diff options
author | Kees Cook <keescook@chromium.org> | 2014-05-21 15:23:46 -0700 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2017-10-12 15:28:22 +0100 |
commit | 5f3333219189a3fe4bbbd2d67e636ed1bb74d243 (patch) | |
tree | e4078c65d51b66763aaaee24b3b9b14cb80771ca /security | |
parent | 9e839401a65a30d15cbe9a1255640cd5ce2b548d (diff) |
sched: move no_new_privs into new atomic flags
commit 1d4457f99928a968767f6405b4a1f50845aa15fd upstream.
Since seccomp transitions between threads requires updates to the
no_new_privs flag to be atomic, the flag must be part of an atomic flag
set. This moves the nnp flag into a separate task field, and introduces
accessors.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'security')
-rw-r--r-- | security/apparmor/domain.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index c0ee04da93e6..24a21cd72b4c 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -621,7 +621,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest) * There is no exception for unconfined as change_hat is not * available. */ - if (current->no_new_privs) + if (task_no_new_privs(current)) return -EPERM; /* released below */ @@ -778,7 +778,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, * no_new_privs is set because this aways results in a reduction * of permissions. */ - if (current->no_new_privs && !unconfined(profile)) { + if (task_no_new_privs(current) && !unconfined(profile)) { put_cred(cred); return -EPERM; } |