Commit 0421ea91 authored by John Johansen's avatar John Johansen Committed by James Morris

apparmor: Fix change_onexec when called from a confined task

Fix failure in aa_change_onexec api when the request is made from a confined
task.  This failure was caused by two problems

 The AA_MAY_ONEXEC perm was not being mapped correctly for this case.

 The executable name was being checked as second time instead of using the
 requested onexec profile name, which may not be the same as the exec
 profile name. This mistake can not be exploited to grant extra permission
 because of the above flaw where the ONEXEC permission was not being mapped
 so it will not be granted.

BugLink: http://bugs.launchpad.net/bugs/963756Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
parent e22057c8
...@@ -410,7 +410,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) ...@@ -410,7 +410,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
* exec\0change_profile * exec\0change_profile
*/ */
state = aa_dfa_null_transition(profile->file.dfa, state); state = aa_dfa_null_transition(profile->file.dfa, state);
cp = change_profile_perms(profile, cxt->onexec->ns, name, cp = change_profile_perms(profile, cxt->onexec->ns,
cxt->onexec->base.name,
AA_MAY_ONEXEC, state); AA_MAY_ONEXEC, state);
if (!(cp.allow & AA_MAY_ONEXEC)) if (!(cp.allow & AA_MAY_ONEXEC))
......
...@@ -215,6 +215,8 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state, ...@@ -215,6 +215,8 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
/* change_profile wasn't determined by ownership in old mapping */ /* change_profile wasn't determined by ownership in old mapping */
if (ACCEPT_TABLE(dfa)[state] & 0x80000000) if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
perms.allow |= AA_MAY_CHANGE_PROFILE; perms.allow |= AA_MAY_CHANGE_PROFILE;
if (ACCEPT_TABLE(dfa)[state] & 0x40000000)
perms.allow |= AA_MAY_ONEXEC;
return perms; return perms;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment