UBUNTU: SAUCE: apparmor: fix cross ns perm of unix domain sockets
authorJohn Johansen <john.johansen@canonical.com>
Sat, 12 Nov 2016 00:05:57 +0000 (16:05 -0800)
committerTim Gardner <tim.gardner@canonical.com>
Mon, 20 Feb 2017 03:57:58 +0000 (20:57 -0700)
When using nested namespaces, policy within the nested namespace is trying
to cross validate with policy outside of the namespace that is not
visible to it. This results in the access being denied, with no way to
add a rule to policy that would allow it.

The check should only be done against policy that is visible.

BugLink: http://bugs.launchpad.net/bugs/1660832
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
security/apparmor/af_unix.c

index 8178498f0a2fb1bb91589cb7a8ca950a5616a68d..757df1ade9a099a6f81945c1004c70eff87a3e3e 100644 (file)
@@ -515,7 +515,7 @@ static int profile_peer_perm(struct aa_profile *profile, const char *op, u32 req
                                      addr, len, &aad(sa)->info);
                if (!peer_label)
                        peer_label = peer_ctx->label;
-               return fn_for_each(peer_label, peerp,
+               return fn_for_each_in_ns(peer_label, peerp,
                                   match_label(profile, peerp, state, request,
                                               sa));
        }
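Review bot: With the switch to `fn_for_each_in_ns` at the `return` in profile_peer_perm, a peer label that holds no profile visible from the checking namespace would presumably invoke `match_label` zero times, and the hunk does not show what the macro yields in that case. If the result is 0, the peer side of the check passes without any policy being consulted, so it is worth confirming that this is the intended outcome and that the peer is still mediated by the policy of its own namespace. A short comment above the return would record the reasoning, e.g. `/* cross-check only peer profiles visible in this ns; rules here cannot name policy outside it */`. The function starts and ends outside the hunk and the macro definition is not visible here, so the zero-iteration behaviour is inferred rather than read from the code.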