[PATCH 3/5] UBUNTU: SAUCE: AppArmor: Fix cap audit_caching preemption disabling
Andy Whitcroft
apw at canonical.com
Thu Nov 12 11:19:46 UTC 2009
On Tue, Nov 10, 2009 at 10:29:11AM -0800, John Johansen wrote:
> BugLink: http://bugs.launchpad.net/bugs/479102
>
> SRU Justification: Failing to put_cpu_var means that kernel preemption is
> disabled for the task. This will affect all confined processes that try
> to audit a capability message (so an process that has capability violation
> or is in learning mode and would have a capability violation).
>
> The auditing code of capabilities, has a simple cache to reduce capability
> messages flooding the audit logs. Checking and updating the cache
> disables kernel preemption. One potential exit path does not properly
> put the per cpu var, thus not reenabling preemption.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
> ubuntu/apparmor/capability.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/ubuntu/apparmor/capability.c b/ubuntu/apparmor/capability.c
> index 65b91cf..5bb2eca 100644
> --- a/ubuntu/apparmor/capability.c
> +++ b/ubuntu/apparmor/capability.c
> @@ -72,6 +72,7 @@ static int aa_audit_caps(struct aa_profile *profile, struct aa_audit_caps *sa)
> /* Do simple duplicate message elimination */
> ent = &get_cpu_var(audit_cache);
> if (sa->base.task == ent->task && cap_raised(ent->caps, sa->cap)) {
> + put_cpu_var(audit_cache);
> if (PROFILE_COMPLAIN(profile))
> return 0;
> return sa->base.error;
This is a nice short section, looks right to me.
Acked-by: Andy Whitcroft <apw at canonical.com>
-apw
More information about the kernel-team
mailing list