[PATCH][Lucid] apparmor: Fix quieting of audit messages for network mediation

John Johansen john.johansen at canonical.com
Tue Apr 9 11:33:24 UTC 2013


The following changes since commit b0386abc4aa169169338c40ba2813c282d96b291:

  UBUNTU: Ubuntu-2.6.32-46.107 (2013-03-22 13:57:53 -0500)

are available in the git repository at:

  git://kernel.ubuntu.com/jj/ubuntu-lucid.git lp1156769

for you to fetch changes up to 225ed2e7f19e43b6513dbd47c74821d4614dc6f2:

  UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation (2013-04-09 02:54:44 -0700)

----------------------------------------------------------------
John Johansen (1):
      UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation

 security/apparmor/net.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

---

From 225ed2e7f19e43b6513dbd47c74821d4614dc6f2 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen at canonical.com>
Date: Fri, 29 Jun 2012 17:34:00 -0700
Subject: [PATCH] UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for
 network mediation

This fixes a bug in the apparmor networking patch that is not upstream
because it is being replaced by a newer patch.

BugLink: http://bugs.launchpad.net/bugs/1163259

If a profile specified a quieting of network denials for a given rule by
either the quiet or deny rule qualifiers, the resultant quiet mask for
denied requests was applied incorrectly, resulting in two potential bugs.
1. The misapplied quiet mask would prevent denials from being correctly
   tested against the kill mask/mode. Thus network access requests that
   should have resulted in the application being killed did not.

2. The actual quieting of the denied network request was not being applied.
   This would result in network rejections always being logged even when
   they had been specifically marked as quieted.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 security/apparmor/net.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/apparmor/net.c b/security/apparmor/net.c
index e9b1d1e..dba81af 100644
--- a/security/apparmor/net.c
+++ b/security/apparmor/net.c
@@ -86,7 +86,7 @@ static int aa_audit_net(struct aa_profile *profile, struct aa_audit_net *sa)
 	} else {
 		u16 quiet_mask = profile->net.quiet[sa->family];
 		u16 kill_mask = 0;
-		u16 denied = (1 << sa->type) & ~quiet_mask;
+		u16 denied = (1 << sa->type);
 
 		if (denied & kill_mask)
 			type = AUDIT_APPARMOR_KILL;
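Review bot: The replacement line `+		u16 denied = (1 << sa->type);` drops `quiet_mask` from the computation of `denied`, yet `quiet_mask` is still declared on the unchanged line `u16 quiet_mask = profile->net.quiet[sa->family];` and no longer appears anywhere in the visible hunk; confirm that a later line outside this hunk applies it to suppress logging of quieted denials (the second bug the commit message describes), otherwise the variable becomes unused and the quieting is still not applied. In the same hunk `kill_mask` is initialized to 0 and then tested with `if (denied & kill_mask)` with no assignment in between in the shown context, so the kill check can only take effect if `kill_mask` is populated in lines not shown here. A one-line comment above `denied` stating that the kill test must be evaluated on the unquieted request mask, with quieting applied only afterwards, would document the intent of the fix for the next reader.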
-- 
1.8.1.2