apparmor: domain: clean up duplicated parts of handle_onexec()

Regression test of AppArmor finished without any failures. PASSED: aa_exec access attach_disconnected at_secure introspect capabilities changeprofile onexec changehat changehat_fork changehat_misc chdir clone coredump deleted e2e environ exec exec_qual fchdir fd_inheritance fork i18n link link_subset mkdir mmap mount mult_mount named_pipe namespaces net_raw open openat pipe pivot_root posix_ipc ptrace pwrite query_label regex rename readdir rw socketpair swap sd_flags setattr symlink syscall sysv_ipc tcp unix_fd_server unix_socket_pathname unix_socket_abstract unix_socket_unnamed unix_socket_autobind unlink userns xattrs xattrs_profile longpath nfs exec_stack aa_policy_cache nnp stackonexec stackprofile FAILED: make: Leaving directory '/apparmor/tests/regression/apparmor' Signed-off-by: Leesoo Ahn <lsahn@ooseel.net> Signed-off-by: John Johansen <john.johansen@canonical.com>
2024-12-28 16:53:49 +00:00 · 2024-07-09 12:07:51 +09:00 · 2024-07-09 12:07:51 +09:00 · ab6875fbb9
commit ab6875fbb9
parent c030937306
1 changed files with 12 additions and 26 deletions
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@ -826,33 +826,19 @@ static struct aa_label *handle_onexec(const struct cred *subj_cred,
 	AA_BUG(!bprm);
 	AA_BUG(!buffer);

-	if (!stack) {
-		error = fn_for_each_in_ns(label, profile,
-				profile_onexec(subj_cred, profile, onexec, stack,
-					       bprm, buffer, cond, unsafe));
-		if (error)
-			return ERR_PTR(error);
-		new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
-				aa_get_newest_label(onexec),
-				profile_transition(subj_cred, profile, bprm,
-						   buffer,
-						   cond, unsafe));
-
-	} else {
-		/* TODO: determine how much we want to loosen this */
-		error = fn_for_each_in_ns(label, profile,
-				profile_onexec(subj_cred, profile, onexec, stack, bprm,
-					       buffer, cond, unsafe));
-		if (error)
-			return ERR_PTR(error);
-		new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
-				aa_label_merge(&profile->label, onexec,
-					       GFP_KERNEL),
-				profile_transition(subj_cred, profile, bprm,
-						   buffer,
-						   cond, unsafe));
-	}
+	/* TODO: determine how much we want to loosen this */
+	error = fn_for_each_in_ns(label, profile,
+			profile_onexec(subj_cred, profile, onexec, stack,
+				       bprm, buffer, cond, unsafe));
+	if (error)
+		return ERR_PTR(error);

+	new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
+			stack ? aa_label_merge(&profile->label, onexec,
+					       GFP_KERNEL)
+			      : aa_get_newest_label(onexec),
+			profile_transition(subj_cred, profile, bprm,
+					   buffer, cond, unsafe));
 	if (new)
 		return new;