提交 9cfd403a 编写于 作者: L Linus Torvalds

Merge tag 'apparmor-pr-2018-01-07' of...

Merge tag 'apparmor-pr-2018-01-07' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor fix from John Johansen:
 "This fixes a regression when the kernel feature set is reported as
  supporting mount and policy is pinned to a feature set that does not
  support mount mediation"

* tag 'apparmor-pr-2018-01-07' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: fix regression in mount mediation when feature set is pinned
...@@ -329,6 +329,9 @@ static int match_mnt_path_str(struct aa_profile *profile, ...@@ -329,6 +329,9 @@ static int match_mnt_path_str(struct aa_profile *profile,
AA_BUG(!mntpath); AA_BUG(!mntpath);
AA_BUG(!buffer); AA_BUG(!buffer);
if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
return 0;
error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer, error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer,
&mntpnt, &info, profile->disconnected); &mntpnt, &info, profile->disconnected);
if (error) if (error)
...@@ -380,6 +383,9 @@ static int match_mnt(struct aa_profile *profile, const struct path *path, ...@@ -380,6 +383,9 @@ static int match_mnt(struct aa_profile *profile, const struct path *path,
AA_BUG(!profile); AA_BUG(!profile);
AA_BUG(devpath && !devbuffer); AA_BUG(devpath && !devbuffer);
if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
return 0;
if (devpath) { if (devpath) {
error = aa_path_name(devpath, path_flags(profile, devpath), error = aa_path_name(devpath, path_flags(profile, devpath),
devbuffer, &devname, &info, devbuffer, &devname, &info,
...@@ -558,6 +564,9 @@ static int profile_umount(struct aa_profile *profile, struct path *path, ...@@ -558,6 +564,9 @@ static int profile_umount(struct aa_profile *profile, struct path *path,
AA_BUG(!profile); AA_BUG(!profile);
AA_BUG(!path); AA_BUG(!path);
if (!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
return 0;
error = aa_path_name(path, path_flags(profile, path), buffer, &name, error = aa_path_name(path, path_flags(profile, path), buffer, &name,
&info, profile->disconnected); &info, profile->disconnected);
if (error) if (error)
...@@ -613,7 +622,8 @@ static struct aa_label *build_pivotroot(struct aa_profile *profile, ...@@ -613,7 +622,8 @@ static struct aa_label *build_pivotroot(struct aa_profile *profile,
AA_BUG(!new_path); AA_BUG(!new_path);
AA_BUG(!old_path); AA_BUG(!old_path);
if (profile_unconfined(profile)) if (profile_unconfined(profile) ||
!PROFILE_MEDIATES(profile, AA_CLASS_MOUNT))
return aa_get_newest_label(&profile->label); return aa_get_newest_label(&profile->label);
error = aa_path_name(old_path, path_flags(profile, old_path), error = aa_path_name(old_path, path_flags(profile, old_path),
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册