Commit 8f6d94bf authored by John Johansen

Update base network mediation patch with missing feature pinning fixup

apparmor: fix regression in network mediation when using feature pinning

When the 4.14-rc6 and earlier kernels are used with an upstream 4.13
or earlier pinned feature set, there is a regression in network
mediation where policy is not being correctly enforced, because the
compilation is completely dropping the af mediation table as expected
by pre 4.14 kernels but the 4.14 kernel is not accounting for this.

Resulting in network denials that cannot be fixed by policy.
Signed-off-by: John Johansen <john.johansen@canonical.com>
parent 0b93a7f9
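The failure mode the commit message describes, as a constructed model rather than kernel code: a profile's per-family allow mask starts zero-filled, a policy compiled against a pinned pre-4.14 feature set carries no AF table at all, and unless the unpacker treats "no table" as "mediate nothing" every socket() is denied with no policy change able to repair it. `DEMO_AF_MAX`, the `demo_profile`/`demo_policy` layouts and the two scenario helpers are stand-ins chosen for this example and do not reproduce AppArmor's binary policy format or the exact check in `net.c`.

```c
/*
 * Constructed model of the policy-unpack fallback in the patch above.
 * Not kernel code: AF_MAX, the profile layout and the policy encoding
 * are stand-ins chosen for the example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_AF_MAX      8          /* stand-in for the kernel's AF_MAX */
#define DEMO_AF_INET     2          /* numeric value matches Linux AF_INET */
#define DEMO_SOCK_STREAM 1          /* Linux SOCK_STREAM */
#define DEMO_SOCK_DGRAM  2          /* Linux SOCK_DGRAM */
#define SOCK_BIT(type)   ((uint16_t)(1u << (type)))

struct demo_profile {
	uint16_t allow[DEMO_AF_MAX];    /* per-family bitmask of allowed socket types */
};

/* Compiled policy as this example encodes it: the AF table is optional, because
 * a compiler pinned to a pre-4.14 feature set omits it entirely. */
struct demo_policy {
	bool has_af_table;
	uint16_t af_table[DEMO_AF_MAX];
};

/* Unpack the network section. 'fixed' selects the behaviour after this patch. */
static void demo_unpack_net(struct demo_profile *p, const struct demo_policy *pol,
			    bool fixed)
{
	memset(p->allow, 0, sizeof(p->allow));      /* a fresh profile is zero-filled */
	if (pol->has_af_table) {
		memcpy(p->allow, pol->af_table, sizeof(p->allow));
	} else if (fixed) {
		/* No table: the policy predates AF mediation, so mediate nothing. */
		for (int i = 0; i < DEMO_AF_MAX; i++)
			p->allow[i] = 0xffff;
	}
	/* Before the fix there is no else branch: allow[] stays all-zero, every
	 * socket() is denied, and no policy rewrite can add a table that the
	 * pinned compiler will never emit. */
}

/* Simplified mediation check: the requested socket type must be in the mask. */
static bool demo_net_perm(const struct demo_profile *p, unsigned family, unsigned type)
{
	if (family >= DEMO_AF_MAX || type >= 16)
		return false;
	return (p->allow[family] & SOCK_BIT(type)) != 0;
}

/* Scenario: policy compiled with a pinned, pre-4.14 feature set (no AF table). */
bool pinned_policy_allows_inet_stream(bool fixed)
{
	const struct demo_policy pol = { .has_af_table = false };
	struct demo_profile prof;

	demo_unpack_net(&prof, &pol, fixed);
	return demo_net_perm(&prof, DEMO_AF_INET, DEMO_SOCK_STREAM);
}

/* Scenario: policy that does carry a table, allowing only stream sockets on AF_INET. */
bool af_policy_allows(unsigned family, unsigned type)
{
	struct demo_policy pol = { .has_af_table = true };   /* af_table[] zeroed */
	struct demo_profile prof;

	pol.af_table[DEMO_AF_INET] = SOCK_BIT(DEMO_SOCK_STREAM);
	demo_unpack_net(&prof, &pol, true);
	return demo_net_perm(&prof, family, type);
}

int main(void)
{
	printf("pinned policy, before fix: inet stream %s\n",
	       pinned_policy_allows_inet_stream(false) ? "allowed" : "denied");
	printf("pinned policy, after fix:  inet stream %s\n",
	       pinned_policy_allows_inet_stream(true) ? "allowed" : "denied");
	printf("explicit table: inet stream %s, inet dgram %s, family 3 stream %s\n",
	       af_policy_allows(DEMO_AF_INET, DEMO_SOCK_STREAM) ? "allowed" : "denied",
	       af_policy_allows(DEMO_AF_INET, DEMO_SOCK_DGRAM) ? "allowed" : "denied",
	       af_policy_allows(3, DEMO_SOCK_STREAM) ? "allowed" : "denied");
	return 0;
}
```

The two scenarios make the asymmetry clear: an explicit table is honoured bit for bit, while an absent table has to mean "this policy never expressed AF rules", which is why the fallback fills the mask with all ones rather than leaving it at the zero-filled default.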
From 27d9aac1346ff7feb6a49bfb33510c2d79a41da7 Mon Sep 17 00:00:00 2001
From ae291c63ebb649f8af0bd491ea44e48b5c55526c Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Tue, 18 Jul 2017 23:18:33 -0700
Subject: [PATCH 1/2] apparmor: add base infastructure for socket mediation
......@@ -44,8 +44,8 @@ Acked-by: Seth Arnold <seth.arnold@canonical.com>
security/apparmor/lib.c | 5 +-
security/apparmor/lsm.c | 387 +++++++++++++++++++++++++++++++++++++
security/apparmor/net.c | 184 ++++++++++++++++++
security/apparmor/policy_unpack.c | 47 ++++-
12 files changed, 834 insertions(+), 12 deletions(-)
security/apparmor/policy_unpack.c | 51 ++++-
12 files changed, 838 insertions(+), 12 deletions(-)
create mode 100644 security/apparmor/include/net.h
create mode 100644 security/apparmor/net.c
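Review bot: the diffstat refresh is consistent with the body of the change: policy_unpack.c goes from 47 to 51 and the total from 834 to 838 insertions, four lines, which is exactly the growth of the `@@ -717,6 +730,38 @@` hunk header to `+730,42` further down. Worth keeping this habit when editing patch-in-patch files, since a stale diffstat is harmless to `git am` but misleads anyone reading the series.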
......@@ -1040,7 +1040,7 @@ index 000000000000..33d54435f8d6
+ return aa_label_sk_perm(label, op, request, sock->sk);
+}
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 59a1a25b7d43..68b168e8f499 100644
index 59a1a25b7d43..769d2c55bdae 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -275,6 +275,19 @@ static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
......@@ -1072,7 +1072,7 @@ index 59a1a25b7d43..68b168e8f499 100644
struct rhashtable_params params = { 0 };
char *key = NULL;
struct aa_data *data;
@@ -717,6 +730,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
@@ -717,6 +730,42 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
goto fail;
}
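Review bot: the hunk header change from `+730,38` to `+730,42` is required, not cosmetic: the inner patch is applied as a file, and `git apply`/`patch` reject a hunk whose line count does not match its body as corrupt. Since the added lines are four and the old and new counts differ by four, the header is correct for the `else` branch added below.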
......@@ -1101,6 +1101,10 @@ index 59a1a25b7d43..68b168e8f499 100644
+ }
+ if (!unpack_nameX(e, AA_ARRAYEND, NULL))
+ goto fail;
+ } else {
+ /* support policy pre AF socket mediation */
+ for (i = 0; i < AF_MAX; i++)
+ profile->net.allow[i] = 0xffff;
+ }
+ if (VERSION_LT(e->version, v7)) {
+ /* pre v7 policy always allowed these */
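Review bot: in the new `else` branch the `0xffff` literal written into every `profile->net.allow[i]` should be a named mask or carry a comment saying it is all socket-type bits in the width of an `allow` entry, so the fallback stays correct if that entry type ever changes; `/* support policy pre AF socket mediation */` says why the branch exists but not why that value. The branch itself is the right fix for the regression in the commit message: a policy compiled against a pinned pre-4.14 feature set never carries an AF table, so an absent table must mean "mediate nothing" rather than leaving the zero-filled mask in place, which is what turned into undeniable denials. Also confirm the loop variable `i` is the one already declared at the top of unpack_profile, since it is not declared in the visible context of this hunk.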
From 8f0a917911fe19f9911d972fe85c43243f7eaa37 Mon Sep 17 00:00:00 2001
From a3a1dea7d72da33f004f4c5c2e9de91f3311d336 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Tue, 18 Jul 2017 23:27:23 -0700
Subject: [PATCH 2/2] apparmor: af_unix mediation