From patchwork Fri Nov 8 01:38:24 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ryan Lee X-Patchwork-Id: 2008203 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Xl1n73cR8z1xxq for ; Fri, 8 Nov 2024 12:38:50 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1t9DxI-0004I5-NY; Fri, 08 Nov 2024 01:38:32 +0000 Received: from smtp-relay-internal-0.internal ([10.131.114.225] helo=smtp-relay-internal-0.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1t9DxH-0004Ht-OX for kernel-team@lists.ubuntu.com; Fri, 08 Nov 2024 01:38:31 +0000 Received: from mail-pg1-f199.google.com (mail-pg1-f199.google.com [209.85.215.199]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 8104D40593 for ; Fri, 8 Nov 2024 01:38:31 +0000 (UTC) Received: by mail-pg1-f199.google.com with SMTP id 41be03b00d2f7-7c6b192a39bso1481992a12.2 for ; Thu, 07 Nov 2024 17:38:31 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731029910; x=1731634710; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=DI6sBrA2IsBTprr43Lv7staRrWvacVJiC6BmihYxK8o=; b=vnRHxhRZAT4T0wWapEsNiE2hfa8z5UMXf6neB+WCO5LcvSMQR1xyR3TaRZeijgcHkm OhSFDGi2w3UZ4O92ULXf5tvvrkuGa1AvcpKB6tC1NG9Qte12p46I1Em6LHO8l0asiBAR iP1wLscaWlEYDyJeA3qQLXBFAMrUmXxRiSIlndPI0pBikXky6JgRM/hUn/KW/5w/V+Ql QeBscEjxT8Cb4aZk2bZZkPORQJ46zxO6NJi4A8+nFH0IVYMI/jE8ZYklE299uKGvXstD 0SV1+RVbpmFhres3x2ZoCNhIP2OVWiw6R8ieWKhoTHNbTK/1xFXTqz/44qRUWCNRVb5g jTEw== X-Gm-Message-State: AOJu0YzrDk322mM+ks4VqpAIf+S2u7aN3GY4+Nt89rDcxj1quJ0Vo+YZ aPr0X62rpvjsKk5Q3EMI28Aks3/1dK9RzIOI7a+SNqL6X8vKzOKpMD/E9u+COUjw+cbKAF5jx4A gDkO2QDmo3Ubo7C+774NKt7e+wwKd6qdN98n+wObPNCTyveLNlYj2K5CR486Cirib3z3VPoVJdW DeC0DBvJ4k5vel X-Received: by 2002:a05:6a20:7f93:b0:1db:dfe6:53f5 with SMTP id adf61e73a8af0-1dc22baa0acmr1383430637.45.1731029909841; Thu, 07 Nov 2024 17:38:29 -0800 (PST) X-Google-Smtp-Source: AGHT+IEtbJAD8E5PXXzhGFkNukrFG+Fzj3Y/lk04G0a65jii8qTlg/gChjA1XHPat4VCIRmF1f5HdQ== X-Received: by 2002:a05:6a20:7f93:b0:1db:dfe6:53f5 with SMTP id adf61e73a8af0-1dc22baa0acmr1383380637.45.1731029908895; Thu, 07 Nov 2024 17:38:28 -0800 (PST) Received: from ryan-lee-laptop-13-amd.. (c-76-103-38-92.hsd1.ca.comcast.net. [76.103.38.92]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-724079b7712sm2476504b3a.103.2024.11.07.17.38.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 Nov 2024 17:38:28 -0800 (PST) From: Ryan Lee To: kernel-team@lists.ubuntu.com Subject: [SRU][N][PATCH v2 0/2] Backport some AppArmor complain-mode profile bugfixes from Oracular Date: Thu, 7 Nov 2024 17:38:24 -0800 Message-ID: <20241108013826.93748-1-ryan.lee@canonical.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" BugLink: https://bugs.launchpad.net/bugs/2086210 SRU Justification: [Impact] Backporting two AppArmor bugfixes (2de989ae726b "apparmor: allocate xmatch for nullpdf inside aa_alloc_null" and 62bd5d5f2149 "apparmor: properly handle cx/px lookup failure for complain") from the Ubuntu Oracular kernel will fix incorrect behavior that occurs with the usage of some complain mode profiles (a kernel oops and an actual denial occurring in complain mode, respectively). [Fix] Apply the two patches 2de989ae726b and 62bd5d5f2149 from the Ubuntu Oracular kernel, previously applied to the Oracular kernel via LP #2028253 as #94/99 and #95/99 in the series. [Test case] Patch 62bd5d5f2149 can be tested by loading the following profile into the kernel: abi , include profile ls_child flags=(complain) { include /dev/tty rw, /usr/bin/ls cxr, } and exercising the profile's nonexistent transition with `aa-exec -p ls_child sh -c ls`. With the patch applied, the ls command will succeed instead of failing. Patch 2de989ae726b is much harder to test, unfortunately. The reproducer I have is (deterministically) finicky but goes through a Docker indirection layer, although at least one other person has encountered the same kernel oops without using Docker. I have attached the files needed to construct a reproducer to the LP bug report. With the patch applied, the run_reproducer.sh script will succeed instead of generating a kernel oops. [Regression potential] This patch set fixes bugs in the handling of complain mode profiles, and are both very small. A bug caused by patch 2de989ae726b would cause, at most, a memory leak by preventing deallocation of a reference-counted profile object. A bug introduced by patch 62bd5d5f2149 would show up in the handling of complain mode profiles and would not affect enforcement of enforce mode profiles. [Other Info] This patchset backports some patches from https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2028253 which were applied to Oracular but not to Noble. v1 -> v2: tagged cherry-pick lines with oracular:linux (indicating git repo https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/oracular) and fixed formatting oopsie with the second patch commit message Ryan Lee (2): UBUNTU: SAUCE: apparmor4.0.0 [94/99]: apparmor: allocate xmatch for nullpdf inside aa_alloc_null UBUNTU: SAUCE: apparmor4.0.0 [95/99]: apparmor: properly handle cx/px lookup failure for complain security/apparmor/domain.c | 9 +++++++-- security/apparmor/policy.c | 1 + 2 files changed, 8 insertions(+), 2 deletions(-) Acked-by: Stefan Bader