[JAUNTY SRU] lp#395219 UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.


[JAUNTY SRU] lp#395219 UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.

Manoj Iyer

SRU JUSTIFICATION

IMPACT: kernel panics when SELinux is enabled.
FIX: A non-upstream patch from Eric Paris fixes this issue specifically
for Ubuntu.
Ubuntu users were experiencing a kernel panic when they enabled SELinux
due to an old bug in our handling of the compatibility mode network
controls, introduced on Jan 1 2008 in effad8df44261031a882e1a895415f7186a5098e.
Most distros have not used the compat_net code since the new code was
introduced and so no one has hit this problem before.  Ubuntu is the only
distro I know that enabled that legacy cruft by default.  But, I was asked
to look at it and found that the above patch changed a call to
avc_has_perm from if(send_perm) to if(!send_perm) in
selinux_ip_postroute_iptables_compat().  The result is that users who
turn on SELinux and have compat_net set can (and often will) BUG() in
avc_has_perm_noaudit since they are requesting 0 permissions.

This patch corrects that accidental bug introduction.

TEST: The test kernel in http://people.ubuntu.com/~manjo/lp395219-jaunty/
was tested by the originator of the bug and reported to work.

The following changes since commit
ca7cfc6f93c0944a45bbe6f8f07b1028c664e3c2:
   Reinette Chatre (1):
         iwl3945: use cancel_delayed_work_sync to cancel rfkill_poll

are available in the git repository at:

   git://kernel.ubuntu.com/manjo/ubuntu-jaunty.git lp395219

Manoj Iyer (1):
       UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.

  security/selinux/hooks.c |    2 +-
  1 files changed, 1 insertions(+), 1 deletions(-)

From d09c656dc7c42f7f606d07fa64222d2c3222d4c7 Mon Sep 17 00:00:00 2001
From: Manoj Iyer <[hidden email]>
Date: Sun, 5 Jul 2009 11:24:22 -0500
Subject: [PATCH] UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.

OriginalAuthor: Eric Paris <[hidden email]>

OriginalLocation: http://marc.info/?l=linux-kernel&m=124276951810932&w=2

BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/395219

Signed-off-by: Manoj Iyer <[hidden email]>
---
  security/selinux/hooks.c |    2 +-
  1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f923577..02f3a16 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4558,7 +4558,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
  if (err)
  return err;

- if (send_perm != 0)
+ if (!send_perm)
  return 0;

  err = sel_netport_sid(sk->sk_protocol,
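Review bot: the commit message between the Subject and the Signed-off-by line carries only the OriginalAuthor, OriginalLocation and BugLink tags and no description of the bug, so the reasoning in the cover letter (the test was inverted by effad8df44261031a882e1a895415f7186a5098e, and a zero-permission request BUG()s in avc_has_perm_noaudit) should be moved into the commit body, where a later `git log security/selinux/hooks.c` will find it. The hunk itself reads correctly against that explanation: with `if (send_perm != 0)` the hook returned 0 before ever reaching `sel_netport_sid()` whenever a permission was actually requested, and fell through to the AVC with an empty mask when none was, which is the reported BUG(); `if (!send_perm)` makes the early return the nothing-to-check case, so the AVC is only consulted with a non-empty mask.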
--
1.6.3.3


Cheers
--- manjo

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
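The control flow the cover letter describes, as an added user-space model that is not the kernel's code and not part of this thread: `postroute_compat_buggy()` and `postroute_compat_fixed()` are hypothetical functions reproducing only the early-return guard from the hunk, `model_avc_has_perm()` stands in for avc_has_perm() and reports the zero-mask BUG() as a return value instead of crashing the process, and `MODEL_NETPORT_SEND_PERM` is a constructed permission bit rather than a real SELinux value.

```c
/*
 * Constructed model of the guard in selinux_ip_postroute_iptables_compat().
 * Only the early return and the call into the AVC are reproduced; no real
 * SELinux structures, classes or permission values are involved.
 */
#include <stdio.h>
#include <stdint.h>

typedef uint32_t u32;

/* Constructed permission bit standing in for the netport "send" permission. */
#define MODEL_NETPORT_SEND_PERM 0x1u

/* Outcome of one pass through the modelled hook. */
enum outcome {
    OUTCOME_ALLOWED_UNCHECKED = 0, /* returned 0 before any AVC lookup */
    OUTCOME_CHECKED           = 1, /* reached the AVC with a non-empty mask */
    OUTCOME_BUG               = 2, /* AVC asked for zero perms: kernel BUG()s */
};

/*
 * Stand-in for avc_has_perm(): the cover letter reports that the real
 * avc_has_perm_noaudit() BUG()s when the requested mask is zero, so the
 * model returns OUTCOME_BUG for that case instead of aborting.
 */
static enum outcome model_avc_has_perm(u32 requested)
{
    if (requested == 0)
        return OUTCOME_BUG;
    return OUTCOME_CHECKED;
}

/* Guard as it stood before the fix: "if (send_perm != 0) return 0;" */
static enum outcome postroute_compat_buggy(u32 send_perm)
{
    if (send_perm != 0)
        return OUTCOME_ALLOWED_UNCHECKED;
    return model_avc_has_perm(send_perm);
}

/* Guard as the patch makes it: "if (!send_perm) return 0;" */
static enum outcome postroute_compat_fixed(u32 send_perm)
{
    if (!send_perm)
        return OUTCOME_ALLOWED_UNCHECKED;
    return model_avc_has_perm(send_perm);
}

static const char *outcome_name(enum outcome o)
{
    switch (o) {
    case OUTCOME_ALLOWED_UNCHECKED: return "allowed without AVC lookup";
    case OUTCOME_CHECKED:           return "AVC consulted with non-empty mask";
    case OUTCOME_BUG:               return "AVC asked for 0 perms -> BUG()";
    }
    return "unknown";
}

int main(void)
{
    const u32 masks[] = { 0, MODEL_NETPORT_SEND_PERM };
    size_t i;

    for (i = 0; i < sizeof(masks) / sizeof(masks[0]); i++) {
        printf("send_perm=0x%x  buggy: %-36s fixed: %s\n", masks[i],
               outcome_name(postroute_compat_buggy(masks[i])),
               outcome_name(postroute_compat_fixed(masks[i])));
    }
    return 0;
}
```

Running it prints one line per mask; the two rows show the inverted guard reaching the AVC with an empty mask (the reported panic) and, for a non-empty mask, returning allowed without any lookup at all, while the fixed guard only consults the AVC when there is something to check.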

Re: [JAUNTY SRU] lp#395219 UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.

Tim Gardner
Manoj Iyer wrote:

> SRU JUSTIFICATION
>
> IMPACT: kernel panics when SELinux is enabled.
> FIX: A non-upstream patch from Eric Paris fixes this issue specifically
> for Ubuntu.
> Ubuntu users were experiencing a kernel panic when they enabled SELinux
> due to an old bug in our handling of the compatibility mode network
> controls, introduced on Jan 1 2008 in effad8df44261031a882e1a895415f7186a5098e.
> Most distros have not used the compat_net code since the new code was
> introduced and so no one has hit this problem before.  Ubuntu is the only
> distro I know that enabled that legacy cruft by default.  But, I was asked
> to look at it and found that the above patch changed a call to
> avc_has_perm from if(send_perm) to if(!send_perm) in
> selinux_ip_postroute_iptables_compat().  The result is that users who
> turn on SELinux and have compat_net set can (and often will) BUG() in
> avc_has_perm_noaudit since they are requesting 0 permissions.
>
> This patch corrects that accidental bug introduction.
>
> TEST: The test kernel in http://people.ubuntu.com/~manjo/lp395219-jaunty/ 
> was tested by the originator of the bug and reported to work.
>
> The following changes since commit
> ca7cfc6f93c0944a45bbe6f8f07b1028c664e3c2:
>    Reinette Chatre (1):
>          iwl3945: use cancel_delayed_work_sync to cancel rfkill_poll
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/manjo/ubuntu-jaunty.git lp395219
>
> Manoj Iyer (1):
>        UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.
>
>   security/selinux/hooks.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
>
> From d09c656dc7c42f7f606d07fa64222d2c3222d4c7 Mon Sep 17 00:00:00 2001
> From: Manoj Iyer <[hidden email]>
> Date: Sun, 5 Jul 2009 11:24:22 -0500
> Subject: [PATCH] UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.
>
> OriginalAuthor: Eric Paris <[hidden email]>
>
> OriginalLocation: http://marc.info/?l=linux-kernel&m=124276951810932&w=2
>
> BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/395219
>
> Signed-off-by: Manoj Iyer <[hidden email]>
> ---
>   security/selinux/hooks.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f923577..02f3a16 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4558,7 +4558,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
>   if (err)
>   return err;
>
> - if (send_perm != 0)
> + if (!send_perm)
>   return 0;
>
>   err = sel_netport_sid(sk->sk_protocol,

ACK

--
Tim Gardner [hidden email]


Re: [JAUNTY SRU] lp#395219 UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.

Amit Kucheria
On 09 Jul 06, Manoj Iyer wrote:

>
> SRU JUSTIFICATION
>
> IMPACT: kernel panics when SELinux is enabled.
> FIX: A non-upstream patch from Eric Paris fixes this issue specifically
> for Ubuntu.
> Ubuntu users were experiencing a kernel panic when they enabled SELinux
> due to an old bug in our handling of the compatibility mode network
> controls, introduced on Jan 1 2008 in effad8df44261031a882e1a895415f7186a5098e.
> Most distros have not used the compat_net code since the new code was
> introduced and so no one has hit this problem before.  Ubuntu is the only
> distro I know that enabled that legacy cruft by default.  But, I was asked
> to look at it and found that the above patch changed a call to
> avc_has_perm from if(send_perm) to if(!send_perm) in
> selinux_ip_postroute_iptables_compat().  The result is that users who
> turn on SELinux and have compat_net set can (and often will) BUG() in
> avc_has_perm_noaudit since they are requesting 0 permissions.
>
> This patch corrects that accidental bug introduction.
>
> TEST: The test kernel in http://people.ubuntu.com/~manjo/lp395219-jaunty/ 
> was tested by the originator of the bug and reported to work.
>
> The following changes since commit
> ca7cfc6f93c0944a45bbe6f8f07b1028c664e3c2:
>    Reinette Chatre (1):
>          iwl3945: use cancel_delayed_work_sync to cancel rfkill_poll
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/manjo/ubuntu-jaunty.git lp395219
>
> Manoj Iyer (1):
>        UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.
>
>   security/selinux/hooks.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
>
> From d09c656dc7c42f7f606d07fa64222d2c3222d4c7 Mon Sep 17 00:00:00 2001
> From: Manoj Iyer <[hidden email]>
> Date: Sun, 5 Jul 2009 11:24:22 -0500
> Subject: [PATCH] UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.
>
> OriginalAuthor: Eric Paris <[hidden email]>
>
> OriginalLocation: http://marc.info/?l=linux-kernel&m=124276951810932&w=2
>
> BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/395219
>
> Signed-off-by: Manoj Iyer <[hidden email]>
> ---
>   security/selinux/hooks.c |    2 +-
>   1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f923577..02f3a16 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -4558,7 +4558,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
>   if (err)
>   return err;
>
> - if (send_perm != 0)
> + if (!send_perm)
>   return 0;
>
>   err = sel_netport_sid(sk->sk_protocol,
> --
> 1.6.3.3

ACK.

--
----------------------------------------------------------------------
Amit Kucheria, Kernel Engineer || [hidden email]
----------------------------------------------------------------------


Re: [JAUNTY SRU] lp#395219 UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.

Stefan Bader

Re: [JAUNTY SRU] lp#395219 UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.

Stefan Bader
One more thing: what is the status of this on Karmic?


Re: [JAUNTY SRU] lp#395219 UBUNTU: SAUCE: Fix kernel panic when SELinux is enabled.

Manoj Iyer

You don't need this in Karmic, because in upstream the offending code was
removed.

Cheers
--- manjo

On Wed, 8 Jul 2009, Stefan Bader wrote:

> One more thing: what is the status of this on Karmic?
>
