UBUNTU: SAUCE: apparmor: Fix label build for onexec stacking.

The label build for onexec when crossing a namespace boundry is not
quite correct. The label needs to be built per profile and not based
on the whole label because the onexec transition only applies to
profiles within the ns. Where merging against the label could include
profile that are transitioned via the profile_transition callback
and should not be in the final label.

BugLink: http://bugs.launchpad.net/bugs/1615881
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 814f8cdd310acfd6aab59d57a062e9b2e5122047..35ed7c2d093a924a219f4fb2b826db7ce98aed71 100644 (file)
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -644,7 +644,8 @@ static struct aa_label *handle_onexec(struct aa_label *label,
                if (error)
                        return ERR_PTR(error);
                new = fn_label_build_in_ns(label, profile, GFP_ATOMIC,
-                                          aa_label_merge(label, onexec,
+                                          aa_label_merge(&profile->label,
+                                                         onexec,
                                                          GFP_ATOMIC),
                                           profile_transition(profile, xname,
                                                              cond, unsafe));