[Acked] [PATCH][Lucid] apparmor: Fix quieting of audit messages for network mediation

Andy Whitcroft apw at canonical.com
Tue Apr 9 12:31:11 UTC 2013


On Tue, Apr 09, 2013 at 04:33:24AM -0700, John Johansen wrote:
> The following changes since commit b0386abc4aa169169338c40ba2813c282d96b291:
> 
>   UBUNTU: Ubuntu-2.6.32-46.107 (2013-03-22 13:57:53 -0500)
> 
> are available in the git repository at:
> 
>   git://kernel.ubuntu.com/jj/ubuntu-lucid.git lp1156769
> 
> for you to fetch changes up to 225ed2e7f19e43b6513dbd47c74821d4614dc6f2:
> 
>   UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation (2013-04-09 02:54:44 -0700)
> 
> ----------------------------------------------------------------
> John Johansen (1):
>       UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for network mediation
> 
>  security/apparmor/net.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> ---
> 
> From 225ed2e7f19e43b6513dbd47c74821d4614dc6f2 Mon Sep 17 00:00:00 2001
> From: John Johansen <john.johansen at canonical.com>
> Date: Fri, 29 Jun 2012 17:34:00 -0700
> Subject: [PATCH] UBUNTU: SAUCE: apparmor: Fix quieting of audit messages for
>  network mediation
> 
> This fixes a bug in the apparmor networking patch that is not upstream
> because it is being replaced by a newer patch.
> 
> BugLink: http://bugs.launchpad.net/bugs/1163259
> 
> If a profile specified a quieting of network denials for a given rule by
> either the quiet or deny rule qualifiers, the resultant quiet mask for
> denied requests was applied incorrectly, resulting in two potential bugs.
> 1. The misapplied quiet mask would prevent denials from being correctly
>    tested against the kill mask/mode. Thus network access requests that
>    should have resulted in the application being killed did not.
> 
> 2. The actual quieting of the denied network request was not being applied.
>    This would result in network rejections always being logged even when
>    they had been specifically marked as quieted.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
>  security/apparmor/net.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/security/apparmor/net.c b/security/apparmor/net.c
> index e9b1d1e..dba81af 100644
> --- a/security/apparmor/net.c
> +++ b/security/apparmor/net.c
> @@ -86,7 +86,7 @@ static int aa_audit_net(struct aa_profile *profile, struct aa_audit_net *sa)
>  	} else {
>  		u16 quiet_mask = profile->net.quiet[sa->family];
>  		u16 kill_mask = 0;
> -		u16 denied = (1 << sa->type) & ~quiet_mask;
> +		u16 denied = (1 << sa->type);
>  
>  		if (denied & kill_mask)
>  			type = AUDIT_APPARMOR_KILL;
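Review bot: after the change at `u16 denied = (1 << sa->type);`, `quiet_mask` is read from `profile->net.quiet[sa->family]` but no longer used anywhere in the visible lines, so this hunk by itself only addresses the first bug in the commit message (the kill test now sees the full denial) and the second (quieting not applied) depends on `quiet_mask` being consulted on the logging path further down in `aa_audit_net`, which is outside the shown context; including that line as context, or naming it in the commit message, would make the fix self-evident in review. Separately, `u16 kill_mask = 0;` is never assigned in the visible context, so `if (denied & kill_mask)` is always false here; the kill behaviour the message describes can only be live if `kill_mask` is populated from the profile elsewhere in the function, analogous to how `quiet_mask` is, and that would be worth confirming.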

Acked-by: Andy Whitcroft <apw at canonical.com>

-apw
