apparmor: use target task's context in apparmor_getprocattr()
authorCengiz Can <cengiz.can@canonical.com>
Tue, 10 Feb 2026 08:17:14 +0000 (11:17 +0300)
committerJohn Johansen <john.johansen@canonical.com>
Tue, 24 Feb 2026 04:57:46 +0000 (20:57 -0800)
apparmor_getprocattr() incorrectly calls task_ctx(current) instead of
task_ctx(task) when retrieving prev and exec attributes, returning the
caller's labels rather than the target's.

Fix by passing task to task_ctx().

The issue can be reproduced when a process with an onexec transition
(e.g., configured by a container runtime) is inspected via
/proc/<pid>/attr/apparmor/exec. The reader's own value is returned
instead of the target's.

Reported-by: Qualys Security Advisory <qsa@qualys.com>
Fixes: 3b529a7600d8 ("apparmor: move task domain change info to task security")
Cc: stable@vger.kernel.org
Co-developed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Cengiz Can <cengiz.can@canonical.com>
Co-developed-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/lsm.c

index c1d42fc72fdb4b6bed33aaf8965b9ae3eb2c8db7..d3af2d10fc22c505439e098e6109e0adec468eb6 100644 (file)
@@ -822,25 +822,23 @@ static int apparmor_getprocattr(struct task_struct *task, const char *name,
                                char **value)
 {
        int error = -ENOENT;
-       /* released below */
-       const struct cred *cred = get_task_cred(task);
-       struct aa_task_ctx *ctx = task_ctx(current);
        struct aa_label *label = NULL;
 
+       rcu_read_lock();
        if (strcmp(name, "current") == 0)
-               label = aa_get_newest_label(cred_label(cred));
-       else if (strcmp(name, "prev") == 0  && ctx->previous)
-               label = aa_get_newest_label(ctx->previous);
-       else if (strcmp(name, "exec") == 0 && ctx->onexec)
-               label = aa_get_newest_label(ctx->onexec);
+               label = aa_get_newest_cred_label(__task_cred(task));
+       else if (strcmp(name, "prev") == 0  && task_ctx(task)->previous)
+               label = aa_get_newest_label(task_ctx(task)->previous);
+       else if (strcmp(name, "exec") == 0 && task_ctx(task)->onexec)
+               label = aa_get_newest_label(task_ctx(task)->onexec);
        else
                error = -EINVAL;
+       rcu_read_unlock();
 
        if (label)
                error = aa_getprocattr(label, value, true);
 
        aa_put_label(label);
-       put_cred(cred);
 
        return error;
 }
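Review bot: The "prev" and "exec" branches load task_ctx(task)->previous and task_ctx(task)->onexec twice each, once in the condition and once as the argument, so if the target task replaces or clears that field between the two loads, aa_get_newest_label() can receive a pointer other than the one that was tested (possibly NULL); each field should be read once into a local with READ_ONCE(). Separately, rcu_read_lock() only makes a cross-task read of these fields safe if the label referenced there is still valid for the duration of the read side, i.e. the target's stores and the label's release are RCU-published and aa_get_newest_label() tolerates a label whose last reference was just dropped — none of that is visible in this hunk, so it should be confirmed; the "current" branch is fine because it goes through __task_cred(), which is RCU-protected. The function's signature is in the hunk header context; the rest of the body is within the hunk.
```c
	struct aa_label *tmp;
	/* … unchanged: error/label declarations, rcu_read_lock(), "current" branch … */
	else if (strcmp(name, "prev") == 0 &&
		 (tmp = READ_ONCE(task_ctx(task)->previous)))
		label = aa_get_newest_label(tmp);
	else if (strcmp(name, "exec") == 0 &&
		 (tmp = READ_ONCE(task_ctx(task)->onexec)))
		label = aa_get_newest_label(tmp);
	else
		error = -EINVAL;
	/* … unchanged: rcu_read_unlock(), aa_getprocattr() call, aa_put_label(), return … */
```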