From patchwork Wed Feb 1 09:06:06 2017
X-Patchwork-Submitter: John Johansen
X-Patchwork-Id: 722405
From: John Johansen
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 14/14] UBUNTU: SAUCE: apparmor: flock mediation is not being enforced on cache check
Date: Wed, 1 Feb 2017 01:06:06 -0800
Message-Id: <20170201090606.22422-15-john.johansen@canonical.com>
X-Mailer: git-send-email 2.9.3
In-Reply-To: <20170201090606.22422-1-john.johansen@canonical.com>
References: <20170201090606.22422-1-john.johansen@canonical.com>

When an open file with cached permissions is checked for the flock permission, the cache check fails and falls through to no error instead of auditing and returning an error. Fix the fall through to do a permission check, so it will audit the failed flock permission check.

BugLink: http://bugs.launchpad.net/bugs/1658219

Signed-off-by: John Johansen
---
 security/apparmor/file.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index 95bb2eb..1d049da7 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -536,18 +536,23 @@ static int __file_path_perm(const char *op, struct aa_label *label, error = fn_for_each_not_in_set(flabel, label, profile, profile_path_perm(op, profile, &file->f_path, buffer, request, &cond, flags, &perms)); - if (denied) { + if (denied && !error) { /* check every profile in file label that was not tested * in the initial check above. */ /* TODO: cache full perms so this only happens because of * conditionals */ /* TODO: don't audit here */ - last_error(error, - fn_for_each_not_in_set(label, flabel, profile, + if (label == flabel) + error = fn_for_each(label, profile, + profile_path_perm(op, profile, &file->f_path, + buffer, request, &cond, flags, + &perms)); + else + error = fn_for_each_not_in_set(label, flabel, profile, profile_path_perm(op, profile, &file->f_path, buffer, request, &cond, flags, - &perms))); + &perms)); } if (!error) update_file_ctx(file_ctx(file), label, request);
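Review bot: the new `if (label == flabel)` branch closes a real gap, but neither the hunk nor the description says why it is needed: `fn_for_each_not_in_set(label, flabel, profile, ...)` visits no profiles at all when the two labels are the same object, so the `denied` fall-through finished with `error == 0` and the flock request was neither re-checked nor audited. Please state that root cause in the commit message (it currently describes only the symptom) and drop or reword the now stale `/* TODO: don't audit here */` comment, since auditing on this path is exactly what the change is meant to restore. Also worth a sentence in the description: `if (denied && !error)` together with the removal of `last_error(...)` means the second pass now runs only when the initial `fn_for_each_not_in_set(flabel, label, ...)` pass succeeded, instead of merging its result with that pass's error as before, so an already audited first-pass denial is no longer re-audited.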