tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

apparmor: fix apparmor mediating locking non-fs unix sockets

the v8 and earlier policy does not encode the locking permission for
no-fs unix sockets. However the kernel is enforcing mediation.

Add the AA_MAY_LOCK perm to v8 and earlier computed perm mask which will
grant permission for all current abi profiles, but still allow specifying
auditing of the operation if needed.

Link: http://bugs.launchpad.net/bugs/1780227
Signed-off-by: John Johansen <john.johansen@canonical.com>

John Johansen 1cf26c3d 1b5a6198

+9 -4
+9 -4
security/apparmor/policy_unpack.c
··· 31 31 #define K_ABI_MASK 0x3ff 32 32 #define FORCE_COMPLAIN_FLAG 0x800 33 33 #define VERSION_LT(X, Y) (((X) & K_ABI_MASK) < ((Y) & K_ABI_MASK)) 34 + #define VERSION_LE(X, Y) (((X) & K_ABI_MASK) <= ((Y) & K_ABI_MASK)) 34 35 #define VERSION_GT(X, Y) (((X) & K_ABI_MASK) > ((Y) & K_ABI_MASK)) 35 36 36 37 #define v5 5 /* base version */ ··· 797 796 } 798 797 799 798 static struct aa_perms compute_perms_entry(struct aa_dfa *dfa, 800 - aa_state_t state) 799 + aa_state_t state, 800 + u32 version) 801 801 { 802 802 struct aa_perms perms = { }; 803 803 ··· 811 809 */ 812 810 813 811 perms.allow |= map_other(dfa_other_allow(dfa, state)); 812 + if (VERSION_LE(version, v8)) 813 + perms.allow |= AA_MAY_LOCK; 814 814 perms.audit |= map_other(dfa_other_audit(dfa, state)); 815 815 perms.quiet |= map_other(dfa_other_quiet(dfa, state)); 816 816 817 817 return perms; 818 818 } 819 819 820 - static struct aa_perms *compute_perms(struct aa_dfa *dfa) 820 + static struct aa_perms *compute_perms(struct aa_dfa *dfa, u32 version) 821 821 { 822 822 unsigned int state; 823 823 unsigned int state_count; ··· 835 831 836 832 /* zero init so skip the trap state (state == 0) */ 837 833 for (state = 1; state < state_count; state++) 838 - table[state] = compute_perms_entry(dfa, state); 834 + table[state] = compute_perms_entry(dfa, state, version); 839 835 840 836 return table; 841 837 } ··· 1059 1055 } 1060 1056 if (!unpack_nameX(e, AA_STRUCTEND, NULL)) 1061 1057 goto fail; 1062 - profile->policy.perms = compute_perms(profile->policy.dfa); 1058 + profile->policy.perms = compute_perms(profile->policy.dfa, 1059 + e->version); 1063 1060 if (!profile->policy.perms) { 1064 1061 info = "failed to remap policydb permission table"; 1065 1062 goto fail;