security: smack: Fix possible null-pointer dereferences in smack_socket_sock_rcv_skb()
[mirror_ubuntu-bionic-kernel.git] / security / apparmor / domain.c
index 04ba9d0718ea590b7c5033cfc4b952c701acb54d..76cebad829fadf5a4c30bd9167a950cfcd8052ad 100644 (file)
@@ -330,10 +330,7 @@ static struct aa_profile *__attach_match(const char *name,
                        continue;
 
                if (profile->xmatch) {
-                       if (profile->xmatch_len == len) {
-                               conflict = true;
-                               continue;
-                       } else if (profile->xmatch_len > len) {
+                       if (profile->xmatch_len >= len) {
                                unsigned int state;
                                u32 perm;
 
@@ -342,6 +339,10 @@ static struct aa_profile *__attach_match(const char *name,
                                perm = dfa_user_allow(profile->xmatch, state);
                                /* any accepting state means a valid match. */
                                if (perm & MAY_EXEC) {
+                                       if (profile->xmatch_len == len) {
+                                               conflict = true;
+                                               continue;
+                                       }
                                        candidate = profile;
                                        len = profile->xmatch_len;
                                        conflict = false;
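Review bot: The relocated test `if (profile->xmatch_len == len)` has no comment explaining why it now sits inside the `perm & MAY_EXEC` branch, yet that placement is the substance of the change: only a profile whose xmatch accepts the name should count as a conflict. I would add above it `/* equal-length tie between two matching profiles: flag it, keep the earlier candidate */`. The tie path does `continue` without touching `candidate`, so an ambiguous attachment is rejected only if the code after the loop tests `conflict`. That code and the initial value of `len` are outside the hunk, so it is worth confirming that a tie cannot fall through to attaching the first-seen profile.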
@@ -591,22 +592,6 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
        if (!new)
                goto audit;
 
-       /* Policy has specified a domain transitions. if no_new_privs and
-        * confined and not transitioning to the current domain fail.
-        *
-        * NOTE: Domain transitions from unconfined and to stritly stacked
-        * subsets are allowed even when no_new_privs is set because this
-        * aways results in a further reduction of permissions.
-        */
-       if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) &&
-           !profile_unconfined(profile) &&
-           !aa_label_is_subset(new, &profile->label)) {
-               error = -EPERM;
-               info = "no new privs";
-               nonewprivs = true;
-               perms.allow &= ~MAY_EXEC;
-               goto audit;
-       }
 
        if (!(perms.xindex & AA_X_UNSAFE)) {
                if (DEBUG_ON) {
@@ -683,21 +668,6 @@ static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
                perms.allow &= ~AA_MAY_ONEXEC;
                goto audit;
        }
-       /* Policy has specified a domain transitions. if no_new_privs and
-        * confined and not transitioning to the current domain fail.
-        *
-        * NOTE: Domain transitions from unconfined and to stritly stacked
-        * subsets are allowed even when no_new_privs is set because this
-        * aways results in a further reduction of permissions.
-        */
-       if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) &&
-           !profile_unconfined(profile) &&
-           !aa_label_is_subset(onexec, &profile->label)) {
-               error = -EPERM;
-               info = "no new privs";
-               perms.allow &= ~AA_MAY_ONEXEC;
-               goto audit;
-       }
 
        if (!(perms.xindex & AA_X_UNSAFE)) {
                if (DEBUG_ON) {
@@ -818,7 +788,20 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
                goto done;
        }
 
-       /* TODO: Add ns level no_new_privs subset test */
+       /* Policy has specified a domain transitions. If no_new_privs and
+        * confined ensure the transition is to confinement that is subset
+        * of the confinement when the task entered no new privs.
+        *
+        * NOTE: Domain transitions from unconfined and to stacked
+        * subsets are allowed even when no_new_privs is set because this
+        * aways results in a further reduction of permissions.
+        */
+       if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) &&
+           !unconfined(label) && !aa_label_is_subset(new, label)) {
+               error = -EPERM;
+               info = "no new privs";
+               goto audit;
+       }
 
        if (bprm->unsafe & LSM_UNSAFE_SHARE) {
                /* FIXME: currently don't mediate shared state */
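Review bot: The new comment says the transition must be a subset of "the confinement when the task entered no new privs", but the test is `aa_label_is_subset(new, label)`, and nothing in the hunk shows `label` being a label saved at that time. It is declared outside the hunk and looks like the task's current label. If so, reword the comment to `... ensure the transition is to confinement that is a subset of the task's current confinement` and fix `aways` to `always`, so readers do not assume a different no_new_privs guarantee than the code enforces. Separately, the removed per-profile checks cleared `MAY_EXEC` / `AA_MAY_ONEXEC` from `perms.allow` before `goto audit`, while this path sets only `error` and `info`. The `audit:` label is outside the hunk, so please confirm the denial is still recorded there as a denied exec.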
@@ -1292,7 +1275,10 @@ check:
                                        aa_get_label(&profile->label));
                if (IS_ERR_OR_NULL(new)) {
                        info = "failed to build target label";
-                       error = PTR_ERR(new);
+                       if (!new)
+                               error = -ENOMEM;
+                       else
+                               error = PTR_ERR(new);
                        new = NULL;
                        perms.allow = 0;
                        goto audit;
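Review bot: Mapping a NULL `new` to `-ENOMEM` assumes the label builder returns NULL only on allocation failure, and nothing in the hunk shows that. A one-line comment such as `/* NULL from the label build means allocation failure */` would record the assumption next to the check. The four-line if/else could also be written as `error = new ? PTR_ERR(new) : -ENOMEM;`. The enclosing block starts and ends outside the hunk.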