From patchwork Fri Nov 18 16:12:05 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: John Johansen X-Patchwork-Id: 9436977 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 3623F60237 for ; Fri, 18 Nov 2016 16:12:13 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2752F29984 for ; Fri, 18 Nov 2016 16:12:13 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1BD442999B; Fri, 18 Nov 2016 16:12:13 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7670629984 for ; Fri, 18 Nov 2016 16:12:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752234AbcKRQML (ORCPT ); Fri, 18 Nov 2016 11:12:11 -0500 Received: from youngberry.canonical.com ([91.189.89.112]:49157 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751959AbcKRQMK (ORCPT ); Fri, 18 Nov 2016 11:12:10 -0500 Received: from static-50-53-51-193.bvtn.or.frontiernet.net ([50.53.51.193] helo=[192.168.192.153]) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1c7llo-0000wm-Kn; Fri, 18 Nov 2016 16:12:08 +0000 To: James Morris Cc: "open list:SECURITY SUBSYSTEM" , LKLM From: John Johansen Subject: [PATCH] apparmor: fix changehat not finding hat after policy replacement Organization: Canonical Message-ID: <48726882-f583-1627-1af3-edc90ea9b0d9@canonical.com> Date: Fri, 18 Nov 2016 08:12:05 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0 MIME-Version: 1.0 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Hi James, This is a fix for a policy replacement bug that is fairly serious for apache mod_apparmor users, as it results in the wrong policy being applied on an network facing service. can you please pull and pushup for 4.9 It has been rebased against current 4.9, you can either grab the patch included below or do a pull from The following changes since commit 623898671c8eb05639e746e6d84cffa281616438: Merge branch 'for-linus' of git://git.kernel.dk/linux-block (2016-11-17 13:59:39 -0800) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor fix-change_hat for you to fetch changes up to 4bc60a7f780acb6eb5b71360ab04e29ecd282bda: apparmor: fix change_hat not finding hat after policy replacement (2016-11-18 07:07:10 -0800) ---------------------------------------------------------------- John Johansen (1): apparmor: fix change_hat not finding hat after policy replacement security/apparmor/domain.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- From 4bc60a7f780acb6eb5b71360ab04e29ecd282bda Mon Sep 17 00:00:00 2001 From: John Johansen Date: Wed, 31 Aug 2016 21:10:06 -0700 Subject: [PATCH] apparmor: fix change_hat not finding hat after policy replacement After a policy replacement, the task cred may be out of date and need to be updated. However change_hat is using the stale profiles from the out of date cred resulting in either: a stale profile being applied or, incorrect failure when searching for a hat profile as it has been migrated to the new parent profile. Fixes: 01e2b670aa898a39259bc85c78e3d74820f4d3b6 (failure to find hat) Fixes: 898127c34ec03291c86f4ff3856d79e9e18952bc (stale policy being applied) Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1000287 Cc: stable@vger.kernel.org Signed-off-by: John Johansen --- security/apparmor/domain.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index fc3036b..a4d90aa 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -621,8 +621,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest) /* released below */ cred = get_current_cred(); cxt = cred_cxt(cred); - profile = aa_cred_profile(cred); - previous_profile = cxt->previous; + profile = aa_get_newest_profile(aa_cred_profile(cred)); + previous_profile = aa_get_newest_profile(cxt->previous); if (unconfined(profile)) { info = "unconfined"; @@ -718,6 +718,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest) out: aa_put_profile(hat); kfree(name); + aa_put_profile(profile); + aa_put_profile(previous_profile); put_cred(cred); return error;