[SRU][Xenial][Bionic][PATCH 1/1] UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets


[SRU][Xenial][Bionic][PATCH 1/1] UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

John Johansen-2
The apparmor policy language currently does not allow expressing the
locking permission for non-fs unix sockets. However, the kernel is
enforcing mediation.

Add the AA_MAY_LOCK perm to the computed perm mask, which will grant
permission for all current abi profiles but still allow specifying
auditing of the operation if needed.

BugLink: http://bugs.launchpad.net/bugs/1780227
Signed-off-by: John Johansen <[hidden email]>
---
 security/apparmor/lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index a7b3f681b80e..eafad30a78d7 100644
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
  /* for v5 perm mapping in the policydb, the other set is used
  * to extend the general perm set
  */
- perms->allow |= map_other(dfa_other_allow(dfa, state));
+ perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK;
  perms->audit |= map_other(dfa_other_audit(dfa, state));
  perms->quiet |= map_other(dfa_other_quiet(dfa, state));
 // perms->xindex = dfa_user_xindex(dfa, state);
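Review bot: the unconditional `| AA_MAY_LOCK` on the `perms->allow` line needs an in-code comment; nothing in the hunk says why lock is granted for every state reached through this v5 mapping path rather than only for non-fs unix socket states, and a later reader or an upstream rebase could drop it as a stray bit. The justification in the commit message (the policy language cannot yet express the lock permission, so the kernel must not deny it) belongs next to the line, e.g. `/* policy can't express lock on non-fs unix sockets yet; grant it */`, ideally with a note that this is SAUCE and when it can be reverted. Also worth stating in that comment that `perms->audit` and `perms->quiet` are still taken from the dfa, which is what keeps the "auditing can still be specified" claim true. A side effect a reviewer should confirm is that `aa_compute_perms` is generic, so every caller using the v5 "other" perm set now sees `AA_MAY_LOCK` allowed, not just the unix socket mediation the subject line names.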
--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

ACK/Cmnt: [SRU][Xenial][Bionic][PATCH 1/1] UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

Stefan Bader-2
On 30.07.2018 22:55, John Johansen wrote:

> The apparmor policy language currently does not allow expressing the
> locking permission for non-fs unix sockets. However, the kernel is
> enforcing mediation.
>
> Add the AA_MAY_LOCK perm to the computed perm mask, which will grant
> permission for all current abi profiles but still allow specifying
> auditing of the operation if needed.
>
> BugLink: http://bugs.launchpad.net/bugs/1780227
> Signed-off-by: John Johansen <[hidden email]>
Acked-by: Stefan Bader <[hidden email]>
> ---

Please add the SRU justification to the bug report. The change itself looks
small enough but also a bit like voodoo to anybody not familiar... so any help
to reviewers and admins counts. ;)


>  security/apparmor/lib.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
> index a7b3f681b80e..eafad30a78d7 100644
> --- a/security/apparmor/lib.c
> +++ b/security/apparmor/lib.c
> @@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
>   /* for v5 perm mapping in the policydb, the other set is used
>   * to extend the general perm set
>   */
> - perms->allow |= map_other(dfa_other_allow(dfa, state));
> + perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK;
>   perms->audit |= map_other(dfa_other_audit(dfa, state));
>   perms->quiet |= map_other(dfa_other_quiet(dfa, state));
>  // perms->xindex = dfa_user_xindex(dfa, state);
>



ACK: [SRU][Xenial][Bionic][PATCH 1/1] UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

Kleber Souza
In reply to this post by John Johansen-2
On 07/30/18 22:55, John Johansen wrote:

> The apparmor policy language currently does not allow expressing the
> locking permission for non-fs unix sockets. However, the kernel is
> enforcing mediation.
>
> Add the AA_MAY_LOCK perm to the computed perm mask, which will grant
> permission for all current abi profiles but still allow specifying
> auditing of the operation if needed.
>
> BugLink: http://bugs.launchpad.net/bugs/1780227
> Signed-off-by: John Johansen <[hidden email]>

Acked-by: Kleber Sacilotto de Souza <[hidden email]>

> ---
>  security/apparmor/lib.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
> index a7b3f681b80e..eafad30a78d7 100644
> --- a/security/apparmor/lib.c
> +++ b/security/apparmor/lib.c
> @@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
>   /* for v5 perm mapping in the policydb, the other set is used
>   * to extend the general perm set
>   */
> - perms->allow |= map_other(dfa_other_allow(dfa, state));
> + perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK;
>   perms->audit |= map_other(dfa_other_audit(dfa, state));
>   perms->quiet |= map_other(dfa_other_quiet(dfa, state));
>  // perms->xindex = dfa_user_xindex(dfa, state);
>



APPLIED: [SRU][Xenial][Bionic][PATCH 1/1] UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

Kleber Souza
In reply to this post by John Johansen-2
On 07/30/18 22:55, John Johansen wrote:

> The apparmor policy language currently does not allow expressing the
> locking permission for non-fs unix sockets. However, the kernel is
> enforcing mediation.
>
> Add the AA_MAY_LOCK perm to the computed perm mask, which will grant
> permission for all current abi profiles but still allow specifying
> auditing of the operation if needed.
>
> BugLink: http://bugs.launchpad.net/bugs/1780227
> Signed-off-by: John Johansen <[hidden email]>
> ---
>  security/apparmor/lib.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
> index a7b3f681b80e..eafad30a78d7 100644
> --- a/security/apparmor/lib.c
> +++ b/security/apparmor/lib.c
> @@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
>   /* for v5 perm mapping in the policydb, the other set is used
>   * to extend the general perm set
>   */
> - perms->allow |= map_other(dfa_other_allow(dfa, state));
> + perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK;
>   perms->audit |= map_other(dfa_other_audit(dfa, state));
>   perms->quiet |= map_other(dfa_other_quiet(dfa, state));
>  // perms->xindex = dfa_user_xindex(dfa, state);
>

Applied to xenial/master-next and bionic/master-next branches.

Thanks,
Kleber


APPLIED[C/Unstable]: [SRU][Xenial][Bionic][PATCH 1/1] UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets

Seth Forshee
In reply to this post by John Johansen-2
On Mon, Jul 30, 2018 at 01:55:30PM -0700, John Johansen wrote:

> The apparmor policy language currently does not allow expressing the
> locking permission for non-fs unix sockets. However, the kernel is
> enforcing mediation.
>
> Add the AA_MAY_LOCK perm to the computed perm mask, which will grant
> permission for all current abi profiles but still allow specifying
> auditing of the operation if needed.
>
> BugLink: http://bugs.launchpad.net/bugs/1780227
> Signed-off-by: John Johansen <[hidden email]>

Applied to cosmic/master-next and unstable/master, thanks!
