Home Explore Help
Sign In
PUBLIC_REPOS
/
ti-processor-sdk-linux
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

apparmor: root view labels should not be under user control

The root view of the label parse should not be exposed to user
control.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
John Johansen 8 years ago
parent
71fa373b78
commit
475bdda1f0
1 changed files with 2 additions and 3 deletions
Unified View Show Diff Stats
  1. 2 3
      security/apparmor/label.c

+ 2 - 3
security/apparmor/label.c
View File 

@@ -1871,8 +1871,9 @@ struct aa_label *aa_label_strn_parse(struct aa_label *base, const char *str,
 
 	AA_BUG(!str);
 
 	AA_BUG(!str);
 
 
 
 	str = skipn_spaces(str, n);
 
 	str = skipn_spaces(str, n);
 
-	if (str == NULL)
 
+	if (str == NULL || (*str == '=' && base != &root_ns->unconfined->label))
 
 		return ERR_PTR(-EINVAL);
 
 		return ERR_PTR(-EINVAL);
 
+
 
 	len = label_count_strn_entries(str, end - str);
 
 	len = label_count_strn_entries(str, end - str);
 
 	if (*str == '&' || force_stack) {
 
 	if (*str == '&' || force_stack) {
 
 		/* stack on top of base */
 
 		/* stack on top of base */
 
@@ -1881,8 +1882,6 @@ struct aa_label *aa_label_strn_parse(struct aa_label *base, const char *str,
 
 		if (*str == '&')
 
 		if (*str == '&')
 
 			str++;
 
 			str++;
 
 	}
 
 	}
 
-	if (*str == '=')
 
-		base = &root_ns->unconfined->label;
 
 
 
 	error = vec_setup(profile, vec, len, gfp);
 
 	error = vec_setup(profile, vec, len, gfp);
 
 	if (error)
 
 	if (error)