[Utopic][Vivid][PATCH] UBUNTU: SAUCE: (no-up): apparmor: fix mediation of fs unix sockets

John Johansen john.johansen at canonical.com
Thu Mar 5 09:33:50 UTC 2015 

Fix for out of tree AppArmor 3 patches.

BugLink: http://bugs.launchpad.net/bugs/1408833

Fix 2 issues around the mediation of file base unix domain sockets.
* Add auditing of deleted/shutdown file based unix domains sockets so
  that the denials can be correctly evalated.
* fix the permission request mask so that it is correct for the
  deleted/shutdown socket case.

Signed-off-by: John Johansen <john.johansen at canonical.com>

diff --git a/security/apparmor/af_unix.c b/security/apparmor/af_unix.c
index 73bd94d..62e7fd1 100644
--- a/security/apparmor/af_unix.c
+++ b/security/apparmor/af_unix.c
@@ -31,32 +31,31 @@ static inline int unix_fs_perm(int op, u32 mask, struct aa_label *label,
 	if (unconfined(label) || !LABEL_MEDIATES(label, AA_CLASS_FILE))
 		return 0;
 
+	mask &= NET_FS_PERMS;
 	if (!u->path.dentry) {
 		struct path_cond cond = { };
 		struct file_perms perms = { };
 		struct aa_profile *profile;
 
-		/* socket path has been cleared because it is being shutdown */
-		/* TODO: fix flags */
-		if (!(flags & PATH_MEDIATE_DELETED))
-			return -EACCES;
-		/* Mediate at original socket location */
-		/* TODO: ns disconnected paths */
-		/* TODO: after switch to newer audit provide deleted/shutdown
-		 *       message as part of audit info
+		/* socket path has been cleared because it is being shutdown
+		 * can only fall back to original sun_path request
 		 */
 		return fn_for_each_confined(label, profile,
+			((flags | profile->path_flags) & PATH_MEDIATE_DELETED) ?
 				__aa_path_perm(op, profile,
-					       u->addr->name->sun_path,
-					       mask, &cond, flags, &perms));
+					       u->addr->name->sun_path, mask,
+					       &cond, flags, &perms) :
+				aa_audit_file(profile, &nullperms, op, mask,
+					      u->addr->name->sun_path, NULL,
+					      cond.uid, "Failed name lookup - "
+					      "deleted entry", -EACCES));
 	} else {
 		/* the sunpath may not be valid for this ns so use the path */
 		struct path_cond cond = { u->path.dentry->d_inode->i_uid,
 					  u->path.dentry->d_inode->i_mode
 		};
 
-		return aa_path_perm(op, label, &u->path, flags, mask & NET_FS_PERMS,
-				    &cond);
+		return aa_path_perm(op, label, &u->path, flags, mask, &cond);
 	}
 
 	return 0;

More information about the kernel-team mailing list