[apparmor] Questions about AppArmor's Kernel Code

Abhishek Vijeev abhishekvijeev at iisc.ac.in
Wed Jul 31 13:15:00 UTC 2019 

Hi Seth,

I'll surely keep that in mind, thank you. Here's the diff for policy_unpack.c after incorporating the changes John suggested (strdup( )):

diff --git a/linux-5.2.1/security/apparmor/policy_unpack.c b/linux-5.2.1/security/apparmor/policy_unpack.c
index 73836fe94..e63203d29 100644
--- a/linux-5.2.1/security/apparmor/policy_unpack.c
+++ b/linux-5.2.1/security/apparmor/policy_unpack.c
@@ -741,19 +741,14 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
  profile->clabel = kzalloc (sizeof(struct custom_label), GFP_KERNEL);
  if (!profile->clabel)
  goto fail;
- if (!unpack_str(e, &name, NULL))
+ if (!unpack_strdup(e, &profile->clabel->label_name, NULL))
  goto fail;
- profile->clabel->label_name = kzalloc (strlen(name), GFP_KERNEL);
- if (!profile->clabel->label_name)
- goto fail;
-
- strcpy (profile->clabel->label_name, name);

  if (!unpack_u32(e, &(profile->clabel->allow_cnt), NULL))
  goto fail;


if (unpack_nameX(e, AA_STRUCT, "data_list"))
  {
  profile->clabel->allow_list = kzalloc(sizeof(struct data_list), GFP_KERNEL);
  if (!profile->clabel->allow_list)
@@ -762,15 +757,11 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)

  for (i = 0; i < profile->clabel->allow_cnt; i++)
  {
- if (!unpack_str(e, &name, NULL))
- goto fail;
  struct data_list *new_node = kzalloc(sizeof(struct data_list), GFP_KERNEL);
  if (!new_node)
  goto fail;
- new_node->data = kzalloc(strlen(name), GFP_KERNEL);
- if (!new_node->data)
- goto fail;
- strcpy(new_node->data, name);
+ if (!unpack_strdup(e, &new_node->data, NULL))
+                    goto fail;
  INIT_LIST_HEAD(&(new_node->lh));
  list_add(&(new_node->lh), &(profile->clabel->allow_list->lh));
  }


I wrongly assumed that the kernel was crashing for the same reasons as before incorporating John's changes.

On inspecting the fresh crash logs (attached with this email), I found that the crash was now occurring at a different
location - namely the apparmor_socket_sendmsg () function in apparmor/lsm.c. Here, I was trying to extract the
destination IP address from struct msghdr *msg, using the following code:

DECLARE_SOCKADDR(struct sockaddr_in *, usin, msg->msg_name);
if (usin)
{
printk (KERN_INFO "msg sent to %pi4, %d\n", usin->sin_addr.s_addr, usin->sin_port);
}

Removing this code resulted in a stable kernel, and I have fortunately not had a crash since (I'd like to watch for a couple of
more days before being confident that the issue is resolved). However, I'm not quite sure what caused the null pointer
de-reference (as suggested by the log file) since I have an explicit check against this. Is there a better way to obtain the destination
IP address from struct msghdr *msg?





________________________________
From: Seth Arnold <seth.arnold at canonical.com>
Sent: 31 July 2019 03:55:08
To: Abhishek Vijeev <abhishekvijeev at iisc.ac.in>
Cc: apparmor at lists.ubuntu.com <apparmor at lists.ubuntu.com>; Rakesh Rajan Beck <rakeshbeck at iisc.ac.in>
Subject: Re: [apparmor] Questions about AppArmor's Kernel Code

On Tue, Jul 30, 2019 at 12:42:48PM +0000, Abhishek Vijeev wrote:
> Thank you for the correction John.
>
> Despite changing the code to use strdup( ), the kernel still crashes. I
> have attached the modified file for reference.
>
> Is there anything else that might be causing the crash?

Hello Abhishek,

Please consider sharing your modification via diffs; passing along entire
files is pretty difficult to read and understand your changes.

Also be sure to include the full kernel messages when trying to debug
crashes. That's the best lever any has to prise apart the problem.

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20190731/a9e4e685/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dmesg_logs
Type: application/octet-stream
Size: 36882 bytes
Desc: dmesg_logs
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20190731/a9e4e685/attachment-0001.obj>

More information about the AppArmor mailing list