Commit 4afc6170 authored by Cengiz Can, committed by John Johansen

apparmor: use target task's context in apparmor_getprocattr()
apparmor_getprocattr() incorrectly calls task_ctx(current) instead of
task_ctx(task) when retrieving prev and exec attributes, returning the
caller's labels rather than the target's.

Fix by passing task to task_ctx().

The issue can be reproduced when a process with an onexec transition
(e.g., configured by a container runtime) is inspected via
/proc/<pid>/attr/apparmor/exec. The reader's own value is returned
instead of the target's.

Reported-by: Qualys Security Advisory <qsa@qualys.com>
Fixes: 3b529a76 ("apparmor: move task domain change info to task security")
Cc: stable@vger.kernel.org
Co-developed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Cengiz Can <cengiz.can@canonical.com>
Co-developed-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
parent 6de23f81
+7 −9
@@ -822,25 +822,23 @@ static int apparmor_getprocattr(struct task_struct *task, const char *name,
				char **value)
{
	int error = -ENOENT;
	/* released below */
	const struct cred *cred = get_task_cred(task);
	struct aa_task_ctx *ctx = task_ctx(current);
	struct aa_label *label = NULL;

	rcu_read_lock();
	if (strcmp(name, "current") == 0)
		label = aa_get_newest_label(cred_label(cred));
	else if (strcmp(name, "prev") == 0  && ctx->previous)
		label = aa_get_newest_label(ctx->previous);
	else if (strcmp(name, "exec") == 0 && ctx->onexec)
		label = aa_get_newest_label(ctx->onexec);
		label = aa_get_newest_cred_label(__task_cred(task));
	else if (strcmp(name, "prev") == 0  && task_ctx(task)->previous)
		label = aa_get_newest_label(task_ctx(task)->previous);
	else if (strcmp(name, "exec") == 0 && task_ctx(task)->onexec)
		label = aa_get_newest_label(task_ctx(task)->onexec);
	else
		error = -EINVAL;
	rcu_read_unlock();

	if (label)
		error = aa_getprocattr(label, value, true);

	aa_put_label(label);
	put_cred(cred);

	return error;
}
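Review bot: the commit message describes only the task_ctx(current) to task_ctx(task) change, but this hunk also replaces the get_task_cred(task)/put_cred(cred) pair (and the "released below" comment) with aa_get_newest_cred_label(__task_cred(task)) taken inside the rcu_read_lock()/rcu_read_unlock() section; that change in how the cred reference is held deserves a sentence in the message, e.g. "Also drop the separate cred reference, since the label is now taken under RCU via __task_cred()." It would also help to state why reading task_ctx(task)->previous and task_ctx(task)->onexec for another task is safe against that task updating its own context concurrently, since the function holds only rcu_read_lock() at that point.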