[PATCH 0/1] [jaunty] LP#344370 -- Add checking for AppArmorFS creation failure.

[PATCH 0/1] [jaunty] LP#344370 -- Add checking for AppArmorFS creation failure.

Brad Figg-2
Please pull from:
    git://kernel.ubuntu.com/brad/ubuntu-jaunty master

Bug: 344370

When the creation of the AppArmor FS fails the default_namespace is
free'd. However, this was not being checked for and was being used
anyway.

UBUNTU: SAUCE: Add checking for AppArmorFS creation failure.

 security/apparmor/main.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[PATCH] UBUNTU: SAUCE: Add checking for AppArmorFS creation failure.

Brad Figg-2
Bug: 344370

When the creation of the AppArmor FS fails the default_namespace is
free'd. However, this was not being checked for and was being used
anyway.

Signed-off-by: Brad Figg <[hidden email]>
---
 security/apparmor/main.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/security/apparmor/main.c b/security/apparmor/main.c
index 5f9c1cd..a0434da 100644
--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -1219,11 +1219,13 @@ repeat:
  sa.error_code = -EACCES;
  new_profile = ERR_PTR(aa_audit_file(profile, &sa));
  }
- } else {
+ } else if (default_namespace) {
  /* Unconfined task, load profile if it exists */
  new_profile = aa_register_find(NULL, NULL, filename, 0, 0, &sa);
  if (new_profile == NULL)
  goto cleanup;
+ } else {
+ goto cleanup;
  }
 
  if (IS_ERR(new_profile))
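Review bot: the new `else if (default_namespace)` test only protects the unconfined branch if the AppArmorFS failure path leaves default_namespace NULL. The commit message says only that it is free'd, and a freed but non-NULL pointer would pass this test and still reach aa_register_find(). Please confirm that the failure path clears the pointer, and add a comment on the new `else` saying that the namespace is absent because AppArmorFS creation failed. The new `else` also takes `goto cleanup` silently on every exec; a single warning where the creation fails, or refusing to continue initialisation at that point, would make the state visible and remove the need for a check in this path.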
--
1.6.1.3



Re: [PATCH 0/1] [jaunty] LP#344370 -- Add checking for AppArmorFS creation failure.

Tim Gardner-2
In reply to this post by Brad Figg-2
Brad Figg wrote:

> Please pull from:
>     git://kernel.ubuntu.com/brad/ubuntu-jaunty master
>
> Bug: 344370
>
> When the creation of the AppArmor FS fails the default_namespace is
> free'd. However, this was not being checked for and was being used
> anyway.
>
> UBUNTU: SAUCE: Add checking for AppArmorFS creation failure.
>
>  security/apparmor/main.c |    4 +++-
>  1 files changed, 3 insertions(+), 1 deletions(-)
>
>

Is this the root cause for AA oops'ing on ARM imx51 ?

--
Tim Gardner [hidden email]


Re: [PATCH 0/1] [jaunty] LP#344370 -- Add checking for AppArmorFS creation failure.

Brad Figg-2
Tim Gardner wrote:

> Brad Figg wrote:
>> Please pull from:
>>     git://kernel.ubuntu.com/brad/ubuntu-jaunty master
>>
>> Bug: 344370
>>
>> When the creation of the AppArmor FS fails the default_namespace is
>> free'd. However, this was not being checked for and was being used
>> anyway.
>>
>> UBUNTU: SAUCE: Add checking for AppArmorFS creation failure.
>>
>>  security/apparmor/main.c |    4 +++-
>>  1 files changed, 3 insertions(+), 1 deletions(-)
>>
>>
>
> Is this the root cause for AA oops'ing on ARM imx51 ?
>

Yes and no. This prevents the oops from happening. However, the
reason this check is necessary is that earlier on the AppArmorFS
failed to be created. The creation failed because a directory
"apparmor" could not be created in the root directory of the
"securityfs".

I believe that this is due to a platform configuration issue. However,
I'm trying to figure out what the "securityfs" is, how it gets
created and why it is missing from the imx51.

Brad


Re: [PATCH 0/1] [jaunty] LP#344370 -- Add checking for AppArmorFS creation failure.

Tim Gardner-2
Brad Figg wrote:

> Tim Gardner wrote:
>> Brad Figg wrote:
>>> Please pull from:
>>>     git://kernel.ubuntu.com/brad/ubuntu-jaunty master
>>>
>>> Bug: 344370
>>>
>>> When the creation of the AppArmor FS fails the default_namespace is
>>> free'd. However, this was not being checked for and was being used
>>> anyway.
>>>
>>> UBUNTU: SAUCE: Add checking for AppArmorFS creation failure.
>>>
>>>  security/apparmor/main.c |    4 +++-
>>>  1 files changed, 3 insertions(+), 1 deletions(-)
>>>
>>>
>>
>> Is this the root cause for AA oops'ing on ARM imx51 ?
>>
>
> Yes and no. This prevents the oops from happening. However, the
> reason this check is necessary is that earlier on the AppArmorFS
> failed to be created. The creation failed because a directory
> "apparmor" could not be created in the root directory of the
> "securityfs".
>
> I believe that this is due to a platform configuration issue. However,
> I'm trying to figure out what the "securityfs" is, how it gets
> created and why it is missing from the imx51.
>
> Brad
>

Your best resource for finding out the answer to that question might be
Oliver.
--
Tim Gardner [hidden email]


Re: [PATCH 0/1] [jaunty] LP#344370 -- Add checking for AppArmorFS creation failure.

Brad Figg-2
Tim Gardner wrote:

> Brad Figg wrote:
>> Tim Gardner wrote:
>>> Brad Figg wrote:
>>>> Please pull from:
>>>>     git://kernel.ubuntu.com/brad/ubuntu-jaunty master
>>>>
>>>> Bug: 344370
>>>>
>>>> When the creation of the AppArmor FS fails the default_namespace is
>>>> free'd. However, this was not being checked for and was being used
>>>> anyway.
>>>>
>>>> UBUNTU: SAUCE: Add checking for AppArmorFS creation failure.
>>>>
>>>>  security/apparmor/main.c |    4 +++-
>>>>  1 files changed, 3 insertions(+), 1 deletions(-)
>>>>
>>>>
>>>
>>> Is this the root cause for AA oops'ing on ARM imx51 ?
>>>
>>
>> Yes and no. This prevents the oops from happening. However, the
>> reason this check is necessary is that earlier on the AppArmorFS
>> failed to be created. The creation failed because a directory
>> "apparmor" could not be created in the root directory of the
>> "securityfs".
>>
>> I believe that this is due to a platform configuration issue. However,
>> I'm trying to figure out what the "securityfs" is, how it gets
>> created and why it is missing from the imx51.
>>
>> Brad
>>
>
> Your best resource for finding out the answer to that question might be
> Oliver.

Agreed, and one of my next emails was going to be to him. Thanks for including
him on the CC list.

Brad


Re: [PATCH 0/1] [jaunty] LP#344370 -- Add checking for AppArmorFS creation failure.

Amit Kucheria-6
In reply to this post by Brad Figg-2
On Mon, Mar 23, 2009 at 05:25:30PM -0700, Brad Figg wrote:

> Tim Gardner wrote:
> > Brad Figg wrote:
> >> Please pull from:
> >>     git://kernel.ubuntu.com/brad/ubuntu-jaunty master
> >>
> >> Bug: 344370
> >>
> >> When the creation of the AppArmor FS fails the default_namespace is
> >> free'd. However, this was not being checked for and was being used
> >> anyway.
> >>
> >> UBUNTU: SAUCE: Add checking for AppArmorFS creation failure.
> >>
> >>  security/apparmor/main.c |    4 +++-

Could you send this AA upstream too?

> >
> > Is this the root cause for AA oops'ing on ARM imx51 ?
> >
>
> Yes and no. This prevents the oops from happening. However, the
> reason this check is necessary is that earlier on the AppArmorFS
> failed to be created. The creation failed because a directory
> "apparmor" could not be created in the root directory of the
> "securityfs".
>
> I believe that this is due to a platform configuration issue. However,
> I'm trying to figure out what the "securityfs" is, how it gets
> created and why it is missing from the imx51.

securityfs is the 4th option in 'Security Options' and it is disabled for
all ARM flavours. So it would be worth a try to just enable it and see if
the oops disappears.

If so, then instead of the above patch, the solution could be to add a
'Selected by' Kconfig dependency of AA on SECURITYFS.

Regards,
Amit

--
----------------------------------------------------------------------
Amit Kucheria, Kernel Engineer || [hidden email]
----------------------------------------------------------------------
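
The failure chain Brad describes, with the securityfs dependency Amit points to, as a small userspace C model. This is an added example, not part of the thread and not AppArmor code: apart from default_namespace every name is hypothetical, and it assumes the failure path clears the pointer after freeing it.

```c
/* Userspace model added for illustration; not the AppArmor source.
 * Only default_namespace is a name from the patch; the rest is hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

struct ns_model { int profile_count; };
static struct ns_model *default_namespace;

/* Init path: when the filesystem cannot be created, the namespace is freed.
 * Assumption: the pointer is also cleared, which the patch's NULL test needs. */
int model_init(int have_securityfs)
{
    int err;

    default_namespace = calloc(1, sizeof(*default_namespace));
    if (!default_namespace)
        return -ENOMEM;
    /* Stand-in for creating "apparmor" in securityfs; -ENODEV is the model's choice. */
    err = have_securityfs ? 0 : -ENODEV;
    if (err) {
        free(default_namespace);
        default_namespace = NULL;
    }
    return err;
}

/* Before the patch: the unconfined branch uses the namespace regardless,
 * so after a failed init the next exec dereferences NULL (the oops). */
int model_exec_unchecked(void)
{
    return default_namespace->profile_count >= 0;
}

/* After the patch: no namespace means no lookup (the "goto cleanup" arm).
 * Returns 1 if the profile lookup ran, 0 if it was skipped. */
int model_exec_checked(void)
{
    if (!default_namespace)
        return 0;
    return default_namespace->profile_count >= 0;
}

int main(void)
{
    int err = model_init(0);   /* constructed case: securityfs not available */
    printf("init=%d lookup=%d\n", err, model_exec_checked());
    return 0;
}
```

With `have_securityfs` set to 1 the init succeeds and both exec variants behave the same, which is why the fault only showed up on configurations without securityfs.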


NAK: [PATCH 0/1] [jaunty] LP#344370 -- Add checking for AppArmorFS creation failure.

Brad Figg-2
The oops is being fixed by means of a Kconfig change. Please disregard this
pull request.

Brad

--
Brad Figg [hidden email] http://www.canonical.com
