authorJohn Johansen <john.johansen@canonical.com>2017-06-04 12:22:22 -0700
committerJohn Johansen <john.johansen@canonical.com>2017-06-10 17:11:32 -0700
commit60285eb3e7c8827e00e2f2b54561a8cca07d802f (patch)
tree3f4ea89339e63e1a522e0d6d814f64348e555e5e /security/apparmor/apparmorfs.c
parent3664268f19ea07bec55df92fe53ff9ed28968bcc (diff)
apparmor: fix policy load/remove semantics
The namespace being passed into the replace/remove profiles fns() is not the view, but the namespace specified by the inode from the file hook (if present) or the loading tasks ns, if accessing the top level virtualized load/replace file interface. Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security/apparmor/apparmorfs.c')
-rw-r--r--security/apparmor/apparmorfs.c6
1 files changed, 2 insertions, 4 deletions
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 105a1da57b8f..4f4cd98d2b3b 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -418,8 +418,7 @@ static ssize_t policy_update(u32 mask, const char __user *buf, size_t size,
data = aa_simple_write_to_buffer(buf, size, size, pos);
error = PTR_ERR(data);
if (!IS_ERR(data)) {
- error = aa_replace_profiles(ns ? ns : profile->ns, profile,
- mask, data);
+ error = aa_replace_profiles(ns, profile, mask, data);
aa_put_loaddata(data);
}
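Review bot: With the `ns ? ns : profile->ns` fallback removed, `aa_replace_profiles()` in this hunk and `aa_remove_profiles()` in the profile_remove hunk receive `ns` exactly as the caller supplied it, which could be NULL when no namespace came from the inode. The diff shown is limited to apparmorfs.c, so whether the callees resolve a NULL `ns` themselves is not visible here. This argument selects which namespace's policy gets replaced or removed, so the contract is worth stating at both calls. If that is the intent, a comment such as `/* ns may be NULL; the callee resolves the policy namespace */` would do. Both policy_update and profile_remove begin and end outside their hunks, so how `ns` is obtained cannot be checked from this page.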
@@ -486,8 +485,7 @@ static ssize_t profile_remove(struct file *f, const char __user *buf,
error = PTR_ERR(data);
if (!IS_ERR(data)) {
data->data[size] = 0;
- error = aa_remove_profiles(ns ? ns : profile->ns, profile,
- data->data, size);
+ error = aa_remove_profiles(ns, profile, data->data, size);
aa_put_loaddata(data);
}
out: