apparmor: revalidate files during exec
author: John Johansen <john.johansen@canonical.com>
author date: Fri, 9 Jun 2017 18:58:42 +0000 (11:58 -0700)
committer: John Johansen <john.johansen@canonical.com>
commit date: Sun, 11 Jun 2017 00:11:37 +0000 (17:11 -0700)
commit: 192ca6b55a866e838aee98d9cb6a0b5086467c03
tree: eba93d671a1476432f357fa68e6842f548e2cb2f
parent: 2835a13bbdc09d330eafdf5e67eb407c90c01ab7

apparmor: revalidate files during exec

Instead of running file revalidation lazily when read/write are called,
copy SELinux and revalidate the file table on exec. This avoids
extra mediation overhead in read/write and also prevents file handles
being passed through to a grandchild unchecked.

Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/file.c
security/apparmor/include/audit.h
security/apparmor/include/file.h
security/apparmor/lsm.c
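
A userspace analogue of the exec-time revalidation the commit message describes, added here as an example; it is not AppArmor kernel code. The prefix policy, the function names, and pointing a denied descriptor at /dev/null are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical policy of the confinement being entered: allowed path prefixes. */
static const char *const allowed_prefixes[] = { "/dev/", "/usr/lib/", NULL };

/* Resolve the file behind fd through /proc/self/fd and match it against policy. */
static int fd_allowed(int fd)
{
    char link[64], path[PATH_MAX];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, path, sizeof path - 1);
    if (n < 0)
        return 0;                       /* cannot identify the file: deny */
    path[n] = '\0';
    for (size_t i = 0; allowed_prefixes[i]; i++)
        if (strncmp(path, allowed_prefixes[i], strlen(allowed_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Check every open descriptor in [first_fd, end_fd) once, before exec, and
 * point each denied one at /dev/null so the number stays valid but no longer
 * reaches the original file. Returns the number replaced, or -1 on error. */
int revalidate_fds(int first_fd, int end_fd)
{
    int replaced = 0;
    int devnull = open("/dev/null", O_RDWR | O_CLOEXEC);
    if (devnull < 0)
        return -1;
    for (int fd = first_fd; fd < end_fd; fd++) {
        if (fd == devnull || fcntl(fd, F_GETFD) < 0)
            continue;                   /* our own handle, or not open */
        if (fd_allowed(fd))
            continue;
        if (dup2(devnull, fd) < 0) {
            close(devnull);
            return -1;
        }
        replaced++;
    }
    close(devnull);
    return replaced;
}
```

Because the check runs once over the whole table before the new image starts, a descriptor the process never reads or writes is still validated before it can be inherited further.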