git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commit

author	John Johansen <john.johansen@canonical.com>
	Sun, 11 Oct 2015 00:43:23 +0000 (17:43 -0700)
committer	Tim Gardner <tim.gardner@canonical.com>
	Wed, 6 Apr 2016 09:21:36 +0000 (10:21 +0100)
commit	7e329b652634680e2e05770959acbb39e90c34ab
tree	f402cf23f352ec45e358745a13b6084309a797a1	tree
parent	b9ccf02fa04509bd8a7c2d8ff93797a3812d3052	commit \| diff

UBUNTU: SAUCE: apparmor Fix: refcount bug in pivotroot mediation

pivotroot medition may change the tasks current cred if the a transition
rule is defined. However aa_begin_current_label(), and
aa_end_current_label() define a critical section block where the tasks
cred label are not allowed to be updated. Specifically they do not take
a refcount on the tasks cred, but will return a refcounted label IF
there is an updated version of the label that can not be immediately
updated. The aa_end_current_label() fn detects whether the label used
has a refcount to put by comparing the label to the task's cred label,
and if its different putting label.

When the task cred's label is changed within this critical section,
the cred update will put the creds label reference, and then the
aa_begin_current_label() fn will detect the difference in the cred
and working label and subsequentially do an extra put on the label.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

security/apparmor/include/context.h		diff \| blob \| blame \| history
security/apparmor/lsm.c		diff \| blob \| blame \| history