UBUNTU: SAUCE: apparmor: Fix new to old label comparison for domain transitions
authorJohn Johansen <john.johansen@canonical.com>
Tue, 23 Aug 2016 09:05:43 +0000 (02:05 -0700)
committerKamal Mostafa <kamal@canonical.com>
Tue, 23 Aug 2016 16:48:23 +0000 (09:48 -0700)
For the purposes of inherit we should be treating a profile/label transition
to its replacement as if the replacement is the profile/label.

So make the comparison based off of the label proxy, not the label itself.

BugLink: http://bugs.launchpad.net/bugs/1615880
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
security/apparmor/domain.c

index 0b1d361c47a59e7707ebf72b5f8c7425fac41468..536655ce5846e987db5ba9776d88ca51cc02b77d 100644 (file)
@@ -517,7 +517,7 @@ static struct aa_label *profile_transition(struct aa_profile *profile,
        if (perms.allow & MAY_EXEC) {
                /* exec permission determine how to transition */
                new = x_to_label(profile, name, perms.xindex, &target, &info);
-               if (new == &profile->label && info) {
+               if (new && new->proxy == profile->label.proxy && info) {
                        /* hack ix fallback - improve how this is detected */
                        goto audit;
                } else if (!new) {
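Review bot: The comment under the new condition in profile_transition still says only "hack ix fallback" and does not explain why the test now compares proxies instead of label pointers, which is the part a later reader needs in order to reason about inherit. I would extend it to something like `/* ix fallback: new is this profile's label or its replacement (shared proxy) */`. The added `new &&` guard is needed now that `new` is dereferenced, and the `else if (!new)` branch below still handles the NULL case. The body of profile_transition starts and continues outside this hunk, so the return contract of x_to_label could not be checked from here.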
@@ -759,7 +759,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
                bprm->unsafe |= AA_SECURE_X_NEEDED;
        }
 
-       if (label != new) {
+       if (label->proxy != new->proxy) {
                /* when transitioning clear unsafe personality bits */
                if (DEBUG_ON) {
                        dbg_printk("apparmor: clearing unsafe personality "
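Review bot: `new->proxy` is dereferenced in apparmor_bprm_set_creds without the `new &&` guard that this same commit adds in profile_transition. The old `label != new` test was harmless for a NULL or error-pointer value, but the new one is not. The checks that would rule those values out are not visible in this hunk, since the function starts well above it, so please confirm that every path reaching this line has already rejected them. If any path has not, an earlier exit or `if (!IS_ERR_OR_NULL(new) && label->proxy != new->proxy)` would be needed. Because this branch decides whether unsafe personality bits are cleared on exec, a short comment such as `/* a label and its replacement share a proxy: not a transition */` would make the intent explicit.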