apparmor: fail task profile update if current_cred isn't real_cred
author John Johansen <john.johansen@canonical.com>
Mon, 16 Jan 2017 08:42:59 +0000 (00:42 -0800)
committer John Johansen <john.johansen@canonical.com>
Mon, 16 Jan 2017 09:18:45 +0000 (01:18 -0800)
Trying to update the task cred while the task current cred is not the
real cred will result in an error at the cred layer. Avoid this by
failing early and delaying the update.

Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/context.c

index 3c4f534ef88cadfe35b4a183ef4d0679ff04637e..3f32f594c9999025aec4f6b2feac1dd57887a620 100644 (file)
@@ -100,6 +100,9 @@ int aa_replace_current_profile(struct aa_profile *profile)
        if (cxt->profile == profile)
                return 0;
 
+       if (current_cred() != current_real_cred())
+               return -EBUSY;
+
        new  = prepare_creds();
        if (!new)
                return -ENOMEM;
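
Review bot: the new `current_cred() != current_real_cred()` check returns -EBUSY without a comment saying why. The commit message promises the update is delayed, but nothing in this hunk shows who retries it. Please add a short comment above the check explaining that the task is running with overridden creds and that the caller is expected to retry the profile replacement later. If aa_replace_current_profile() has a function comment listing its return values, -EBUSY should be added there too. It is also worth confirming that every caller treats -EBUSY as "try again later" rather than as a hard failure, since a caller that drops the error would leave the task confined by the old profile. The check sits after the `cxt->profile == profile` early return, so a no-op replacement still returns 0 while creds are overridden; that ordering looks intentional and fine, but a one-line note would make it clear.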