apparmor: fail task profile update if current_cred isn't real_cred

Trying to update the task cred while the task current cred is not the
real cred will result in an error at the cred layer. Avoid this by
failing early and delaying the update.

Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/context.c b/security/apparmor/context.c
index 3c4f534..3f32f59 100644 (file)
--- a/security/apparmor/context.c
+++ b/security/apparmor/context.c
@@ -100,6 +100,9 @@ int aa_replace_current_profile(struct aa_profile *profile)
        if (cxt->profile == profile)
                return 0;
 
+       if (current_cred() != current_real_cred())
+               return -EBUSY;
+
        new  = prepare_creds();
        if (!new)
                return -ENOMEM;