AA_BUG(!label); @@ -59,6 +60,12 @@ int aa_replace_current_label(struct aa_label *label) if (!new) return -ENOMEM; + if (ctx->nnp && label_is_stale(ctx->nnp)) { + struct aa_label *tmp = ctx->nnp; + + ctx->nnp = aa_get_newest_label(tmp); + aa_put_label(tmp); + } if (unconfined(label) || (labels_ns(old) != labels_ns(label))) /* * if switching to unconfined or a different label namespace |
