From: Miklos Szeredi <mszeredi@suse.cz>
Subject: apparmor: fix open after profile replacement
Patch-mainline: not yet
References: bnc#885599
Don't use obsolete profile in apparmor_file_open().
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
---
security/apparmor/lsm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -376,6 +376,7 @@ static int apparmor_inode_getattr(struct
static int apparmor_file_open(struct file *file, const struct cred *cred)
{
+ const struct aa_task_cxt *cxt = cred_cxt(cred);
struct aa_file_cxt *fcxt = file->f_security;
struct aa_profile *profile;
int error = 0;
@@ -393,7 +394,7 @@ static int apparmor_file_open(struct fil
return 0;
}
- profile = aa_cred_profile(cred);
+ profile = aa_get_newest_profile(cxt->profile);
if (!unconfined(profile)) {
struct inode *inode = file_inode(file);
struct path_cond cond = { inode->i_uid, inode->i_mode };
@@ -403,6 +404,7 @@ static int apparmor_file_open(struct fil
/* todo cache full allowed permissions set and state */
fcxt->allow = aa_map_file_to_perms(file);
}
+ aa_put_profile(profile);
return error;
}