apparmor: use common fn to clear task_context for domain transitions

Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <sbeattie@ubuntu.com>

apparmor: use common fn to clear task_context for domain transitions
Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <sbeattie@ubuntu.com>
7a2871b5 · John Johansen · 0ca554b9 · 7a2871b5 · 7a2871b5 · 7a2871b5
Commit 7a2871b5 authored Feb 18, 2013 by John Johansen
Showing with 20 additions and 16 deletions

security/apparmor/context.c security/apparmor/context.c +6 -11

security/apparmor/domain.c security/apparmor/domain.c +1 -5

security/apparmor/include/context.h security/apparmor/include/context.h +13 -0

No files found.
--- a/security/apparmor/context.c
+++ b/security/apparmor/context.c
@@ -105,16 +105,12 @@ int aa_replace_current_profile(struct aa_profile *profile)
 		return -ENOMEM;
 	cxt = new->security;
-	if (unconfined(profile) || (cxt->profile->ns != profile->ns)) {
+	if (unconfined(profile) || (cxt->profile->ns != profile->ns))
 		/* if switching to unconfined or a different profile namespace
 		 * clear out context state
 		 */
-		aa_put_profile(cxt->previous);
+		aa_clear_task_cxt_trans(cxt);
-		aa_put_profile(cxt->onexec);
-		cxt->previous = NULL;
-		cxt->onexec = NULL;
-		cxt->token = 0;
-	}
 	/* be careful switching cxt->profile, when racing replacement it
 	 * is possible that cxt->profile->replacedby is the reference keeping
 	 * @profile valid, so make sure to get its reference before dropping
@@ -222,11 +218,10 @@ int aa_restore_previous_profile(u64 token)
 		aa_get_profile(cxt->profile);
 		aa_put_profile(cxt->previous);
 	}
-	/* clear exec && prev information when restoring to previous context */
+	/* ref has been transfered so avoid putting ref in clear_task_cxt */
 	cxt->previous = NULL;
-	cxt->token = 0;
+	/* clear exec && prev information when restoring to previous context */
-	aa_put_profile(cxt->onexec);
+	aa_clear_task_cxt_trans(cxt);
-	cxt->onexec = NULL;
 	commit_creds(new);
 	return 0;

--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -512,11 +512,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 	cxt->profile = new_profile;
 	/* clear out all temporary/transitional state from the context */
-	aa_put_profile(cxt->previous);
+	aa_clear_task_cxt_trans(cxt);
-	aa_put_profile(cxt->onexec);
-	cxt->previous = NULL;
-	cxt->onexec = NULL;
-	cxt->token = 0;
 audit:
 	error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC,

--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -160,4 +160,17 @@ static inline struct aa_profile *aa_current_profile(void)
 	return profile;
 }
+/**
+ * aa_clear_task_cxt_trans - clear transition tracking info from the cxt
+ * @cxt: task context to clear (NOT NULL)
+ */
+static inline void aa_clear_task_cxt_trans(struct aa_task_cxt *cxt)
+{
+	aa_put_profile(cxt->previous);
+	aa_put_profile(cxt->onexec);
+	cxt->previous = NULL;
+	cxt->onexec = NULL;
+	cxt->token = 0;
+}
 #endif /* __AA_CONTEXT_H */