@@ -621,8 +621,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
/* released below */
cred = get_current_cred();
cxt = cred_cxt(cred);
- profile = aa_cred_profile(cred);
- previous_profile = cxt->previous;
+ profile = aa_get_newest_profile(aa_cred_profile(cred));
+ previous_profile = aa_get_newest_profile(cxt->previous);
if (unconfined(profile)) {
info = "unconfined";
@@ -718,6 +718,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
out:
aa_put_profile(hat);
kfree(name);
+ aa_put_profile(profile);
+ aa_put_profile(previous_profile);
put_cred(cred);
return error;
Hi James, This is a fix for a policy replacement bug that is fairly serious for apache mod_apparmor users, as it results in the wrong policy being applied on an network facing service. can you please pull and pushup for 4.9 It has been rebased against current 4.9, you can either grab the patch included below or do a pull from The following changes since commit 623898671c8eb05639e746e6d84cffa281616438: Merge branch 'for-linus' of git://git.kernel.dk/linux-block (2016-11-17 13:59:39 -0800) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor fix-change_hat for you to fetch changes up to 4bc60a7f780acb6eb5b71360ab04e29ecd282bda: apparmor: fix change_hat not finding hat after policy replacement (2016-11-18 07:07:10 -0800) ---------------------------------------------------------------- John Johansen (1): apparmor: fix change_hat not finding hat after policy replacement security/apparmor/domain.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- From 4bc60a7f780acb6eb5b71360ab04e29ecd282bda Mon Sep 17 00:00:00 2001 From: John Johansen <john.johansen@canonical.com> Date: Wed, 31 Aug 2016 21:10:06 -0700 Subject: [PATCH] apparmor: fix change_hat not finding hat after policy replacement After a policy replacement, the task cred may be out of date and need to be updated. However change_hat is using the stale profiles from the out of date cred resulting in either: a stale profile being applied or, incorrect failure when searching for a hat profile as it has been migrated to the new parent profile. Fixes: 01e2b670aa898a39259bc85c78e3d74820f4d3b6 (failure to find hat) Fixes: 898127c34ec03291c86f4ff3856d79e9e18952bc (stale policy being applied) Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1000287 Cc: stable@vger.kernel.org Signed-off-by: John Johansen <john.johansen@canonical.com> --- security/apparmor/domain.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)