[apparmor] [PATCH 5/2] Fix compilation of audit modifiers
Steve Beattie
steve at nxnw.org
Tue Mar 17 23:13:03 UTC 2015
On Tue, Mar 17, 2015 at 12:14:07AM -0700, John Johansen wrote:
> This fixes the incorrect compilation of audit modifiers for exec and
> pivot_root as detailed in
>
> https://launchpad.net/bugs/1431717
> https://launchpad.net/bugs/1432045
>
> The permission accumulation routine on the backend was incorrectly setting
> the audit mask based off of the exec type bits (info about the exec) and
> not the actual exec permission.
>
> This bug could have also caused permissions issues around overlapping exec
> generic and exact match exec rules, except the encoding of EXEC_MODIFIERS
> ensured that the
> exact_match_allow & AA_USER/OTHER_EXEC_TYPE
> test would never fail for a permission accumulation with the exec permission
> set.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-by: Steve Beattie <steve at nxnw.org> for trunk and 2.9. Thanks!
> === modified file 'parser/libapparmor_re/hfa.cc'
> --- parser/libapparmor_re/hfa.cc 2014-09-03 21:36:08 +0000
> +++ parser/libapparmor_re/hfa.cc 2015-03-17 06:32:53 +0000
> @@ -1335,19 +1335,16 @@
> }
>
> perms.allow |= exact_match_allow & ~(ALL_AA_EXEC_TYPE);
> -
> - if (exact_match_allow & AA_USER_EXEC_TYPE) {
> + perms.audit |= exact_audit & ~(ALL_AA_EXEC_TYPE);
> +
> + if (exact_match_allow & AA_USER_EXEC) {
> perms.allow = (exact_match_allow & AA_USER_EXEC_TYPE) |
> (perms.allow & ~AA_USER_EXEC_TYPE);
> - perms.audit = (exact_audit & AA_USER_EXEC_TYPE) |
> - (perms.audit & ~AA_USER_EXEC_TYPE);
> perms.exact = AA_USER_EXEC_TYPE;
> }
> - if (exact_match_allow & AA_OTHER_EXEC_TYPE) {
> + if (exact_match_allow & AA_OTHER_EXEC) {
> perms.allow = (exact_match_allow & AA_OTHER_EXEC_TYPE) |
> (perms.allow & ~AA_OTHER_EXEC_TYPE);
> - perms.audit = (exact_audit & AA_OTHER_EXEC_TYPE) |
> - (perms.audit & ~AA_OTHER_EXEC_TYPE);
> perms.exact |= AA_OTHER_EXEC_TYPE;
> }
> if (AA_USER_EXEC & perms.deny)
>
>
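Review bot: the exec type bits of `exact_audit` are no longer merged into `perms.audit` anywhere in this hunk: the new `perms.audit |= exact_audit & ~(ALL_AA_EXEC_TYPE);` masks them out, and the two per-branch `perms.audit = (exact_audit & AA_..._EXEC_TYPE) | ...` assignments that used to carry them are removed, while `perms.allow` still receives the type bits inside the `AA_USER_EXEC` / `AA_OTHER_EXEC` branches. That asymmetry matches the commit message (the audit mask should follow the exec permission bit, not the type bits), but a one-line comment above the `perms.audit |=` line stating that audit is keyed on the exec permission rather than the type bits would stop a later reader from "restoring" the old behaviour, and the two referenced bugs are a natural basis for a regression test that pairs an audited exact-match exec rule with an overlapping generic exec rule and checks both the allow and the audit masks.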
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/