authorLinus Torvalds <torvalds@linux-foundation.org>2012-03-28 14:26:19 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2012-03-28 14:26:19 -0700
commit683c5e853ebe2d1ac72128f1828421de7fc3a23c (patch)
tree5efaa76d16915feea9241966a90ab93fa4d71397
parentf0f3680e50352c57b6cfc5b0d44d63bb0aa20f80 (diff)
parent0421ea91ddc7895a5a68d3bc670ed4b8e6448a42 (diff)
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull an Apparmor bugfix from James Morris. * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: apparmor: Fix change_onexec when called from a confined task
-rw-r--r--security/apparmor/domain.c3
-rw-r--r--security/apparmor/file.c2
2 files changed, 4 insertions, 1 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 7c69599a69e..6327685c101 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -410,7 +410,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
* exec\0change_profile
*/
state = aa_dfa_null_transition(profile->file.dfa, state);
- cp = change_profile_perms(profile, cxt->onexec->ns, name,
+ cp = change_profile_perms(profile, cxt->onexec->ns,
+ cxt->onexec->base.name,
AA_MAY_ONEXEC, state);
if (!(cp.allow & AA_MAY_ONEXEC))
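Review bot: The comment above this call explains the exec\0change_profile pairing but not which name is matched, and that is exactly what this fix changes: the permission lookup now uses `cxt->onexec->base.name` instead of `name`. A one-line comment at the call, such as `/* match against the onexec target profile's name, not the name resolved for this exec */`, would keep the argument from being changed back in a later cleanup. What `name` holds is not visible in this hunk, so that wording should be checked against the rest of apparmor_bprm_set_creds, which begins and ends outside the hunk; the guard that `cxt->onexec` is non-NULL is presumably there as well.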
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index 3022c0f4f0d..5d176f2530c 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -215,6 +215,8 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
/* change_profile wasn't determined by ownership in old mapping */
if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
perms.allow |= AA_MAY_CHANGE_PROFILE;
+ if (ACCEPT_TABLE(dfa)[state] & 0x40000000)
+ perms.allow |= AA_MAY_ONEXEC;
return perms;
}
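Review bot: The new test in compute_perms adds a second bare mask, `0x40000000`, next to the existing `0x80000000`, and the only comment above the pair talks about change_profile. Because these accept-table bits decide whether AA_MAY_CHANGE_PROFILE and AA_MAY_ONEXEC are granted, named constants would make the policy encoding easier to audit, for example `if (ACCEPT_TABLE(dfa)[state] & ACCEPT_ONEXEC_BIT)` with the macro defined beside the other accept-table definitions (the name is only a suggestion). A short comment above the new test, `/* onexec is likewise carried as a flag bit in the accept entry */`, would also help, and it is worth confirming that no already-compiled policy sets that bit with a different meaning. compute_perms starts outside this hunk.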