apparmor: fix setprocattr arg processing for onexec
authorJohn Johansen <john.johansen@canonical.com>
Wed, 27 Feb 2013 11:44:40 +0000 (03:44 -0800)
committerJohn Johansen <john.johansen@canonical.com>
Sun, 28 Apr 2013 07:39:36 +0000 (00:39 -0700)
The exec file isn't processing its command arg. It should only be
responding to a command of exec.

Also cleanup setprocattr some more while we are at it.

Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/lsm.c

index 2027fdf2060b448fa41b28bf7543a55c33a0329e..2e2a0dd4a73f1234425ded75027baea3b1e0b03e 100644 (file)
@@ -529,6 +529,8 @@ static int apparmor_getprocattr(struct task_struct *task, char *name,
 static int apparmor_setprocattr(struct task_struct *task, char *name,
                                void *value, size_t size)
 {
+       struct common_audit_data sa;
+       struct apparmor_audit_data aad = {0,};
        char *command, *args = value;
        size_t arg_size;
        int error;
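Review bot: `sa` is hoisted to function scope without an initializer, while `aad` next to it is zeroed with `{0,}`. The `fail:` path in the following hunk fills in only `sa.type` and `sa.aad` before passing `&sa` to `aa_audit_msg`, so every other field is whatever was on the kernel stack. With `LSM_AUDIT_DATA_NONE` those fields are presumably never read, but initializing at the declaration, `struct common_audit_data sa = { .type = LSM_AUDIT_DATA_NONE };`, removes the dependency on how the audit code treats that type. The body of apparmor_setprocattr continues outside this hunk.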
@@ -572,28 +574,31 @@ static int apparmor_setprocattr(struct task_struct *task, char *name,
                } else if (strcmp(command, "permprofile") == 0) {
                        error = aa_setprocattr_changeprofile(args, !AA_ONEXEC,
                                                             AA_DO_TEST);
-               } else {
-                       struct common_audit_data sa;
-                       struct apparmor_audit_data aad = {0,};
-                       sa.type = LSM_AUDIT_DATA_NONE;
-                       sa.aad = &aad;
-                       aad.op = OP_SETPROCATTR;
-                       aad.info = name;
-                       aad.error = -EINVAL;
-                       return aa_audit(AUDIT_APPARMOR_DENIED,
-                                       __aa_current_profile(), GFP_KERNEL,
-                                       &sa, NULL);
-               }
+               } else
+                       goto fail;
        } else if (strcmp(name, "exec") == 0) {
-               error = aa_setprocattr_changeprofile(args, AA_ONEXEC,
-                                                    !AA_DO_TEST);
-       } else {
+               if (strcmp(command, "exec") == 0)
+                       error = aa_setprocattr_changeprofile(args, AA_ONEXEC,
+                                                            !AA_DO_TEST);
+               else
+                       goto fail;
+       } else
                /* only support the "current" and "exec" process attributes */
                return -EINVAL;
-       }
+
        if (!error)
                error = size;
        return error;
+
+fail:
+       sa.type = LSM_AUDIT_DATA_NONE;
+       sa.aad = &aad;
+       aad.profile = aa_current_profile();
+       aad.op = OP_SETPROCATTR;
+       aad.info = name;
+       aad.error = -EINVAL;
+       aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
+       return -EINVAL;
 }
 
 static int apparmor_task_setrlimit(struct task_struct *task,
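Review bot: The new `fail:` path calls `aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL)` and returns a fixed `-EINVAL`, where the removed branch returned the result of `aa_audit(...)`; the commit message does not mention this switch. If `aa_audit` applies any profile-mode handling that `aa_audit_msg` skips (not visible here), that handling no longer runs for a rejected command, so the intent should be recorded, e.g. `/* bad command: always audit as denied and return -EINVAL, independent of profile mode */` above `fail:`. The record also carries only `aad.info = name`, the attribute file name, so a reader of the audit log cannot tell which command was rejected. On style, `} else` followed by an unbraced `goto fail;` after braced branches, and the unbraced final `else` with a comment before `return -EINVAL;`, are easy to misread; bracing them as `} else {` / `goto fail;` / `}` keeps the chain uniform.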