| Message ID | ee7877c0-1762-7c1e-1fea-9a4cc16db30e@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | [SRU,Xenial,Bionic,1/1] UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets | expand |
On 30.07.2018 22:55, John Johansen wrote: > The apparmor policy language current does not allow expressing of the > locking permission for no-fs unix sockets. However the kernel is > enforcing mediation. > > Add the AA_MAY_LOCK perm to the computed perm mask which will grant > permission for all current abi profiles, but still allow specifying > auditing of the operation if needed. > > BugLink: http://bugs.launchpad.net/bugs/1780227 > Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- Please add the SRU justification to the bug report. The change itself looks small enough but also a bit like voodoo to anybody not familiar... so any help to reviewers and admins counts. ;) > security/apparmor/lib.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c > index a7b3f681b80e..eafad30a78d7 100644 > --- a/security/apparmor/lib.c > +++ b/security/apparmor/lib.c > @@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state, > /* for v5 perm mapping in the policydb, the other set is used > * to extend the general perm set > */ > - perms->allow |= map_other(dfa_other_allow(dfa, state)); > + perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK; > perms->audit |= map_other(dfa_other_audit(dfa, state)); > perms->quiet |= map_other(dfa_other_quiet(dfa, state)); > // perms->xindex = dfa_user_xindex(dfa, state); >
On 07/30/18 22:55, John Johansen wrote: > The apparmor policy language current does not allow expressing of the > locking permission for no-fs unix sockets. However the kernel is > enforcing mediation. > > Add the AA_MAY_LOCK perm to the computed perm mask which will grant > permission for all current abi profiles, but still allow specifying > auditing of the operation if needed. > > BugLink: http://bugs.launchpad.net/bugs/1780227 > Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > security/apparmor/lib.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c > index a7b3f681b80e..eafad30a78d7 100644 > --- a/security/apparmor/lib.c > +++ b/security/apparmor/lib.c > @@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state, > /* for v5 perm mapping in the policydb, the other set is used > * to extend the general perm set > */ > - perms->allow |= map_other(dfa_other_allow(dfa, state)); > + perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK; > perms->audit |= map_other(dfa_other_audit(dfa, state)); > perms->quiet |= map_other(dfa_other_quiet(dfa, state)); > // perms->xindex = dfa_user_xindex(dfa, state); >
On 07/30/18 22:55, John Johansen wrote: > The apparmor policy language current does not allow expressing of the > locking permission for no-fs unix sockets. However the kernel is > enforcing mediation. > > Add the AA_MAY_LOCK perm to the computed perm mask which will grant > permission for all current abi profiles, but still allow specifying > auditing of the operation if needed. > > BugLink: http://bugs.launchpad.net/bugs/1780227 > Signed-off-by: John Johansen <john.johansen@canonical.com> > --- > security/apparmor/lib.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c > index a7b3f681b80e..eafad30a78d7 100644 > --- a/security/apparmor/lib.c > +++ b/security/apparmor/lib.c > @@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state, > /* for v5 perm mapping in the policydb, the other set is used > * to extend the general perm set > */ > - perms->allow |= map_other(dfa_other_allow(dfa, state)); > + perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK; > perms->audit |= map_other(dfa_other_audit(dfa, state)); > perms->quiet |= map_other(dfa_other_quiet(dfa, state)); > // perms->xindex = dfa_user_xindex(dfa, state); > Applied to xenial/master-next and bionic/master-next branches. Thanks, Kleber
On Mon, Jul 30, 2018 at 01:55:30PM -0700, John Johansen wrote: > The apparmor policy language current does not allow expressing of the > locking permission for no-fs unix sockets. However the kernel is > enforcing mediation. > > Add the AA_MAY_LOCK perm to the computed perm mask which will grant > permission for all current abi profiles, but still allow specifying > auditing of the operation if needed. > > BugLink: http://bugs.launchpad.net/bugs/1780227 > Signed-off-by: John Johansen <john.johansen@canonical.com> Applied to cosmic/master-next and unstable/master, thanks!
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c index a7b3f681b80e..eafad30a78d7 100644 --- a/security/apparmor/lib.c +++ b/security/apparmor/lib.c @@ -327,7 +327,7 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state, /* for v5 perm mapping in the policydb, the other set is used * to extend the general perm set */ - perms->allow |= map_other(dfa_other_allow(dfa, state)); + perms->allow |= map_other(dfa_other_allow(dfa, state)) | AA_MAY_LOCK; perms->audit |= map_other(dfa_other_audit(dfa, state)); perms->quiet |= map_other(dfa_other_quiet(dfa, state)); // perms->xindex = dfa_user_xindex(dfa, state);
The apparmor policy language current does not allow expressing of the locking permission for no-fs unix sockets. However the kernel is enforcing mediation. Add the AA_MAY_LOCK perm to the computed perm mask which will grant permission for all current abi profiles, but still allow specifying auditing of the operation if needed. BugLink: http://bugs.launchpad.net/bugs/1780227 Signed-off-by: John Johansen <john.johansen@canonical.com> --- security/apparmor/lib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)