aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2013-02-27 03:44:40 -0800
committerJohn Johansen <john.johansen@canonical.com>2013-04-28 00:39:36 -0700
commit3eea57c26e49a5add4c053a031cc2a1977b7c48e (patch)
treee55284fa1568c745daf04295dc0285373fe42a7b
parent214beacaa7b669473bc963af719fa359a8312ea4 (diff)
apparmor: fix setprocattr arg processing for onexec
the exec file isn't processing its command arg. It should only set be responding to a command of exec. Also cleanup setprocattr some more while we are at it. Signed-off-by: John Johansen <john.johansen@canonical.com>
-rw-r--r--security/apparmor/lsm.c37
1 files changed, 21 insertions, 16 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 2027fdf2060..2e2a0dd4a73 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -529,6 +529,8 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
static int apparmor_setprocattr(struct task_struct *task, char *name,
void *value, size_t size)
{
+ struct common_audit_data sa;
+ struct apparmor_audit_data aad = {0,};
char *command, *args = value;
size_t arg_size;
int error;
@@ -572,28 +574,31 @@ static int apparmor_setprocattr(struct task_struct *task, char *name,
} else if (strcmp(command, "permprofile") == 0) {
error = aa_setprocattr_changeprofile(args, !AA_ONEXEC,
AA_DO_TEST);
- } else {
- struct common_audit_data sa;
- struct apparmor_audit_data aad = {0,};
- sa.type = LSM_AUDIT_DATA_NONE;
- sa.aad = &aad;
- aad.op = OP_SETPROCATTR;
- aad.info = name;
- aad.error = -EINVAL;
- return aa_audit(AUDIT_APPARMOR_DENIED,
- __aa_current_profile(), GFP_KERNEL,
- &sa, NULL);
- }
+ } else
+ goto fail;
} else if (strcmp(name, "exec") == 0) {
- error = aa_setprocattr_changeprofile(args, AA_ONEXEC,
- !AA_DO_TEST);
- } else {
+ if (strcmp(command, "exec") == 0)
+ error = aa_setprocattr_changeprofile(args, AA_ONEXEC,
+ !AA_DO_TEST);
+ else
+ goto fail;
+ } else
/* only support the "current" and "exec" process attributes */
return -EINVAL;
- }
+
if (!error)
error = size;
return error;
+
+fail:
+ sa.type = LSM_AUDIT_DATA_NONE;
+ sa.aad = &aad;
+ aad.profile = aa_current_profile();
+ aad.op = OP_SETPROCATTR;
+ aad.info = name;
+ aad.error = -EINVAL;
+ aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
+ return -EINVAL;
}
static int apparmor_task_setrlimit(struct task_struct *task,