[apparmor] Pidgin, 4.14, and App Armor Oops.

Thu Nov 23 13:22:29 UTC 2017

Hello,

Am Mittwoch, 22. November 2017, 16:57:59 CET schrieb John Johansen:
> From 6ba06322267ea931be5f1f559965120d1e09b030 Mon Sep 17 00:00:00 2001
> From: John Johansen <john.johansen at canonical.com>
> Date: Wed, 22 Nov 2017 07:33:38 -0800
> Subject: [PATCH] apparmor: fix oops in audit_signal_cb hook
> 
> The apparmor_audit_data struct ordering got messed up during a merge
> conflict, resulting in the signal integer and peer pointer being in
> a union instead of a struct together.

If you need another bug reference:
https://bugzilla.opensuse.org/show_bug.cgi?id=1069562

I built a test kernel with a patch based on what you posted (the 
original patch didn't apply on the openSUSE kernel), and it seems to fix 
the issue. 
Note that I only run this kernel (4.14.1 + the patch) since 30 minutes, 
but OTOH I always got the oops within two minutes with 4.14.0 ;-)
(I did not test if "just" updating to 4.14.1 fixes the issue.)


My version of the patch is:
https://build.opensuse.org/package/show/home:cboltz:branches:Kernel:HEAD/kernel-default -> "link diff"

--- a/security/apparmor/include/audit.h	2017-11-22 22:46:30.771215108 +0100
+++ b/security/apparmor/include/audit.h	2017-11-22 22:48:27.398759948 +0100
@@ -121,10 +121,13 @@
 		/* these entries require a custom callback fn */
 		struct {
 			struct aa_label *peer;
-			struct {
-				const char *target;
-				kuid_t ouid;
-			} fs;
+                       union {
+                               struct {
+                                       const char *target;
+                                       kuid_t ouid;
+                               } fs;
+                               int signal;
+                       };
 			struct {
 				int type, protocol;
 				struct sock *sk;
@@ -135,7 +138,6 @@
 			const char *ns;
 			long pos;
 		} iface;
-		int signal;
 		struct {
 			int rlim;
 			unsigned long max;


If you think this patch this is close enough to your original patch, 
feel free to add
    Tested-by: Christian Boltz


Regards,

Christian Boltz
-- 
> PS.: Don't drink as root!
Das kann man gar nicht oft genug sagen: "uups, rm -rf * statt rm -rf *~
in /etc", das war eine Meisterleistung nachts um 3 mit 2.6 auf dem
Turm ;-))   [Volker Müller und Thomas Bendler in suse-linux]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20171123/112994a7/attachment.sig>
